A YubiKey for iOS Will Soon Free Your iPhone From Passwords

Credit to Author: Brian Barrett| Date: Tue, 08 Jan 2019 17:00:00 +0000

Over the last several years, Yubico has become close to ubiquitous in the field of hardware authentication. Its YubiKey token can act as a second layer of security for your online accounts, and even let you skip out on using passwords altogether. The only problem? It’s been largely unusable on the iPhone. That’s going to change soon.

The upshot: Yubico has received MFi certification, meaning Apple will officially support it as a hardware partner. To that end, the company will finally be able to make a YubiKey that fits into the iPhone and iPad’s proprietary Lightning port, giving those devices the seamless security that already works so well on PCs. On the opposite side, it will offer a USB-C connector for MacBooks. (By way of disclosure, WIRED gives new subscribers a YubiKey 4 when they sign up.)

The news comes with some caveats. Yubico won’t have an actual product until later this year, and needs developer buy-in for its Lightning token to reach its full potential. “It’s iPhone, it’s restrictive,” says Jerrod Chong, senior vice president of product at Yubico. “We’re not exactly there with default settings on an iPhone yet, so there’s some work that developers need to do to enable their apps to work with the Lightning key.”

One key limitation: Apple does not yet natively support FIDO2, an open source standard that lets you access your online accounts simply by plugging in a hardware token, rather than using a password. So if you want to use a Lightning-compatible YubiKey with Gmail, say, Google would have to provide support.

Yubico hasn’t announced any partners so far, but it at least has a head start. In August it expanded its iOS software development kit to include Lightning; the SDK had originally launched last March to help jury-rig support for near-field communication (or NFC) connections. But even with buy-in from developers like LastPass, NFC turns out to be an especially unhelpful way to manage authentication on an iPhone.

Over NFC, for instance, a YubiKey can only use what’s known as one-time password authentication, which is a one-way protocol. You can achieve two-way communication by using Bluetooth instead, but you’re also just as likely to accidentally pair with your soundbar rather than your smartphone.

“At a high level, today there are three ways you can communicate with the iPhone,” says Chong. "You can communicate over NFC, but it’s very limited in terms of what you can do. You can communicate over Bluetooth; the challenge there is that it’s not super reliable. And then the third way is a hard connection.”

Which brings us back to the Lightning YubiKey, which may be even more useful by the time it launches. While Apple doesn’t support FIDO2 now, the latest technical preview for Safari suggests it could be on its way. If iOS embraces the passwordless login standard, it will not only proliferate across the platform, it will have achieved ubiquity across every major operating system.

A green light for an iOS YubiKey may be relatively minor news, but it signifies a promising future, one in which the only password you have to remember for any of your devices lives not in your memory, but on your key ring.

https://www.wired.com/category/security/feed/