News
Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications
April 2018 by Marc Jacob
Yubico launched the Security Key by Yubico, the company’s first hardware authentication device that fully supports the new FIDO2 and WebAuthn API authentication standards from the FIDO Alliance and World Wide Web Consortium (W3C).
The company is also introducing the Yubico Developer Program, a resource for organizations exploring adoption and implementation of strong authentication for web and mobile applications, using Yubico supported protocols including FIDO U2F, OTP, PIV (Smart Card), OpenPGP, OATH (HOTP/TOTP) and the new FIDO2 Client to Authenticator Protocol (CTAP) specification.
Yubico will demonstrate the Security Key by Yubico and new functionality next week at the RSA Conference 2018, booth #S2241.
As a core inventor and driver of innovative, open authentication standards, first with FIDO Universal 2nd Factor (U2F) and now FIDO2, Yubico is introducing its first FIDO2-enabled authentication security key. The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as future FIDO2 passwordless implementations.
What is FIDO2 and how does it differ from FIDO U2F and FIDO UAF?
U2F is an open authentication standard that enables hardware authenticators, coupled with a username and password, to securely access any number of web-based services — instantly and with no drivers or client software needed.
The FIDO2 Project consists of an API (Application Programming Interface) and a Protocol. The Security Key by Yubico supports both the WebAuthn API and FIDO’s CTAP. FIDO2 provides strong authentication as a single factor, eliminating the need for passwords. It should be noted that if necessary, FIDO2 conveniently pairs with PINs, biometrics, or gestures as additional on-device authentication factors.
FIDO UAF (Universal Authentication Framework) is a separate technical working group and standards initiative within the FIDO Alliance, focused on biometrics and mobile devices that requires client software.
Web Authentication
The WebAuthn API was developed by FIDO Alliance members, including Yubico, Microsoft, Google, PayPal, Mozilla and Nok Nok Labs, and standardized by the World Wide Web Consortium (W3C). Once a specification is endorsed by the W3C, it becomes globally available, creating a ubiquitous web platform for FIDO2 support. WebAuthn allows for a Security Key to create a public key-based credential for authentication and use that credential to securely log in with a web-based interaction similar to U2F.
Client to Authenticator Protocol (CTAP)
CTAP is an application layer protocol and is used to communicate between a client (desktop) or a platform (operating system) and an external authenticator (i.e. Security Key by Yubico). The CTAP model allows one device, such as a Security Key by Yubico, to act as an authenticator to log in to a second device.
Yubico Developer Program
The Yubico Developer Program is designed to enable integration of strong authentication to support Yubico hardware within web and mobile applications. Those who sign up will have access to developer resources including workshops, webinars, implementation guides, reference code, and SDKs. Those interested in FIDO2 can sign up to receive early access to Yubico resources to aid in implementations of the FIDO2 open authentication standard. Organizations can sign up here to begin receiving updates on the Yubico Developer Program and early FIDO2 materials from Yubico.
The Security Key by Yubico is available for $20 at the Yubico online store.
