A look at the recently released YubiKey 5 hardware authenticator series and how web authentication with the new WebAuthn API leverages devices like the YubiKey for painless website registration and strong user authentication.
I covered the YubiKey 4 in the May 2016 issue of Linux Journal, and the magazine has published a number of other articles on both YubiKeys and other forms of multi-factor authentication since then. Yubico recently has introduced the YubiKey 5 line of products. In addition to the YubiKey's long-time support of multiple security protocols, the most interesting feature is the product's new support for FIDO2 and WebAuthn.
WebAuthn is an application programming interface (API) for web authentication. It uses cryptographic "authenticators", such as a YubiKey 5 hardware token to authenticate users, in addition to (or even instead of) a typical user name/password combination. WebAuthn is currently a World Wide Web Consortium (W3C) candidate recommendation, and it's already implemented by major browsers like Chrome and Firefox.
This article provides an overview of the YubiKey 5 series, and then goes into detail about how the WebAuthn API works. I also look at how hardware tokens, such as the YubiKey 5 series, hide the complexity of WebAuthn from users. My goal is to demonstrate how easy it is to use a YubiKey to register and authenticate with a website without having to worry about the underlying WebAuthn API.
About the YubiKey 5 Series
The YubiKey 5 series supports a broad range of two-factor and multi-factor authentication protocols, including:
- Challenge-response (HMAC-SHA1 and Yubico OTP).
- Client to Authenticator Protocol (CTAP).
- FIDO Universal 2nd-Factor authentication (U2F).
- Open Authorization, HMAC-Based One-Time Password (OATH-HOTP).
- Open Authorization, Time-Based One-Time Password (OATH-TOTP).
- Personal Identity Verification (PIV).
- Web Authentication (WebAuthn).
- Yubico One-Time Password (OTP).
In addition, the entire YubiKey 5 series (with the exception of the
U2F/FIDO2-only Security Key model) now supports OpenPGP public key
cryptography with RSA key sizes up to 4096 bits. This is a notable bump
from the key sizes supported by some earlier models. Yubico's OpenPGP
support also includes an additional slot for an OpenPGP authentication
key for use within an SSH-compatible agent, such as GnuPG's
Figure 1. YubiKey 5 Series