Yubico Forum
https://forum.yubico.com/

Yubikey and smart phones
https://forum.yubico.com/viewtopic.php?f=4&t=683
Page 1 of 1

Author:  merriam [ Tue May 31, 2011 7:55 pm ]
Post subject:  Yubikey and smart phones

Given how much sensitive data everybody puts on their phone these days it seems like we are going to need to use secure encryption on our phones. That means we need to key in a long password or encryption key every time we use our phone. The yubikey static password sounds ideal for this. Of course, it won't plug into my phone.

The yubico engineers must know more about USB than I will ever know but here is my understanding. Phones provide micro USB On The Go, USB-OTG, which can operate as either host (A) or peripheral (B). Phones usually present to your PC as a mass storage device, type B. Yubikey presents as a peripheral (B), specifically a keyboard. If yubikey was available with a USB-OTG type B connector it could present to the phone as a keyboard.

I don't know about the smart phone OS support for keyboards. It would make a lot of sense to actually plug in a keyboard if you have a lot of typing to do. Google says Android 3.1 will support USB Host mode.

It seems to me it would make sense for the yubico engineers to work on a micro USB B version of the yubikey and work with smart phone OS providers to provide support for it. OTP could then be used to authenticate to web sites and static password could be used for encryption passwords.

All that presupposes that whoever steals your phone doesn't manage to steal your yubikey also.

Author:  tester [ Thu Oct 06, 2011 4:16 pm ]
Post subject:  Re: Yubikey and smart phones

merriam wrote:
Given how much sensitive data everybody puts on their phone these days it seems like we are going to need to use secure encryption on our phones. That means we need to key in a long password or encryption key every time we use our phone. The yubikey static password sounds ideal for this. Of course, it won't plug into my phone.

The yubico engineers must know more about USB than I will ever know but here is my understanding. Phones provide micro USB On The Go, USB-OTG, which can operate as either host (A) or peripheral (B). Phones usually present to your PC as a mass storage device, type B. Yubikey presents as a peripheral (B), specifically a keyboard. If yubikey was available with a USB-OTG type B connector it could present to the phone as a keyboard.

I don't know about the smart phone OS support for keyboards. It would make a lot of sense to actually plug in a keyboard if you have a lot of typing to do. Google says Android 3.1 will support USB Host mode.

It seems to me it would make sense for the yubico engineers to work on a micro USB B version of the yubikey and work with smart phone OS providers to provide support for it. OTP could then be used to authenticate to web sites and static password could be used for encryption passwords.

All that presupposes that whoever steals your phone doesn't manage to steal your yubikey also.



Because our sites are now accessible from smartphones we switched from Yubikeys to Swekeys.
There is no need to plug the Swekey in the smartphone to make it works, you just have to do a kind of pairing between the smartphone and the the swekey using a web interface then it magically works... Amazing!

Author:  Fredrik-at-Yubico [ Mon Oct 17, 2011 2:19 pm ]
Post subject:  Re: Yubikey and smart phones

Dear tester

Yubico supports free speech, even when it is saying something positive about our competitors.

We do not know what your association with Swekey is, so we won't call it advertising, but we do see your multiple posts as a campaign for Swekey.

http://forum.yubico.com/viewtopic.php?f=2&t=541&p=2816#p2816
http://forum.yubico.com/viewtopic.php?f=6&t=683&p=2815#p2815
http://forum.yubico.com/viewtopic.php?f=2&t=490&p=2814#p2814
http://forum.yubico.com/viewtopic.php?f=16&t=488&p=2813#p2813

We think it inappropriate to make such posts in our forum; however, we will let our customers decide as we believe in our products and the excellent value our customers benefit from.

The Yubico team

Author:  ferrix [ Mon Oct 17, 2011 7:15 pm ]
Post subject:  Re: Yubikey and smart phones

I just want to say, I have so much respect for this response from Yubico, and it reaffirms my preference for supporting their products as much as possible (I work for an ISV partner)

Author:  medfordite [ Fri Dec 23, 2011 11:24 pm ]
Post subject:  Re: Yubikey and smart phones

I would think that as long as your smart phone accepted a USB keyboard input, the Yuibkey would work pretty well as long as you had the converter to convert down to the Micro USB standard. My phone doesn't do this so I can't test it, but it makes some sense. :)

Author:  cjoshdoll [ Sun Jan 08, 2012 6:00 am ]
Post subject:  Re: Yubikey and smart phones

I'm new to the yubi platform, however not so new to this realm - heres my take...

First, IMO its pretty impractical to think of using a token such as the yubikey (or any other bramd for that matter) with a smartphone, so long as its a plugin style.... I can't imagine having a key sticking out of my phone, and if it were to be something similar to micro sim/sd, it would be too small to switch between a phone and computer, unless it had a larger second paired key for this purpose, OR the phone once the key was inserted could then be used AS your key via bluetooth or similar. Practicality is a HUGE issue in this arena.... I use IronKey's for secure USB storage, which I love, however their lack of OS X development has nearly forced me away from them...simple issues like this kill security solutions.

The current alternatives such as google authenticator, seem to be a much better (current solution), IMO.

Another issue becomes OS integration with mobile devices....not many smartphones currently support HID devices out of the box, and most that do are via bluetooth, or proprietary plug. Smartphones are SUCH a sticky area when it comes to integration due to the MASS variety of hardware and OS software. Even Android devices OS's can vary significantly from device to device, as manufacturers tailor the OS to each device. More often than not, trying to keep up with mobile platforms just becomes cost prohibitive. Even if you target the big 4 (iOS, WinMobile, Android, BlackBerry) it can get out of hand quickly, and mobile OS makers are much tighter on their code, available API's, etc, partially because they have to try and protect the device from being unlocked, or violating other agreements with carriers. Carriers put a TON of restrictions on the OS vendors.

If you look at the low adoption rate of hardware keys of any kind, targeting mobile platforms can seem worthless to vendors....

I would LOVE to see a solution, I've been fighting basic credential management for mobiles for years, adding an advanced solution would be great! Heck, you can't even find a (user friendly) credential management system that traverses desktop OS's and mobiles right now...KeePass and LastPass have options, but certainly not friendly ones.

Personally, I'd like to see something along the lines of adding your smartphone to your Yubi as a solution...something like registering your device with a web interface, with an initial setup process that requires your Yubi from a desktop, and a verification between the phone and servers to allow your phone to act as an OTP key. There are issues to resolve with such a solution, but I think they are easier solved than the hardware solution...

As it stands as of TODAY, if you really need second factor authentication FROM your phone, something like an RSA digital display key is your best bet. If you need a second factor solution USING your phone as the key, something like Google Authenticator is your best bet...

Just my $.02...

Author:  Jakob [ Mon Mar 05, 2012 8:50 am ]
Post subject:  Re: Yubikey and smart phones

Smartphone apps certainly are both useful and cost efficient in some settings. However, it seems like many people have forgotten why software-only solutions have been largely abandoned in the PC/Mac world and why a downloaded executable from FileHippo or so does not make sense as an authenticator there anymore.

Take a look at our new Yubikey NEO launched last week. It provides a pretty slick UX and provides a neat way to use a token both on a desktop/laptop and a mobile phone. It of course requires the phone to have NFC

http://forum.yubico.com/viewtopic.php?f=4&t=765

Best regards,

JakobE
Hardware- and firmware guy @ Yubico

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/