Authentication protocols have evolved rapidly since the first authentication using password was introduced in 1961 by Fernando Corbato, an MIT researcher. In 1960s, computers were huge and outrageously expensive with many users accessing the centralized computers through not-so-smart terminals. Passwords were used to protect user files on this multi-user time-sharing system.
1980s introduced the use of OTP (One Time Password) to leverage security and prevent attackers from guessing, stealing, or intercepting password. The IT industry quickly adapted this methodology and OTP became widely used in many organizations and companies. Different OTP standards were developed, which eventually led to OAuth, a standard to standardize types of OTP. This period also saw the emergence of 2FA (Two Factors Authentication) and MFA (Multi Factors Authentication), which became popular in cybersecurity industry over the past decades.
Whether to protect an email account or perform a bank transaction, most of us have to deal with multi factor authentication. MFA has reduced the risk of identity theft and account take overs drastically. However, for a long time, users have to choose between security and usability when using MFA. 2FA is MFA in a more restrictive form where 2 very specific factors are chosen, thereby, reduce the IT administrator resources.
Yubico as the Gold Standard for MFA
Many users contemplate on whether or not using MFAs as their method of authentication. Some reject the idea of MFAs because it is considered a hassle that will interfere with their workflow. Others overlook MFA due to its complexity and cost associated with it.
Yubico, as the front runner of cybersecurity experts, continuously innovates by providing advanced products which provide the highest security standard in the market without sacrificing their usability.
In 2012, Yubico pioneered U2F (Universal Second Factor) to enable internet users to securely access online services with single security key instantly, with no drivers or client software needed. In 2013, Yubico joined FIDO Alliance and brought the idea of an open, second factor authentication protocol. This authentication method is then used as a global standard that brings the security of public/private key cryptography in hardware to the masses with no more than a USB and port, or NFC is required.
Moving further, Yubico expands its leadership in cybersecurity industry by using FIDO2/CTAP2 and W3C WebAuthn. This evolutionary innovation enables passwordless authentication by device PIN, biometrics, and other authentication technology built into devices like phones and computers.
Utilizing this new standard, Yubico creates a solution that delivers phishing resistant authentication on all major desktop and mobile platforms.
What’s Next forModern Authentication?
The COVID pandemic has accelerated cyber security breaches and there is increased awareness about cyber security. The phase “Security Key” has become more popular to define an external FIDO-enabled hardware devices, such as YubiKey. The terminology of Passkey is also being introduced and defined as any WebAuthn/FIDO credentials, regardless of whether they are on a Security Key, bound to your device’s hardware, or just stored in files on your devices.
Initially, Yubico was also working on using phones as authenticators. We were in the progress of making biometric authentication built into phones. However, a major drawback of using phone authenticators is its fragility and replaceability. The most challenging part of using phone as a Security Key is re-registering them everywhere, even when the phone is lost or being replaced by a new one. For this reason, we recommend that phone can be used as one of several authenticators added to your accounts.
Up until now, Security Keys and Platform Authenticators are bound to specific hardware, which is why it is called single-device Passkey. This methodology, such as used by YubiKey, has a robust security standard and is simple to understand. No device, No access. This practice adds an extra security layer and ensure that only the right person can access the right information.
Another solution is called multi-device Passkeys. Using this new scheme, a credential can be copied and not bounded to specific hardware. However, unless a phishing resistant authentication is used to protect the account that sync passkeys, people can still fall for cyber criminal’s tricks.
Security keys, such as YubiKey, are ground-breaking innovation in cybersecurity industry for its ease-of-usage and high security standard. Unlike multi device passkey, YubiKey is not dependent on network connection, making it ideal to use even in remote locations. YubiKey can also be used in a remote working and shared workstation setting, allowing multiple users to access the same devices with strict security measurements. YubiKey can also work well across all computers and phones.
As a conclusion, MFA/2FA are required for organizations to add another layer of security, making it harder for cyber criminals to breach your credentials. It is far more secure than just relying on password. In an ideal world, everyone is able to use the most complex and advanced technology in all scenarios. But in reality, there is always a trade-off between usability, security and related cost. YubiKey is easy to use and have stronger authentication, compared to multi-device passkeys. It can act as a WebAuthn / FIDO authenticator, a Smart Card, an OTP device, etc in one device. However, if you are still unsure to choose which authentication method will suit your organization, please feel free to contact us.