What One-Time Passwords Could Do For Mobile

Smartphones will soon be wallets. They're already corporate data repositories. And finally, Yubico lets us stop using static passwords to lock it all down.
The user name/password combo is like the QWERTY keyboard--a suboptimal historical anachronism that by sheer force of inertia has persisted far past its time. It's not that more secure alternatives haven't come along. I designed a smart card-based one-time password system as part of Hewlett-Packard's first dial-in remote network access system more than 15 years ago. But OTP schemes haven't caught on for general use. They seldom have clean, intuitive interfaces. They tend to unduly disrupt people's daily routines. And as we use more Web apps, each with its own account database, hardware-based OTP implementations represent an administrative nightmare.

Ironically, SecurID, one of the most popular OTP systems and the one I used many years ago in my HP days, was hacked, and that cast a dark cloud over the credibility of the entire technology. This only complicates the lives of security professionals trying to convince skeptical CIOs to fund OTP projects. The selling job gets even harder when you realize that mobile devices, an afterthought for most OTP systems, are an increasingly significant part of the average worker's day.

Enter Yubico, a little Scandinavian company that might just have a better mousetrap. Five years ago, Jakob and Stina Ehrensvard set out to make strong authentication easy and affordable. The first fruit of that mission, the deceptively simple but surprisingly sophisticated YubiKey USB dongle, has already garnered more than 1 million users and 18,000 enterprise customers, including some A-list defense contractors, government agencies, and Fortune 500 companies.

The YubiKey is an OTP appliance for those who hate complexity. Unlike prior OTP implementations, the YubiKey doesn't require any special drivers or local client software because it acts as a fancy keyboard, appearing to any system as a USB human interface device. That means it works just as well on Linux and OS X as Windows. Once connected, the YubiKey has one function: converting a cryptographically strong (a hash of an AES key), unique, one-time password into a long series of keyboard-compatible ASCII characters every time you touch its one and only button. Each randomly generated sequence (see details [PDF]) incorporates a static, 48-bit public identity and a 128-bit OTP string. The YubiKey's simplicity is exemplified in a tiny, utilitarian, low-cost design that translates to a price of only $25 for single units; that drops to $15 in volume. Better still, the software for integrating the YubiKey into applications is open source, with an active community of developers having already published utilities allowing the YubiKey to authenticate to Windows AD, Google Apps, SAML, OAuth and several password managers, including LastPass.

While promising, the YubiKey is far from a perfect password replacement. First, like prior OTP efforts, it requires server- and application-side support. Obviously cognizant of this roadblock, Yubico has released its own cloud authentication service for end users and fostered support for other authentication services, like LastPass and OneLogin, along with federated login systems like OAuth and SAML. Yet there's a more fundamental obstacle in this post-PC era: USB ports are about as common as floppy disks, and unlikely to ever appear on Apple's category-defining iPhone and iPad. If only there were a secure (make that very secure), local (make that very local) wireless technology.

Well, there is, and it turns out that near field communication may end up being more than just a replacement for magnetic stripe readers. Yubico sees NFC as an ideal interface for OTP tokens, and its new YubiKey NEO uses the same cryptographic engine but adds an NFC radio to the original product's USB port. Like the original, the NEO's software is customizable; however, instead of sending a key sequence out the USB port, Stina Ehrensvard says the typical response to a button-press on a smartphone will be to launch the browser and display a programmable URL that includes the OTP. No custom app necessary. The NEO also supports the same suite of services and standards, including LastPass, Google Apps, SAML, and OAuth. Although NFC is designed as a secure wireless protocol that works over at most a few inches, Ehrensvard says Yubico's implementation opted to eliminate any possibility of wireless intercept by requiring that the NEO be in physical contact with the mobile device.

While the NEO could end up being the ultimate mobile security token, it faces some hurdles. First, NFC is far from ubiquitous, with most estimates putting the technology's penetration at 20% to 50% of smartphones in the next two to three years. Second, the most popular smartphones and tablets on the planet don't support NFC, and it's still unclear when Apple will introduce the technology. Although reports continue to swirl that the next iPhone will sport NFC, possibly even using it as an authentication system, NFC landing in the impending iPad 3 is more of a long shot.

Finally, as a nascent technology, there are bound to be device compatibility kinks to iron out before NFC approaches USB-level simplicity. Look at how long Bluetooth has been around and the headaches it still creates when trying to pair a new headset or keyboard. When pressed about these roadblocks, Ehrensvärd admits that NFC might not be the only mobile OTP interface. Although not ready to announce details, she says Yubico sees a way of using another port that's guaranteed to be on every phone, tablet, and (hint) even music player, to transmit OTP codes.

Yet bringing OTP to mobile devices is more than just a hardware problem. Application support and user acceptance are also roadblocks. Although Yubico's open source software model, active developer community, and demonstrated support by thousands of enterprise customers offers hope that the software issues aren't insurmountable, user behavior is a tougher nut to crack. When many people still don't protect their phones with a screen-lock PIN, it's hard to be too optimistic about their willingness to drag out a keychain every time they want to log in to a website or app. However, perhaps the burden of remembering a growing list of account names and passwords will create a tipping point where the inconvenience of a hardware token is less than that of a hacked account.