How YubiKey Bio could make remote security concerns a thing of the past
Portable biometrics put fingerprint 2FA in your pocket.
By Michael Simon
PCWorld, Mar 31, 2020, 6:50 am PDT
The YubiKey Bio is a security product seemingly made for the growing number of people working from home during the coronavirus threat, but the security issues facing remote workers are hardly new. Even if they've figured out everything else (bought a second monitor, rearranged some furniture, or upgraded their router), security remains an oft-forgotten but vital detail.
The transition from working in an office to working at home creates a juicy opportunity for attackers intent on stealing your personal information. "With a rapid shift toward remote workforces, the attack vector grows larger and we're already seeing an increase in targeted phishing attacks," said Guido Appenzeller, chief product officer of Yubico. "Not to mention, operating remotely is new territory for many companies, involving steep learning curves and confusion. This is the perfect scenario for an attacker to thrive in and opens opportunities for social engineering and phishing attacks." That's why Yubico is developing a security key with a built-in fingerprint sensor: a portable hardware authenticator that fits in a pocket.
The bottom line is, your office brings a level of built-in security that's not as readily available at home. Even if your Wi-Fi is WPA2-encrypted with a strong password, the protection on your PC and personal accounts likely pales in comparison to the firewalls and managed network inside your office. "This is the perfect scenario for an attacker to thrive in and opens opportunities for social engineering and phishing attacks, making it imperative for businesses to develop a contingency plan that includes securing remote workers," said Appenzeller. "Enabling multi-factor authentication wherever possible is one of the best ways to protect a remote team and should be a top requirement for a work-from-home policy."
Of course, we already know that. Beyond your company's specific authentication strategy, you've probably already set up two-factor authentication on your mail and social media accounts using SMS or an authenticator app. That's a great start. But as remote work surges and your professional and personal accounts start sharing the same devices and networks, a one-time code is a weak second factor: an SMS code can be intercepted with a SIM swap, and both SMS and authenticator-app codes can be phished in real time by a look-alike login page that simply relays whatever you type.
Yubico’s Appenzeller says there are better solutions out there. “If I had to pick one authentication method, I would pick FIDO2,” he said. “It’s really well thought through and finally combines the notion of external authenticators like the YubiKey with the internal authenticators on devices.”
Security on a string
The FIDO standard (Fast IDentity Online) replaces password-only logins with public-key challenge-response authentication: a private key that never leaves the authenticator signs a fresh challenge from the site, and the signature is bound to the site's origin, so a phishing site cannot reuse it. FIDO2 (the WebAuthn browser API plus the CTAP2 protocol to the key) takes it a step further by letting browsers use either the authenticator built into the device, such as Windows Hello or Pixel Imprint, or a pocketable security key, such as a Yubico YubiKey or Google Titan Security Key.
Instead of retrieving a code via text or app, your security key does all the work. When you choose a physical key as your authentication method, your browser or device will ask you to plug the key in (USB) or hold it near the device (NFC or Bluetooth), then prompt you to touch the sensor on the key to prove a person is present before it signs the login. An attacker would need both your password and your physical key to log into your account on a new device, and because the browser records the real origin in the signed data, a look-alike site cannot borrow the key's signature for the genuine one.
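The origin binding described above is the property that makes a security key phishing-resistant where SMS and app codes are not. The following Go program is an added example written for this article, not Yubico's or the FIDO Alliance's code. It models one FIDO2 key and one relying party with hypothetical types (Key, RelyingParty, Demo); the ECDSA P-256 signature and the rpIdHash || flags || signCount layout follow WebAuthn, but the origins login.example.com and login-example.com are constructed sample data, there is no transport, attestation or user-verification handling, and a real browser would refuse the phishing request earlier than the server check shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData mirrors WebAuthn's CollectedClientData. The browser, not the web
// page, fills in Origin, which is what defeats a look-alike phishing site.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the key returns: the authenticator data it produced, the
// browser's client data, and an ECDSA P-256 signature covering both.
type Assertion struct{ AuthData, ClientData, Signature []byte }

// Key is a hypothetical toy FIDO2 security key holding a single credential.
type Key struct {
	priv      *ecdsa.PrivateKey
	rpID      string
	signCount uint32
}

// signedMessage is the byte string WebAuthn has the key sign,
// authenticatorData || SHA-256(clientDataJSON), hashed once more for ECDSA.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// GetAssertion models browser plus key: the browser records the origin it is
// really on, the key emits rpIdHash || flags || signCount and signs. A real key
// only signs after a touch (on the Bio, a fingerprint); that is the UP flag bit.
func (k *Key) GetAssertion(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	k.signCount++
	rpHash := sha256.Sum256([]byte(k.rpID))
	auth := append(rpHash[:], 0x01) // flags: bit 0 = user present
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], k.signCount)
	auth = append(auth, cnt[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(auth, cd))
	return Assertion{AuthData: auth, ClientData: cd, Signature: sig}, err
}

// RelyingParty holds the registered public key plus the server-side checks.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	lastCount  uint32
	challenge  string // one-time challenge for the pending login
}

func (rp *RelyingParty) NewChallenge() string {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err) // no entropy means no login; never fall back to a fixed value
	}
	rp.challenge = base64.RawURLEncoding.EncodeToString(b[:])
	return rp.challenge
}

func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case rp.challenge == "" || cd.Challenge != rp.challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case a.AuthData[32]&0x01 == 0:
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count <= rp.lastCount {
		return errors.New("signature counter did not advance: cloned key or replay")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(a.AuthData, a.ClientData), a.Signature) {
		return errors.New("bad signature")
	}
	rp.lastCount, rp.challenge = count, "" // consume the challenge
	return nil
}

// Demo returns the server's verdict on three logins: a genuine one, a phishing
// relay from a look-alike origin, and a replay of the genuine assertion.
func Demo() (legit, phish, replay error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	key := &Key{priv: priv, rpID: "example.com"}
	rp := &RelyingParty{ID: "example.com", Origin: "https://login.example.com", pub: &priv.PublicKey}

	good, _ := key.GetAssertion("https://login.example.com", rp.NewChallenge())
	legit = rp.Verify(good)

	// The phishing page relays the real server's challenge, but the victim's
	// browser stamps its own origin into the client data, so the signature is
	// worthless at the genuine site.
	relayed, _ := key.GetAssertion("https://login-example.com", rp.NewChallenge())
	phish = rp.Verify(relayed)

	rp.NewChallenge()
	replay = rp.Verify(good)
	return legit, phish, replay
}

func main() {
	l, p, r := Demo()
	fmt.Println("genuine:", l, "| phishing relay:", p, "| replay:", r)
}
```

The server never sees the password-style secret; it stores only a public key, and the four checks in Verify (challenge, origin, rpIdHash, counter) are what a relying party must do before trusting the signature. The counter check is what would flag a cloned key, since a copy and the original cannot both keep advancing the same counter.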
Security keys could start becoming the norm as businesses grapple with a scattered workforce. Companies will be scrambling to strengthen authentication for remote staff so that older devices and newly created accounts are covered as well.
At Microsoft Ignite in November 2019, Yubico unveiled YubiKey Bio, which adds biometric authentication to the dongle itself. When it releases sometime this year, YubiKey Bio will look a lot like the regular USB-A YubiKey Security Key with one exception: the gold touch pad is replaced by an actual fingerprint sensor, so a thief holding the key still cannot present the fingerprint it requires.
“Our goal is to deliver a very similar user experience in terms of form factor and robustness as we do with the current key,” Appenzeller explained, adding that FIDO2 makes it very hard to crack. “FIDO2 has this notion of fingerprints being identified or you have exceeded the maximum number of tries and so on, which previously wasn’t there. So these two things coming together was sort of a no-brainer for us.”
It might be a no-brainer for businesses too. While most laptops still don’t have biometric security built into them, YubiKey Bio could be a way to bridge that gap and bring modern biometrics to older laptops without needing to swap out the whole system.
Moving the biometric off the laptop and onto a pocketable device removes some risk and some complexity. A stolen laptop cannot be used to log in without the key. Where an account uses the key as its FIDO2 login rather than a password, a forgotten password is no longer a lockout. And if you switch to a different device, your credential moves with you. "With the biometric key, you can basically add that extra layer of security and no longer need a PIN (to log on). Showing the presence of the fingerprint plus possession of the key is enough," said Appenzeller.
In an uncertain world where workers are being asked to be more versatile than ever before and businesses need to manage a workforce that’s gone from feet to miles apart, YubiKey Bio could bring the security we want and the sanity we need. While it will work only with USB-A at launch, a USB-C model is in the works.
Yubico’s Appenzeller imagines YubiKey working with a wide range of devices. “Long term, more and more consumers will have some form of hardware token that they use in order to protect their asset,” he predicted.
Appenzeller believes the YubiKey Bio makes solid security nearly foolproof. “The YubiKey Bio is a big step forward because it gives you a high level of security with better usability. My colleague can’t just grab my key and impersonate me.”