The First Lightning Security Key For iPhones Is Here, and It Works With USB-C, Too

Yubico is releasing the $70 YubiKey 5Ci, the first security key that can plug into your iPhone's Lightning port or a USB-C port, and it's compatible with popular password vaults LastPass and 1Password out of the box. The Verge reports: That means you may not have to remember your password for your bank ever again -- just plug the YubiKey into your iPhone, use it to log into the 1Password app, and get that bank password. At launch, it'll support these well-known password managers and single sign-on tools: 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta. And when using the Brave browser for iOS, the YubiKey 5Ci can be used as an easier way to log into Twitter, GitHub, 1Password's web app, and a couple other services.

Notably, the 5Ci doesn't work with the newest iPad Pros at all, despite having a USB-C connector that fits. And you can't just plug the Lightning side of the 5Ci into an iPhone and expect it to work with any service that supports the FIDO authentication protocol -- our passwordless future isn't here just yet. Yubico tells The Verge that services have to individually add support for Lightning connector on the 5Ci into their apps.

What happens if you lose this device?

[henrik stigell]

What happens if you lose this device? Do you lose access to everything then?

Re:What happens if you lose this device?

[Entrope]

They recommend that you get a backup key, and keep it somewhere safe. If you only have one and lose it, you'll have to use pretty insecure (and account-specific) recovery protocols to restore access to your accounts.

Re: What happens if you lose this device?

[jrumney]

Whether you lose it or not, the existence of these insecure recovery protocols is the weak link in the chain. The only security benefit you gain from using these is that keyboard loggers cannot capture your password.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

I would argue that benefit is already possible using Lastpass or any password manager without the use of a dongle.

Re:

[ctilsie242]

One benefit of Yubikeys is the fact that there has to be a physical presence there, to press the button on the key, and this renders many attacks obsolete.

The ideal would be some printed recovery codes, or a Google Authenticator app, if the key is lost. For services I use a security key for (the Thetis keys seem a lot more solid than Yubikeys, except MS doesn't seem to support them), I also have TOTP auth codes, and written one use codes. That way, I have several fallbacks should something fail.

Re:

[golgotha007]

>>Whether you lose it or not, the existence of these insecure recovery protocols is the weak link in the chain. The only security benefit you gain from using these is that keyboard loggers cannot capture your password.

I think you're missing the point. The largest benefit is thwarting someone from logging into an account even if they have your credentials, brute forced or otherwise. Without the yubkey, they're out of luck. Also, instead of using Google Authenticator for TOTP, use Yubico Authenticato

Re:What happens if you lose this device?

[fuzzyfuzzyfungus]

There are some account-recovery mechanisms that aren't a total disaster(reset emails, no; some hideously long "really, you'll need to print this one" recovery password, potentially); but as you say they tend to be idiosyncratic and highly variable in quality.

The nice thing about the FIDO2 keys(unlike the RSA/time-based fobs) is that they can be safely used to authenticate with multiple services(the RSA fobs, while very clever in eliminating any need for specific hardware support or connection between the fob and the authenticating device, do this by being shared-secret based; so what you need to know in order to validate a login from one is the same thing you'd need to spoof a login from one, which means that you can really only use each one with a single service); and they don't require batteries(unless they need to support bluetooth) so they don't drop dead every 2-3 years. This makes the "keep a key in reserve" advice a lot more palatable. I can also attest(from personal carelessness) that being a battery-free chunk of circuit board encapsulated in tough plastic survives trips through the laundry without flinching; which comes in handy when you forget to clear your pockets fully.

They've also gotten pretty cheap, for the FIDO2-only models(the ones that do smartcard emulation and assorted other stuff will run you more, though still only ~$45). Yubico is by no means the cheap seats; and their basic USB key is $20 in quantity 1, $27 if you want NFC with that; so it's not too painful to have a few backup keys on hand. This 'for mobile' one is more expensive, so you don't want to be losing those all the time; but you don't need the fancy form-factor for your 'break glass' backup key that you use only if you need to get in to untrust a key that you've lost and enroll the replacement.

