https://www.linuxjournal.com/ en https://www.linuxjournal.com/content/webauthn-web-authentication-yubikey-5 <div data-history-node-id="1340427" class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="field field--name-node-author field--type-ds field--label-hidden field--item">by <a title="View user profile." href="https://www.linuxjournal.com/users/todd-jacobs" lang="" about="https://www.linuxjournal.com/users/todd-jacobs" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">Todd A. Jacobs</a></div> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p><em>A look at the recently released YubiKey 5 hardware authenticator series and how web authentication with the new WebAuthn API leverages devices like the YubiKey for painless website registration and strong user authentication.</em></p> <p> I covered the YubiKey 4 in the May 2016 issue of <em>Linux Journal</em>, and the magazine has published a number of other articles on both YubiKeys and other forms of multi-factor authentication since then. Yubico recently has introduced the YubiKey 5 line of products. In addition to the YubiKey's long-time support of multiple security protocols, the most interesting feature is the product's new support for FIDO2 and WebAuthn. </p> <p> WebAuthn is an application programming interface (API) for web authentication. It uses cryptographic "authenticators", such as a YubiKey 5 hardware token to authenticate users, in addition to (or even instead of) a typical user name/password combination. WebAuthn is currently a World Wide Web Consortium (W3C) candidate recommendation, and it's already implemented by major browsers like Chrome and Firefox. </p> <p> This article provides an overview of the YubiKey 5 series, and then goes into detail about how the WebAuthn API works. I also look at how hardware tokens, such as the YubiKey 5 series, hide the complexity of WebAuthn from users. My goal is to demonstrate how easy it is to use a YubiKey to register and authenticate with a website without having to worry about the underlying WebAuthn API. </p> <span class="h3-replacement"> About the YubiKey 5 Series</span> <p> The YubiKey 5 series supports a broad range of two-factor and multi-factor authentication protocols, including: </p> <ul><li> Challenge-response (HMAC-SHA1 and Yubico OTP). </li> <li> Client to Authenticator Protocol (CTAP). </li> <li> FIDO Universal 2nd-Factor authentication (U2F). </li> <li> FIDO2. </li> <li> Open Authorization, HMAC-Based One-Time Password (OATH-HOTP). </li> <li> Open Authorization, Time-Based One-Time Password (OATH-TOTP). </li> <li> OpenPGP. </li> <li> Personal Identity Verification (PIV). </li> <li> Web Authentication (WebAuthn). </li> <li> Yubico One-Time Password (OTP). </li></ul><p> In addition, the entire YubiKey 5 series (with the exception of the U2F/FIDO2-only Security Key model) now supports OpenPGP public key cryptography with RSA key sizes up to 4096 bits. This is a notable bump from the key sizes supported by some earlier models. Yubico's OpenPGP support also includes an additional slot for an OpenPGP authentication key for use within an SSH-compatible agent, such as GnuPG's <code>gpg-agent</code>. </p> <img src="https://www.linuxjournal.com/sites/default/files/styles/max_650x650/public/u%5Buid%5D/12568f1.jpg" width="650" height="434" alt="""" class="image-max_650x650" /><p><em>Figure 1. YubiKey 5 Series</em></p></div> <div class="field field--name-node-link field--type-ds field--label-hidden field--item"> <a href="https://www.linuxjournal.com/content/webauthn-web-authentication-yubikey-5" hreflang="en">Go to Full Article</a> </div> </div> </div> Tue, 21 May 2019 12:00:00 +0000 Todd A. Jacobs 1340427 at https://www.linuxjournal.com