1. Using the YubiKey to log into a Web Application
There is one application where you can start experiencing the use of a YubiKey as a tool to authenticate yourself on the Web right away: the Yubico forum. There you need a YubiKey to log in as a user for posting. When you register you also have the choice to define a PIN code to be used when logging in. I chose to define a PIN so I would be in the typical two-factor authentication situation for which devices such as the YubiKey are used. Glad I did, because that gave me an interesting observation:
When I log into the forum I am presented with a form not unlike the one for logging into my online bank: one field to type something I know (here the PIN, for the bank a password) and one field to type in a one-time password (OTP) proving I possess something (here the YubiKey; for the bank a dongle that shows an OTP on a small LCD display when I push a button after inserting my smart bank card into it (phew...)).
Now, here is the difference: in the bank login situation it does not matter in what order I enter the information, as long as I have provided both password and OTP when I push the form's OK button. But in the forum login scenario I must enter the OTP last, because the device 'pushes Enter' after the OTP has been fed into the field. And an Enter keystroke normally means 'I am done, send the request to the server'. Of course it does not have to mean that, but it normally does, and it does so in the forum's login form. So if I happen to do the OTP first with my YubiKey, before entering my PIN, I send a request missing my PIN and am rewarded with a 'PIN missing' error message.
Now, my point is that this way of operating is a feature of the YubiKey, and a very cool feature I think. But it is a feature user-friendly interface designers need to relate to and take advantage of. At the very least you should have text informing the end user that the OTP is to be provided last in the form, but better to have the user interface work so that the OTP is entered last. That could be by activating the OTP field only when the rest of the form is ready, or by working in some kind of wizard fashion.
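One way to build a login form along those lines, as an added example that is not code from the original post, from the Yubico forum or from Yubico: the OTP field stays disabled until a PIN has been typed, and the form's submit handler (which is what the YubiKey's Enter keystroke ends up triggering in a browser) refuses to send a half-filled form and moves focus to the missing field instead. The element ids pin, otp and login-form are assumptions for the example; the 44-character modhex format check is a fact about Yubico OTPs that the post itself does not mention. The decision logic is kept in plain functions so it can run and be tested outside a browser; only the wiring at the end touches the DOM.

```javascript
// Added example, not code from the original post or from Yubico: a PIN + OTP
// login form that copes with the YubiKey typing Enter after the OTP.
// Element ids "pin", "otp" and "login-form" are assumptions for the example.

// A Yubico OTP is 44 modhex characters (12-character public id followed by a
// 32-character encrypted token). Modhex only uses the letters cbdefghijklnrtuv,
// so the key types the same thing on every keyboard layout. This format fact is
// not from the post; it is used here only to tell a real OTP from a stray value.
const MODHEX_OTP = /^[cbdefghijklnrtuv]{44}$/;

function looksLikeYubicoOtp(value) {
  return MODHEX_OTP.test(value.trim());
}

// Decide what the form should do when Enter arrives, whether typed by the user
// or injected by the YubiKey. Returns a plain action object instead of touching
// the DOM, so the policy can be tested on its own:
//   { action: "submit" }                        both fields usable
//   { action: "focus", field: "pin" | "otp" }   something is missing or malformed
//   { action: "move-otp" }                      the OTP was typed into the PIN field
function decideOnEnter({ pin, otp }) {
  const p = pin.trim();
  const o = otp.trim();
  // The key was touched while the PIN field had focus: the OTP landed there.
  // (A PIN that is itself 44 modhex letters would be misread; assumed unrealistic.)
  if (looksLikeYubicoOtp(p) && o === "") return { action: "move-otp" };
  if (p === "") return { action: "focus", field: "pin" };
  if (!looksLikeYubicoOtp(o)) return { action: "focus", field: "otp" };
  return { action: "submit" };
}

// The OTP field is only enabled once a PIN has been typed, nudging the user to
// do the YubiKey step last, as the post suggests.
function otpFieldEnabled(pin) {
  return pin.trim() !== "";
}

// Browser-only wiring; skipped when the file runs under Node for testing.
if (typeof document !== "undefined") {
  const form = document.getElementById("login-form");
  const pinField = document.getElementById("pin");
  const otpField = document.getElementById("otp");

  otpField.disabled = !otpFieldEnabled(pinField.value);
  pinField.addEventListener("input", () => {
    otpField.disabled = !otpFieldEnabled(pinField.value);
  });

  // Enter in any text field triggers implicit submission of the form, so the
  // YubiKey's keystroke ends up here. Only let it through when both are present.
  form.addEventListener("submit", (event) => {
    const decision = decideOnEnter({ pin: pinField.value, otp: otpField.value });
    if (decision.action === "submit") return; // let the browser send the request
    event.preventDefault();
    if (decision.action === "move-otp") {
      otpField.disabled = false;
      otpField.value = pinField.value;
      pinField.value = "";
      pinField.focus();
    } else {
      (decision.field === "pin" ? pinField : otpField).focus();
    }
  });
}
```

The client-side handling is a usability aid only: the server must still require both the PIN and a valid OTP on every login request, regardless of the order in which the browser collected them.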
2. Giving the key to a coworker
I walked over to my unsuspecting colleague, gave him the YubiKey saying it was some cool Swedish technology that goes into his USB port, watched him plug it in and had us focus on the tray area, because the first thing I was going to point out was the message that pops up showing it being recognized as a USB keyboard. Nothing happened. He had put it in the wrong side up! You can do that with this USB gadget! The lighting conditions happened to be a bit challenging at his station: bright sunshine through the windows and the side of his laptop with the USB ports in the shade, so the ring on the upper side was hard to see. Not a big problem, because users will learn after some use that the golden contact strip is also a sign of the upper side. Still, I think future key designs might consider making the upper side more explicit.
But when we got the thing plugged in correctly he jumped straight to the nearest field (his browser's address field) to generate an OTP. I quickly explained not to push, just rest the finger on the circle of cool green light, and he had no problem confusing Firefox.
3. Capturing the OTP in a Java desktop application
At the company I work for we develop desktop clients using the Java Swing API. So one thing I was interested in right away was how easy it would be to get the OTP in a Java/Swing program. So I simply made a dialog with a text field (the JTextField class, to be accurate) and wrote some callback code similar to:
    import java.awt.event.ActionEvent;
    import java.awt.event.ActionListener;
    import javax.swing.JTextField;

    // The field the YubiKey will 'type' the OTP into.
    final JTextField otpField = new JTextField();

    // Called when Enter is pressed while the field has focus.
    otpField.addActionListener(new ActionListener() {
        public void actionPerformed(ActionEvent e) {
            System.out.println(otpField.getText());
            // In a real app. here would be code to do
            // authentication, sending the OTP to a server.
        }
    });
When does this callback method get called? Well, actionPerformed is a method you can register with a wide range of widgets. If registered on a button it is invoked when the user pushes the button. On a JTextField it is invoked when the user hits the Enter key while the field has focus...
That's right, the YubiKey invokes my actionPerformed callback method when the OTP has been populated into the field! It could not possibly be any easier to integrate in our solutions! The automatic Enter feature is what, besides it 'being a USB keyboard', makes this so easy.
I think it is likely that similar ease of integration will be found with other well-designed GUI toolkits also.
Wrap Up
I liked the concept of the YubiKey once I learned about it on the web, but now that I have experienced it first hand I like it even more!
Developers of services and applications that are going to utilize the device will need to take the nature of the gadget into account, I think. But then it seems to offer the possibility of a more user-friendly authentication process than many of today's two-factor authentication solutions.
I also like Yubico's goal of wanting to be the IKEA of authentication solutions; from the Yubico welcome page:
"Yubico's mission is to make Internet identification secure, easy and affordable for everyone. Inspired by IKEA and Amazon.com we deliver flat packages of do-it-yourself tools: We sell the YubiKey hardware online and provide you the basic SDK for free, no license cost included. And you can take the basic SDK to build your own full-fledged, customized strong authentication service."
Coming from a small company developing niche solutions in need of security, I like that and hope they manage to stay true to that vision.
My resource post on the YubiKey
1 comment:
Thanks for your review. I'm considering buying a YubiKey soon, it seems like a cool product.