Re:

[110010001000]

There is a backdoor password. It is "1234".

Re:

[sconeu]

Isn't that 12345? At least, that's the combination I use for my luggage.

Re:

[Darinbob]

Those sorts of statements like "you may not have to remember your password for your bank ever again" are common, and essentially from naive and short sighted individuals. And yet some people are amazingly surprised and/or angry when something breaks and they lose all their passwords, all their pictures, all their data, etc. Maybe this comes from the overwhelming desire to own all the newest gadgets and this drowns out the part of the brain that says "do you really need this?" and "but what if?"

I mean, writ

Re:

[Timothy2.0]

I'm more concerned about what happens if the police/border guards stop you. Odds are you're carrying this thing on a keychain, and what's to stop them from using it to access your device while you sweat it out in an interrogation room? Fantastic: All your passwords in one convenient dongle...Why not just go back to writing them on a post-it and sticking it to your monitor?

Passwordless future?

[Viol8]

" our passwordless future isn't here just yet"

And it probably never will be. Neither biometric data nor a security fob is as secure as a simple code since the former can both be stolen without you knowing it until its too late (biometric by pictures of your face, your voice recorded and fingerprints lifted from a device). The only way a password can be stolen is if you're stupid enough to write it down or let someone watch while you enter it. (Ok, if there's a keylogger on your system it can be stolen then too but by then your system is already compromised anyway so no security system would be safe to use)

Re:

[110010001000]

Modern biometrics can't be defeated by pictures or "lifted" fingerprints. Biometrics is infinitely more secure than a password.

Re:

[markdavis]

>" Biometrics is infinitely more secure than a password."

Nope. It depends on the biometric and the situation. If it is fingerprints, the answer is always "no". If it is face recognition or voice recognition, the answer is also "no". If it is genetic, also "no". Not only are they not secure, but they invade privacy.

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerpri

Re:

[Viol8]

Also once your biometrics are stolen good luck changing them for new ones like you can a password.

Re:

[110010001000]

You can't steal biometrics. Go try it. It won't work.

Re:

[Viol8]

You believe that if it makes you feel better.

Re:

[110010001000]

Totally incorrect. When I say "modern" biometrics I mean that you cannot use "lifted" fingerprints for example. Go try and use a lifted fignerprint on a modern fingerprint scanner. It won't work. Passwords can be obtained via many different ways. MODERN biometrics are much more secure.

Re:

[Darinbob]

Password replacements aren't great either. The concept should change. And of course, it already exists. Cryptography hasn't stagnated since the invention of passwords. Go with a mix of Public Key Infrastructure and a challenge-response protoocol. The most you have is a highly secure private key, it never leaves your possession Then to access a server there is a challenge based partly upon your public key and the device will automatically generate a secure response. And of course, key rotation and expir

If Slashdot is just going to be adverts, I'm out.

[Kamineko]

If Slashdot is just going to be adverts disguised as articles (like the diet plan thing earlier) I'm out.

Re:If Slashdot is just going to be adverts, I'm ou

[110010001000]

Sure, but before you go, let me give you an exit gift: A $5 coupon to Amazon. Also, if you read only twenty more articles you can earn enough credit for another $5 coupon!

Re:

[Kamineko]

Score: +1: Tragically Plausible. *sigh*

Unsure

[Nick Nick]

...why do we need this product?

What a terrible idea

[danielcolchete]

Your phone is already considered a something-you-have type of authentication in use (whence SMS authentication). Adding a YubiKey there doesn't add much more security to that, it's just a slightly from of the same class of authentication: the something-you-have class.

So this article already starts with a terrible idea: if you stop using passwords because of this you will be going from double authentication (something-you-know and something-you-have) to just single authentication (something-you-have), getting worse overall security because it's not double authentication anymore.

