Owners of iPhones looking for an extra measure of protection when using applications and logging into websites can get it with a new dongle from Yubico, a maker of hardware authentication security keys based in Palo Alto, California.
Its new YubiKey 5Ci, which retails for US$70, supports both USB-C and Apple’s Lightning connectors on a single device. The dual connectors can give security-conscious consumers and enterprise users strong hardware-backed authentication across iOS, Android, macOS and Windows devices.
“Before this key, it was really hard for a user to try and authenticate with a security key across multiple devices,” said Yubico Chief Solutions Officer Jerrod Chong.
“This key has USB-C on one side and Lightning on the other so a user can authenticate to all the devices that they have,” he told TechNewsWorld.
That can improve security across the board, because people no longer need to use weak substitutes for the strong protection a hardware key can provide.
“People are using SMS or one-time pass codes delivered through email, which are not only bad from a security perspective but bad from a usability perspective because you’re typing in codes that you can get wrong,” Chong explained.
“We wanted to make the process simple,” he continued. “You plug in this device, touch a button, and you’re good to go.”
Password Manager Support
The YubiKey 5Ci supports a number of Apple iOS applications out of the box. They include several popular password managers — 1Password, Bitwarden, Dashlane and LastPass.
Idaptive, a single sign-on app for enterprise users, also is supported. Single sign-on apps are used for secure access to corporate clouds from mobile devices.
Some other enterprise applications include YubiKey 5Ci support in their developer kits. They include Okta, XTN and Monkton Rebar.
Authentication keys have greater appeal to enterprises right now than to consumers, Chong acknowledged, but “we will see that change as we get more browser support and more consumer applications enabled for authentication keys.”
To understand why enterprises are keen on authentication keys, all you need to do is look at Google’s experience with them. Since handing out the keys to its more than 85,000 employees in early 2017, it hasn’t had a single successful phishing attack on any of its workers’ accounts.
There have been no account takeovers since Google implemented security keys, a Google spokesperson told security blogger Brian Krebs in July 2018.
No iPad Pro Support
The iOS version of the Brave browser also supports the YubiKey 5Ci. In fact, Brave is the only browser to support WebAuthn via Lightning connector. WebAuthn is an API that allows websites to offer a variety of authenticators to their visitors, including keys and biometric readers. Websites accessible through Brave include Bitbucket.org, GitHub.com, Login.gov, Twitter.com and 1Password.com.
Although the YubiKey 5Ci is compatible with iPhones and iPads with Lightning connectors, it doesn’t work with iPads that have USB-C connectors, even though the plug fits.
Apple limits accessibility through the USB-C port on its iPad Pro models, Chong explained.
“It’s not just a problem with us,” he said. “It’s a problem for anyone that wants to create an accessory with a USB-C connection to an iPad.”
That may change when the new iPadOS is released in the fall.
The YubiKey 5Ci also doesn’t work with FIDO-compliant services or apps out of the box. That’s because iOS doesn’t support FIDO. FIDO is a set of open source security specifications for strong online authentication.
“Apple may be prioritizing other security measures that may have a broader relevance for its consumers,” said Ross Rubin, principal analyst at Reticle Research, a consumer technology advisory firm in New York City.
“It’s also highly likely that if Apple were to support an authentication token for iOS devices, it would be one that they would offer,” he told TechNewsWorld.
Life Left in Lightning
Supporting the Lightning connector opens up the iOS market to Yubico, Rubin noted.
“For some time after supporting USB-C on the iPad, there was a sense that the Lightning connector was on borrowed time,” he said, “but Apple continues to roll out new products with it, and the rumors are Apple will stick with it through the next round of iPhones.”
While most authentication keys are sold in the enterprise, there are consumer niches where they are popular.
“Anyone concerned about being hacked, like journalists or celebrities, use them,” Rubin said.
“Hard-core gamers, too, concerned about other players hacking into their accounts, use this kind of security token to provide an extra level of protection against that kind of attack,” he noted.
“More and more organizations are recommending two-factor authentication, and this can be a way to achieve it relatively seamlessly and with more security than text messages,” observed Rubin.
A problem with hardware solutions like the YubiKey 5Ci is they can be inconvenient. They’re something else to keep tabs on when trying to navigate the Net or, worse, something that can be lost, creating a whole new crop of headaches.
“The tradeoff between security and convenience is a classic conflict. The trick is to find that balance between maximizing security while minimizing inconvenience,” Rubin said. “Something like this certainly could be more convenient than memorizing hard-to-guess passwords used for different services.”
Room for Everyone
Although authentication keys have been linked to the end of passwords, password managers — software used to store logins, create hard-to-guess passwords and automatically access websites — ironically could boost acceptance of something like the YubiKey 5Ci.
“Password managers have a low barrier to entry. In some cases, you can try them for free,” Rubin pointed out.
“Then, once you realize the benefits of better security, you might want to go to the next step and buy one of these devices,” he said.
“Passwords are here to stay, and so are password managers, but passwords aren’t the only game in town and haven’t been for a while,” noted Simon Davis, marketing vice president at Fairfax, Virginia-based Siber Systems, maker of the RoboForm password manager.
“When logging in to sites and apps, people are looking for security and ease of use,” he told TechNewsWorld. “Any product that helps them achieve both will always be sought after.”