[dupe] Passwordless authentication is here: new Yubico FIDO2 key (yubico.com)
21 points by rdslw on May 8, 2018 | hide | past | favorite | 7 comments



Can someone help me understand how this is different from the existing YubiKey products, which I've used?

* Passwordless single factor with AD integration (couldn't this already be done by storing your password on the key?)

* 2-factor auth with the token as one of the factors.

From the article:

-----------

Single Factor: This only requires possession of the Security Key to log in, allowing for a passwordless tap-and-go experience.

Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.

Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.


"Passwordless" single factor done by storing your password on the key isn't passwordless. You have a password. U2F replaces the password with a "bearer" authentication token - it's two-factor auth without the password, instead of a password-manager based approach.

The actual announcement in this blog post is Azure AD and Windows 10 integration, not anything new by Yubico.


In the "passwordless" scenario... if someone stole your yubikey, could they access anything you had authenticated it for?


And/or could they press the button in a terminal and get your token printed out in plaintext, in a way that could be reused?


In single factor mode (passwordless), your token is your password. So if you lose it, someone could access your accounts if they know your username.

The USB tokens don’t store a password, they store a master key pair, and then derive a site-specific key pair based on the URL you are connecting to. The site issues a challenge and the token signs it. This prevents replay attacks, and there is no way to export the secrets from the token. There is also no way to authenticate to a site by just having the key plugged in - you have to press the button on it. There is no way through software, even low-level USB HID commands, to trigger the button press.

Overall it’s really well designed and more secure than passwords, even in single factor mode.

The major downsides are that it requires browser support, and doesn’t work with iOS.
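The challenge-response flow this comment describes, as an added Go model that is not from the thread or from Yubico: a master secret derives a per-origin key pair, the site issues a one-shot challenge that the token signs only on a button press, and the server verifies with the stored public key and refuses a replay. The names (Token, Server, Register, Sign, Verify) and the HMAC-based derivation are assumptions of this model, not the actual U2F key-handle scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Token models a U2F-style authenticator (constructed model): a master secret that
// never leaves the device, and a per-origin P-256 key pair derived from it on demand.
type Token struct{ master []byte }
func (t *Token) siteKey(origin string) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, t.master)
	mac.Write([]byte(origin)) // the origin binds this key pair to one site
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, elliptic.P256().Params().N) // scalar must lie below the group order
	x, y := elliptic.P256().ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{D: d, PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}}
}
// Register exports only the public half; Sign answers a challenge only when the
// button is pressed (user presence) and signs the origin along with the challenge.
func (t *Token) Register(origin string) *ecdsa.PublicKey { return &t.siteKey(origin).PublicKey }
func (t *Token) Sign(origin string, challenge []byte, pressed bool) []byte {
	if !pressed {
		return nil
	}
	h := sha256.Sum256(append([]byte(origin), challenge...))
	sig, _ := ecdsa.SignASN1(rand.Reader, t.siteKey(origin), h[:])
	return sig
}

// Server is the relying party: it keeps the public key and one outstanding challenge,
// which is cleared once used so a captured response cannot be replayed.
type Server struct {
	Origin    string
	Pub       *ecdsa.PublicKey
	challenge []byte
}
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge) // fresh nonce per login attempt
	return s.challenge
}
func (s *Server) Verify(challenge, sig []byte) bool {
	if s.challenge == nil || !hmac.Equal(challenge, s.challenge) {
		return false
	}
	s.challenge = nil
	h := sha256.Sum256(append([]byte(s.Origin), challenge...))
	return ecdsa.VerifyASN1(s.Pub, h[:], sig)
}
```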


This is what I want for family members: the end to passwords and the end to using Facebook (or even Google for that matter) to authenticate logins. I continue to lament the end of Mozilla Persona.


Legal wonks:

I know biometric identification isn't afforded the same protection by law on the basis that biometrics are public (e.g. fingerprints are left everywhere), but what about physical keys? FIDO2 is entirely analogous to a physical key, and it's not exactly public the way biometrics are.

I'd still prefer a password for that added 5th amendment layer of protection, but I'm looking for what legal minds think about this right now.



