Saturday, 25 July 2015

Yubikey Edge

Yubikey Edge

Mark Crutch tries to improve the security on several cloud services with just one handy little device

Sites get hacked and password databases stolen, so it's wise to take additional steps to secure your logins with "second factor" authentication wherever you can. The trouble is that there are a wealth of second factor options available, and you need to make sure you have the right one for the site you're using. The Yubikey Edge is one such option, and it has some limited configurability that might enable it to do the job of several other devices.

Physically the Edge looks like a slimline USB memory stick. It's a couple of millimetres thick, but with enough rigidity to survive life alongside keys and coins in an average purse or pocket. There's a small touch-sensitive panel on one side, which acts as a button to trigger its operations.

The Edge has two software "slots" for holding different authentication protocols, and comes preconfigured with Yubico's proprietary OTP (one-time password) authentication system in Slot 1. This works on a limited number of sites, most notably LastPass. com (provided you subscribe to its Premium tier for $12 per year). In this mode the Edge behaves like a USB keyboard, so it works across operating systems without the need for drivers. After supplying your username and password you're prompted to touch the button on the device, at which point a one-time password is "typed” into the computer and authenticated against Yubico’s servers.

Secure your own site


Several plugins and libraries are available that can be used to add support to other sites, including those built on Django, Drupal and WordPress. There’s also a PAM module that can be used to add an extra layer of login security to your computer - ideal if you expose an SSH connection to the world. If you don't want to use Yubico's authentication servers for your projects, Yubico has a GitHub repository containing the source for a BSD-licensed authentication server.

A graphical configuration tool is used to set either slot to support Yubico's onetime password, a static password, OATH or a challenge-response protocol. Note that some of these modes require support applications to be installed on your machine, which isn't always as simple as it should be. Nevertheless, having a choice of protocols means that the Edge can be used across many more websites than a singleprotocol device. Installing the configuration tool was easy on Linux Mint, thanks to Yubico's use of a PPA for Ubuntu-based machines, but the tool is perhaps a little too comprehensive, and could do with a simpler “Wizard" mode to step through the setup for some mainstream websites.

All these features are also available on the classic Yubikey at a lower price, but the Edge offers one more protocol that doesn't occupy either of the two slots: Fido U2F. You can already use it with Google accounts.

In a world of cloud services it makes sense to use two-factor authentication when you can. With support for two protocols plus U2F there's bound to be some way in which the Yubikey Edge can be used to help secure the computers or websites you use.

For Google and LastPass this works brilliantly, but for other sites it's more complex than it should be.