The use case of someone robbing you of your phone will be awesome, because now you also need to carry the key around to use your phone properly, so they can steal the YubiKey as well.

Re: What a terrible idea

[TuballoyThunder]

SMS as a second factor is horribly insecure and should not be used (or only for no-consequence websites)

Re:

[kevmeister]

It's been years since NIST, the US government's agency responsible for standards, including computer security, warned that SMS was not acceptable as a 2-factor component, but it is still heavily used and the fact that NIST issued a warning that it is not effective is largely unknown. Better would be a combination of a physical key and a fingerprint. What you have and what you are. Use of passwords MUST be eliminated if we are to have real cyber-security.

Re:

[thegarbz]

No you still need a password to use a YubiKey. The difference is you remember the password for the key instead of the password for the server minimising password reuse.

Re:

[ctilsie242]

I rather see something SMS based with a phone than another device to carry around. My 2FA apps all can be set to require a PIN or fingerprint, which essentially makes things 3FA, requiring a password, the phone in an unlocked state, and access to the app. With good backups (including printing out MFA seeds and keeping those somewhere secure), that is adequate.

The one thing the YubiKey provides is physical attestation. Someone has to press the button on the key. This is useful for mitigating remote attac

Re:

[MachineShedFred]

Yeah, how many SMS man-in-the-middle compromises are available now?

Never use SMS authentication if you can help it. It's barely more secure than not having 2FA at all.

why not an NFC or RFID implant

[FudRucker]

then you dont have to keep a key in your pocket, it can be implanted in your hand and as soon as you grab your phone it unlocks along with any password you may need for banking or online shopping,

So, USB works or it doesn't work?

[Rosco P. Coltrane]

TFA's title: "The First Lightning Security Key For iPhones Is Here, and It Works With USB-C, Too"
TFA's content: "Notably, the 5Ci doesn't work with the newest iPad Pros at all, despite having a USB-C connector that fits."

So which is it?

Re: So, USB works or it doesn't work?

[Cmdln Daco]

Basically, it isn't supported by Apple, and all support will go away as soon as Apple has invented it.

Re:

[hsmith]

The USB-C portion of the lightening key does work with the USB-C iPad Pro. the author of this post is an idiot.

They invented a key not the password manager

[thewolfkin]

That means you may not have to remember your password for your bank ever again

Who is TheVerge audience? Because you haven't needed to know your bank password for years. Because ya know password managers exist already. The article is all about how this works with password managers but right now without this device you don't need to know your bank password. You need to know your [password] manager's password. This is a small thing but in an article all about how to improve password managers it would be nice

Countdown

[DontBeAMoran]

Apple to use their secure enclave chip to do the exact same thing in future iOS versions in 3... 2... 1...

never do this

[Micah NC]

LastPass lost everyone's passwords to the hackers, and that's just one of the cases we know about.

Why spend $70 so that someone else can give your password away?

https://www.independent.co.uk/... [independent.co.uk]

Re:

[ctilsie242]

In LastPass's favor, they were breached, but an attacker still has to figure out the user's master password to get access, and with a proper algorithm like bcrypt, I'm sure there are ones that fall easily, but most would be inaccessible. Other places like 1Password requires the password plus a secondary key for access which are two pieces that an attacker likely would not have, or be able to get both. BitWarden also is decent, and has been audited, with findings addressed.

There are other password managers

How much extra security does this provide?

[thegarbz]

On the one side we have a hardware key with FIDO interfacing with a password manager, and on the other side you could just have your encrypted password manager file on a USB stick.

Can someone help explain the benefits of this key if all it does is work with password managers? I often thought the password managers were quite secure by themselves.

Re:

[ctilsie242]

The biggest security component with a password manager... is your password. From there, 2FA/MFA important, but what keeps your keys encrypted, should there be a breach on the cloud side, is the password.

