Web service for checking one-time passwords
A service created to verify OTP one-time passwords. They can be used either for two-factor authentication or instead of a main password. You can use YubiCloud or create your own server.
YubiKey’s secrets are protected by YubiHSM hardware module.
The service is located on several continents.
Fast and affordable protection
Free web API integration in less than an hour.
YubiCloud is the name of a service that was created to verify OTP one-time passwords. They can be used either for two-factor authentication or instead of a main password. A usage pattern combined with a password will typically look like this.
To start working with the service, you will need to get API keys – this is free, fast and helps prevent errors.
The advantage of the YubiCloud service is the simple integration and readiness of existing YubiKeys held by users to be verified by popular services such as Google Ads, LastPass password managers, etc.
If desired, instead of YubiCloud, you can use third-party implementations, such as are available, for example, on GitHub. The advantage of having your own server is that you can control all the AES* keys programmed into the YubiKey yourself.
* This is a symmetric block encryption algorithm (block size 128 bits, key 128/192/256 bits).
Advantages of using OTP
- Reliable and secure two-factor or one-factor authentication. The secret is stored directly on the YubiKey, where it cannot be copied or stolen.
- No client software required. A string is required to enter the OTP. And if there is a line for the password, then you can also send the OTP password.
- Built-in YubiKey ID. In this way, self-initialization and authentication can be performed on behalf of the user.
- Easy implementation. If you use the YubiCloud service, maintaining OTP is as simple as maintaining passwords.
To create your own verification server (or authentication module), you need to consider many factors. Next, we will consider an approximate abbreviated scheme of the development of the authentication module, which is already implemented in Yubico, to understand what exactly to pay attention to when creating it. Or you can get more detailed instructions in Ukrainian get here.
Recommendations for creating your own server
When designing a module, you must consider authentication, scaling, provisioning, and key administration modes.
To comply with many industry standards, you will need to set up two-factor authentication. This may be enough. But if you are developing an authentication module based on the YubiKey, we recommend using 4 authentication modes according to the roles of your users and the requirements of your security policy:
Username + password
This mode is not the most secure, but in some cases it may be sufficient for the consumer purposes of users and to simplify the registration procedure.
YubiKey username or OTP + password
In this case, you can simplify the process of entering the system. The method is quite safe, especially if you use complex passwords and store them in a safe place (storage).
YubiKey Username + Password + OTP
This is one of the safest modes. It is usually set as standard. We also recommend that you consider the following administrative configuration setting: make a password optional until the YubiKey is assigned to a user account. This will simplify the administration procedure in large companies, giving new users time to switch to stronger authentication methods.
Only OTP YubiKey
Logging in is even easier when using only the YubiKey ID. But there is a danger that if the key is stolen, the attacker will get into the system. Of course, the procedure will be difficult for him: he will need to penetrate directly into the company’s office, find out where the victim keeps the key and which services he accesses. But note that there is a risk of breakage in this case.
The next steps in building your own server are scaling and administration.
You have to anticipate the growth of the organization, even if today you only have up to two dozen employees and few customers. Because the number of service users can suddenly grow from several hundred to several million. For example, how it happened with the avalanche the growing popularity of ChatGPT.
Therefore, even at the initial stage, it is desirable to consider options for developing modules that work in frameworks that can support at least 10,000 users. Additionally, consider a hierarchical structure for administration and support, so that as the structure grows, each has appropriate roles and access within the security policy.
Key administration includes the following functions:
- creation of an open EDS key certificate, which allows you to verify processes via the Internet;
- replacement of passwords for access to the secret EDS key in the key store;
- changing the number of the secret EDS key in the key store;
- deleting the EDS key from the key store.
Administration must be provided in such a way that the administrator has the ability to associate YubiKeys with user accounts. Especially when providing access to employees.
It is important to ensure a reduction in the administrative burden in case of growing team and users. To do this, users should be able to configure it themselves (that is, linking the key to the account). In such a model, the user must be able to authenticate in some other way to the key binding — typically with a login and password.
If possible, the authentication module can be developed as a plugin. Make sure it is not implemented by changing files on the main platform. In this case, it is possible to prevent a crash during the update of the underlying application platform.
An administrator must be able to install, configure, and run the YubiKey module from the administrator console.
Installing the module should be simple. For this, the following measures should be taken:
- It is necessary to define the configuration parameters according to the previous option for the module.
- All database modifications, such as creating new tables, defining a module’s configuration, etc., should be done without affecting other modules.
- Based on the requirements of the application’s underlying platform, the module must be registered in the application.
- Ideally, the installation script should provide support for all database systems supported by the underlying application platform.
Try to provide an elegant way to remove the authentication module if the need arises. The server should prompt the administrator to save a backup copy of the data used by the module. This should be an optional feature, optional at the administrator’s discretion. The process of removing the authentication module itself should not affect the operation of other programs.
After installation, with the authentication module enabled, the administrator should be able to configure the global settings:
- YubiKey authentication mode;
- Usage verification service;
- Ability to enable/disable the module.
The following configuration parameters should be provided in the module:
- One of the four authentication modes (which were mentioned above).
- Setting up the verification service.
Unless otherwise specified, this can be a Yubico verification service that has the following parameters: API keys; API indicator; Https; time out. If an administrator uses internal OTP authentication, their interface should have similar configuration options and URLs for internal instances of authentication servers.
The authentication module should provide simple management of user profiles. We recommend setting up information about them in tabular format:
- YubiKey ID;
- Status: active/deactivated;
- Status: active/deactivated;
For convenience, you can add other information, such as the last time the profile was used, contact support, special notes, etc. We also recommend adding a convenient search function by name, ID, or user activity.
The module should include the function of easy blocking of profiles to prevent access by unauthorized persons in case the keys are stolen by them. At the same time, the real user must be warned through a message. Also, users should be able to warn about the loss of the key by pressing a button when attempting to authorize.
There should be a function of additional verification of the user, for example, by a one-time link to the mail, after which it is possible to reset the key and use an additional one.
Advantages of YubiKey devices:
- Support for FIDO U2F, FIDO2 protocols, thanks to which it is possible to connect one-factor, multi-factor or passwordless authentication;
- Yubico OTP, OATH-HOTP, OATH-TOTP support;
- Smart card mode;
- OpenPGP standard;
- Compatibility with hundreds of popular services;
- Nano versions of security keys and hardware module, compact and ultra-convenient.
FIPS series keys, in addition to the advantages listed above, support the FIPS 140-2 standard (meets increased security requirements according to US security verification standards). Therefore, they can be provided through a separate order.
To order suitable devices for enterprise solutions or to get answers to your questions, send us an inquiry.
Our specialists will contact you soon, provide all the necessary information and help you choose the appropriate devices to protect your business.