WebAuthn Web Authentication with YubiKey 5

A look at the recently released YubiKey 5 hardware
authenticator series and how web authentication with the new
WebAuthn API leverages devices like the YubiKey for painless website
registration and strong user authentication.

I covered the YubiKey 4 in the May 2016 issue of Linux Journal, and
the magazine has published a number of other articles on both YubiKeys
and other forms of multi-factor authentication since then.
Yubico recently introduced the YubiKey 5 line of products. In addition to the
YubiKey’s long-standing support for multiple security protocols, the most
interesting feature is the product’s new support for FIDO2 and WebAuthn.

WebAuthn is an application programming interface (API) for web
authentication. It uses cryptographic “authenticators”, such as a YubiKey
5 hardware token, to authenticate users, in addition to (or even instead
of) a typical user name/password combination. WebAuthn is currently a
World Wide Web Consortium (W3C) candidate recommendation, and it is already
implemented by major browsers such as Chrome and Firefox.

This article provides an overview of the YubiKey 5 series, and then
goes into detail about how the WebAuthn API works. I also look at
how hardware tokens, such as the YubiKey 5 series, hide the complexity of
WebAuthn from users. My goal is to demonstrate how easy it is to use a
YubiKey to register and authenticate with a website without having to
worry about the underlying WebAuthn API.

About the YubiKey 5 Series

The YubiKey 5 series supports a broad range of two-factor and
multi-factor authentication protocols, including:

  • Challenge-response (HMAC-SHA1 and Yubico OTP).
  • Client to Authenticator Protocol (CTAP).
  • FIDO Universal 2nd-Factor authentication (U2F).
  • FIDO2.
  • Open Authorization, HMAC-Based One-Time Password (OATH-HOTP).
  • Open Authorization, Time-Based One-Time Password (OATH-TOTP).
  • OpenPGP.
  • Personal Identity Verification (PIV).
  • Web Authentication (WebAuthn).
  • Yubico One-Time Password (OTP).

In addition, the entire YubiKey 5 series (with the exception of the
U2F/FIDO2-only Security Key model) now supports OpenPGP public key
cryptography with RSA key sizes up to 4096 bits. This is a notable bump
from the key sizes supported by some earlier models. Yubico’s OpenPGP
support also includes an additional slot for an OpenPGP authentication
key for use within an SSH-compatible agent, such as GnuPG’s

Figure 1. YubiKey 5 Series