Re:

[MachineShedFred]

It doesn't just work with password managers. For example, I use a Yubikey as a second factor for access to my company's AWS console because it supports U2F authentication devices through Chrome.

This mitigates remote vulnerabilities because someone would have to physically press the button to have the key enter it's code, unlike a compromised TOTP token.

Oh goodie!

[p51d007]

A 10 dollar device but because it is associated with Apple, the price it 70 bucks. Another great way to jack up your lightning port, plugging and unpluggin the charger, your headphone adapter (oh wait, you iphone types bought into the whole overpriced BT airpods).

Is This How Yubico OTP Works?

[ewhac]

This is a copy-paste from a post I made to the Book of Faces a few days ago, but only received a few responses. Perhaps the membership here has deeper insights.

_ _ _ _ _ _ _ _ _

Please tell me if any of the following analysis is incorrect:

The default configuration of the Yubikey 5 (a two-factor authentication (2FA) gadget) is Yubico OTP, which works as follows: Each Yubikey has a unique serial number and a unique 128-bit AES symmetrical cryptographic key. Both are programmed into the Yubikey at the factory, and only Yubico knows the AES key.

When you tap the contact on a Yubikey as part of a 2FA login process, the serial number is output in plaintext, followed by the serial number (again) plus a monotonically ascending counter value both encrypted by the AES key. The result, after encoding, is a 44-character one-time token. This token gets fed to (for example) Facebook as part of your login.

Facebook then passes this token verbatim to Yubico. Yubico then uses the plaintext serial number to look up the key, decrypts the rest of the token using their copy of the AES key, and checks to see that the ciphertext serial number matches the plaintext copy, and that the counter value submitted is greater than the last counter value they saw. If both checks pass, Yubico replies to Facebook that, yes, this is a valid token for this key. Facebook then says okay, and lets you into your account.

Conclusion: This process doesn't say anything specific about the user's identity (i.e. "This is Bols Ewhac"). All it proves is that the Yubikey used to login to the account is the same Yubikey used when 2FA was initially set up, presumably by the authorized user.

Side Effects: Yubico gets to see *every authentication* for a given Yubikey. Yubico sees a connection from Facebook requesting a validation for Yubikey $(SERIAL_NUMBER). While Yubico may not necessarily know that Yubikey $(SERIAL_NUMBER) belongs to $(SPECIFIC_PERSON), they *would* see that same Yubikey presented to Google, Github, $(BANK), etc. over the course of time. This exposes Yubikeys to temporal correlation attacks by third parties that can see network traffic between users, services, and Yubico.

Yubikey 5 also supports NFC (Near-Field Communications, a very short range digital radio standard). This means that Yubikey 5's can be undetectably scanned for their serial numbers by third parties as they leave the factory/warehouse on their way to users.

(Yubico OTP is but one of the modes supported by the Yubikey 5.)

Re:

[h4ck7h3p14n37]

Can't you run that Yubico service locally?

Yubikeys have two profile slots, the first one has the unique id from the factory and the second one is unset. You don't have to use the pre-programmed id, you can either change the value yourself using their personalization tool or you can use a different protocol. I have a NEO on my keychain with my GPG keys installed.

Re:

[aleph]

The more common profile used these days is FIDO U2F, which has individual keys for each service, and doesn't involve Yubico.

https://www.yubico.com/solutio... [yubico.com]

You can also run run your own Yubikey server for the other profile, you can download it from their website. It's basically a FreeRADIUS setup from my vague recollection (could be wrong).

The fancier (non u2f) yubikeys also act as smart cards, so you can install your own X509 cert and/or GPG key on them as well (in addition to the two OTP profiles, and FI

Re:

[aleph]

Oops, by non u2f I meant non u2f *only* keys. All current yubikeys support u2f I think. The u2f only ones are just cheaper, and don't support any other form of OTP or smartcard functionality.