FIDO2 is a specification by the FIDO Alliance - the name meaning "Fast IDentity Online" - which is an open industry association with the mission of developing and promoting passwordless authentication standards.
These standards aren't simply because the organisation doesn't like passwords; it's because passwords are inherently fraught with security failures. People forget them, people write them down, people re-use them for multiple services, and people even inadvertently divulge them during phishing attacks.
Enter multi-factor authentication - adding a third piece of information, such as a one-time code sent by text message - so even if the “bad guys” get your username and password they won’t know the third item.
Yet, using a mobile phone number for multi-factor authentication is similarly risky. In fact, we all hand out our mobile phone number freely. There’s little effort in the proverbial “bad guys”, again, using techniques like social engineering and SIM swapping to get hold of your mobile service and gain access to your services.
This takes us to hardware-based authentication and the Yubico security keys. This is the solution recommended by cybersecurity experts worldwide to give yourself the greatest security over your identity. This advice also comes from Google, which advocates the use of a hardware key like YubiKey for such people as journalists and whistleblowers in despotic regimes, and for whom protecting their identity is a matter of life-and-death, not only the safety of their finances.
Yubico has been at the forefront of hardware security keys and its new product takes it to the next level. It is the first multi-protocol security key to receive FIPS 140-2 validation, the Federal Information Processing Standards from the National Institute of Standards and Technology (NIST).
Yubico has added its existing YubiKey 5 NFC, YubiKey 5C NFC, and YubiKey 5Ci into the FIPS series line-up. These devices offer desktop and mobile functionality and allow individuals, enterprises, government agencies, and anyone else to achieve phishing-resistant passwordless authentication for all their users.
“We are delighted to see Yubico’s continued commitment to the federal market with the introduction of the YubiKey 5 FIPS Series,” said a representative for Treasury Enterprise Identity, Credential, and Access Management (TEICAM), U.S. Treasury Department.
“We certainly understand how difficult it is to go through these certification processes, but the Yubico team has shown an unwavering understanding for our evolving needs, particularly during this pandemic. Yubico is a partner that consistently goes above and beyond to support their clients, so we’re thrilled to celebrate this great progress today!”
“Our customers are struggling with the stressful and complex task of finding ways to bridge the gap between legacy and modern infrastructures while maintaining compliance,” said Suresh Thiru, chief product officer, Yubico.
“The YubiKey 5 FIPS Series puts many of these common concerns to rest. Unlike mobile-based authenticators, these keys defend against phishing and man-in-the-middle attacks with proven success rates, while being flexible enough to support an organisation’s entire authentication lifecycle.”
The YubiKey 5 FIPS series supports FIDO2, WebAuthn, PIV, FIDO U2F, Yubico OTP, and OATH HOTP. The devices support USB-A, USB-C, NFC, and Lightning form factors. The YubiKey 5 FIPS series is able to meet the requirements for Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B.
The devices are available on the Yubico store and through resellers and partners.
Here is a recent Yubico video on the importance of YubiKeys to protect free speech, featuring Melanio Escobar, journalist and executive director for Redes Ayuda, a Venezuelan-based non-Government organisation that helps defend freedom of speech and human rights, and supports journalists with digital security training. Your own personal needs may not be so dire, but why trust your online identity and finances to anything less?