Yubico’s New USB Security Key Review

Recently, Yubico released a new security key to create a passwordless login for Windows 10. The YubiKey USB key is currently only available for Windows Technology Adoption Program users. Seems like a great idea, right? Wrong.

A passwordless login with a USB key sounds like an easy, secure way to eliminate the use of passwords. Many companies feel that creating passwords are a daunting task for end-users. Especially when we suggest the use of creating a password greater than 14 characters to avoid the threat of rainbow tables. Read more information here about rainbow tables and the strategy behind passwords greater than 14 characters. When a potential user of the nFront Password Filter calls to inquire about the software, many times they are frustrated with employees who are creating commonly used passwords that are resulting in them either being hacked or failing a security audit. Commonly used passwords that are easily hacked are “Password123” and “Summer2018.” Neither of these passwords are secure, yet they are currently being allowed by Windows.

With the frustration that occurs by end-users not creating strong passwords, would requiring end-users to keep up with an additional piece of equipment (YuniKey USB drive) seem like a plausible solution? Having end-users keep up with an additional USB key would be a larger concern from my point of view as opposed to enforcing a stronger password policy.

Here are a few online statistics on the loss of USB drives for a one-year duration:

4,500 USB drives were left in UK dry cleaners
17,000 USB drives left in UK laundry mats
25,000 USB drives left in UK and NYC taxis

Furthermore, during a 2 year duration, one US airport reported over 1,400 badges that were either lost or stolen. If we’re looking at the concept of an employee not being able to create a password that isn’t “Password123” and “Summer2018,” are you sure that they will be able to keep up with a USB drive?

Also, another downfall to USB drive authentication is with the advancement of technology, not all computers and devices have USB slots.

Passwords have been around for longer than any of us have been alive, yet many people want to find a loophole around not having to use a password. Whether it is an external USB/smartcard login or biometrics, these can both be easily hacked. Read more about biometrics here. The key to a secure network are secure passwords. Secure passwords require one key concept – entropy. Longer passwords of 15 characters, even with just basic alphanumeric cases, is more secure than a shorter password with all four character types.

Bottom Line: Passwords aren’t going away anytime soon. Therefore, companies that are looking for shortcuts with passwords will most likely end up disappointed when their new approach does not work.