Yubico, the Swedish-American company that helped popularize key-shaped physical authentication tokens, has released a new line of products geared toward passwordless logins that give users secure access to software and online services without typing anything.
The company’s fifth generation of YubiKeys works with the new FIDO2 protocol in addition to other authentication methods. The result is that they “can be used alone for strong single-factor authentication, requiring no username or password to login — just tap or touch to authenticate,” Yubico said Monday.
Use of FIDO2 is supported by major browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge. YubiKey integration is also available with popular platforms like Google, Facebook and Twitter.
FIDO was developed by an alliance of technology companies to allow users to simply plug in or tap an authenticator key instead of using a static password. Companies are now slowly adopting the standard into their products.
The combination of methods in the fifth-generation products makes them the first “multi-protocol” keys to support FIDO2, Yubico said.
The new product line consists of four keys ranging in price from $45 to $60. There are two standard-sized and two nano-sized keys, each with a USB-A and USB-C version.
The YubiKey 5 NFC, the cheapest of the new line, also supports near-field communication with all of these protocols, letting users simply tap their mobile devices to authenticate. Yubico in May announced iOS compatibility, opening the gate for developers to integrate YubiKey NFC authentication into their apps.
Yubico says it envisions a more secure, passwordless future and that its new product line is a step toward that. The company has been highly influential — a test run of YubiKeys by Google led it to build its own brand of authentication tokens.
YubiKeys can be used for single-, two- and multi-factor authentication for devices and accounts. In such cases, two-factor authentication involves using a YubiKey along with a username and password, while multi-factor authentication adds a required PIN into the process.
“Innovation is core to all we do, from the launch of the original YubiKey ten years ago, to the concept of one authentication device across multiple services, and today as we are accelerating into the passwordless era,” said Yubico founder and CEO Stina Ehrensvard in a press release.
Authentication tokens are considered to be a simple and effective deterrent for phishing and other methods of compromising accounts. A cracked or phished password is essentially useless to an attacker if the account holder also physically has to tap a key to log in. Codes sent via SMS are more popular, but less secure.
Authenticator apps like Google Authenticator can be effective, but they offer less certainty about ownership.