Secure and Affordable 2-factor authentication: Yubikey

In the DoD there is a strong requirement for 2-factor authentication in the network.  For systems and workstations they use a successful implementation with Public Key Infrastructure (PKI) and a DoD common access card (CAC) which has a client certificate.  The user has a PIN; therefore, 2-factor.   Nothing like this exists for network devices (routers, switches, etc).  It requires simple network devices to be able to authenticate client certificates using a DoD CA and OCSP responders.

Even if this were implemented by Cisco, Juniper, HP, Brocade, etc there’s still the issue of client-side software.  PuTTy has an experimental version called PuTTy-CAC, but it’s hard to test when nothing supports it on the server-side.  So this leaves network administrators to either have a vulnerable authentication system using standard RADIUS/TACACS+ and passwords, or they spend hundreds of thousands on implementations like EMC’s RSA SecurID.  However I’m not sure if that makes your network more or less secure considering how easy it was for the Chinese to get the RSA seed files – see my earlier post from a few years ago.  Enter Yubikey.

Secure AND affordable 2-factor Authentication

Yubico, a new technology start-up, trying to address the affordable and secure part, but also what to do with mobile devices.  Yubikey is their flagship 2-factor authentication device that works like a standard USB keyboard.  It costs about $30 (less if purchased in volume) and their more expensive key is the Yubikey NEO.  It is basically a Near-Field Communication (NFC) key – for mobile devices – that costs about $50.

The use for standard Yubikeys is to basically plug the key into the USB port (platform independent) and press the button.  The button generates an AES-128 encrypted one-time password (OTP).  Yubico’s technical documentation explains the authentication and verification process like this:

1. The received string is converted back to a byte string
2. The byte string is decrypted using the same (symmetric) 128-bit AES key
3. The string’s checksum is verified. If not valid, the OTP is rejected
4. Additional fields are verified. If not valid, the OTP is rejected
5. The non-volatile counter is compared with the previously received value. If lower than or equal to the stored value, the received OTP is rejected as a replay.
6. If greater than the stored value, the received value is stored and the OTP is accepted as valid

The process seems great for web applications like WordPress authentication or GMAIL, but what about the first point, 2-factor authentication for network devices?  Enter YubiRADIUS.  YubiRADIUS is a fully-configurable platform that integrates with a Windows domain and all those Yubikeys.  Oh, and YubiRADIUS runs on a hardened virtual Linux appliance – and is free.  So, in order to get full and secure 2-factor authentication in an enterprise – buy the $30 tokens and setup the free YubiRADIUS.  Also, did I mention it’s fully IPv6 enabled?

Currently, we have Yubikey and YubiRADIUS running in our DoD Unified Capabilities Approved Products List (UC APL) test lab and will be taking it into DoD UC APL testing as a viable network device 2-factor authentication solution soon.  Here’s some of what Yubikey and YubiRADIUS give you above solutions from SecurID:

• validation server is part of YubiRADIUS and is free (as in free beer)
• Yubikeys can be used for an enterprise and for personal GMAIL, wordpress, etc.  It’s not a single use token, very flexible.
• Platform independent.  So is SecurID, but with SecrID, you have to type the OTP in manually instead with Yubikey you just hit the button.
• YubiRADIUS will soon be available in a fully DoD STIGed and hardened platform.  We are currently working on that.
• Pricing is easy.  Just buy the token once.  It lasts forever, with the configuration there’s no need for it to expire.  SecurID costs ~$265 for a pack of 5 that expire in 2 years.  Buy over 255 and you pay $55 per token that expire in 2 years.  Buy 50 Yubikeys and it’s only $15 per that never expire.  Did I mention the infrastructure (YubiRADIUS & Validation Server) are free?

Yubikey Awesome Add-Ons

If the above were not enough of a selling point, check out the list of extensible options you get with Yuibikey:

• GMAIL login for hosted GoogleApps accounts. Uses SAML.
• WordPress plugin (we use it for this blog)
• 2-factor Windows and Linux user logins.  Just in case you aren’t DoD using PKI and CAC.
• Enterprise remote access/VPN
• OpenID login integration
• Other CMS website tool authentication (Joomla, Drupal, MediaWiki)
• Disk encryption
• Use Yubikey 2-factor authentication with PayPal.
• Near Field Communication (NFC) Yubikeys provides the same ease and security with select Android phones.
• Software Yubikey app for Android that are free

All in all, Yubikey gives a commercial enterprise, DoD enterprise, small business, and individual the power and affordability to finally ditch the single password and use 2-factor authentication.