Using YubiKey OTP to secure your Portal
I have wanted to write this blog for ages but have only gotten around to it now. Before I begin I would like to acknowledge the following which are also related to the content of this posting:
- Gregor Wolf’s New ABAP Open Source Project: Class for YubiKey authentication on implementing something similar in ABAP. I think/hope this is going to be different enough to warrant another blog.
- Yubico AB – the creators of the ingenious little Yubikey 🙂
- Steve Gibson and Security Now for bringing this to my attention in episode 143.
When I first heard about the Yubikey I thought it was an brilliant idea and wanted to play with it and find a way to integrate it into SAP. Since my experience is mostly with the Portal I decided to write a custom login module for the J2EE engine that could be used to authenticate users who had a YubiKey. I was interested to see if this could be a good alternative for companies wishing to implement strong security without going down the path of client side certificates.
Mapping user accounts to keys
Users need to be able to register their YubiKey against their User Id. Each YubiKey is unique and therefore is assigned a unique identifier. When the user logs on the unique key should be associated with a valid user in the system. This ensures that YubiKeys cannot be shared between users. An administrator could also do this on behalf of the user before issuing they key to their users. Some options for doing this could be:
- Add a custom attribute to the UME to store the YubiKey unique Id against a user record
- Use an ABAP system to store the mapping (if you have one available)
- Use a custom database table if you were going to implement an internal YubiKey authentication service, this would probably make a lot of sense.
YubiKey Logon Module
The YubiKey OTP (One Time Password) needs to be validated. For my POC I did this by using the publicly available API from Yubico since that was the easiest thing for me to do. However it is perfectly possible and probably advisable to run the YubiKey server internally so that you have full control over the management of the keys you issue in your organisation. There are many open source implementation of the validation server you can use. Of course the logon module can be chained so that it can be used in conjunction with other modules (e.g. the basic user id/password module).
Real life example
If the authentication step succeeds then bingo! the user is granted access to the Portal (or any web application you like). Below is a screenshot from my demo portal.
So in my view what would be the pros and cons of this type of solution?
- The Yubikey OTP is inherently very secure. For a more detailed description of why, I would suggest you listen to episode 143 of the Security Now podcast.
- It is easily transferrable between computers.
- It is compatible with any system that can recognize a USB keyboard.
- I love using my YubiKey, it is a very nice tactile experience – this probably sounds silly but it certainly adds to the enjoyment of using the product.
- The YubiKey will never run out of batteries (there are none!)
- You don’t need to read a 6 digit number and enter it manually which is prone to error and can be difficult depending on how good your eyesight is (am I getting old? :-))
- The YubiKey is a physical device that people can lose or just forget at home, since it is not like an RSA fop key you can’t just call home and get someone to read the current code to you!
- You can’t instantly generate a new YubiKey(like you can with a digital certificate) – so you should probably keep some spares handy.
- The YubiKeys have an associated cost – but then most things do these days (unless you issue client side certificates yourself)
Of course you can also imagine combining other Single Sign on solutions with the YubiKey therefore enabling not only very secure authentication but also the convenience of SSO.
I hope you find this topic interesting and can start to see uses for such a solution within your landscape too. Please send me any suggestions or comments esp. if you see any other pros and cons of using such a system.
FYI… YubiKey 2.0 was recently released. It adds the ability to have both the OTP and Static password functionality in the same device.Mine should be winging its way to me now!