Lily Hay Newman
Though there are other authentication dongles out there, YubiKeys are largely the face of the physical two-factor authentication movement. Unfortunately, to date they’ve also been unavailable for the most high-profile smartphone in the world. But on Tuesday manufacturer Yubico is releasing the first Lightning port YubiKey for use with iPhones and iPads. It’s been a long time coming.
First announced in January, the Lightning YubiKey has been in the works for more than a year now. Yubico first needed to get Apple’s MFi certification—a license required for all Lightning devices—before it could start designing the product and getting third-party developers on board. The dongle, priced at $70, has a Lightning connector on one side and USB-C on the other side. That way it works with not only iPhones and iPads, but also MacBooks or any other USB-C device. Up until now, Yubico hasn’t had any offerings that could work with iOS devices, and even among competitors the only option was Bluetooth authentication dongles, which can be glitchy, need to be charged, and potentially introduce their own insecurities.
Though the Lightning YubiKey is finally here with Apple’s (mandatory) blessing, Apple still hasn’t incorporated the underlying open authentication standard, FIDO2, into its operating systems by default. As a result, the Lightning YubiKey can’t automatically work as an authentication token throughout your iOS experience. Each app needs to add compatibility individually through a new application programming interface. For today’s launch, you can use the new Lightning YubiKey with a number of password managers and authentication services, like 1Password, LastPass, and Okta. You can also sign in with the key on a number of websites through the Brave iOS browser app.
Using the Lightning key is very similar to using other YubiKeys. You can link the key to an array of services and then plug it into your iPhone to log into their app. You can also use the USB-C end in the same way for other devices, including prominent Android phones like the Google Pixel and Samsung Galaxy S9. At launch, the dongle won’t work in the USB-C port of iPad Pros.
“We’re grateful that Apple is finally on board,” Yubico CEO Stina Ehrensvärd tells WIRED. “We want YubiKeys to be a seamless experience and for two-factor authentication to reach 3 billion people. So ideally we need to not have an iOS SDK, but for it to just auto-work in Apple products. But you have to start somewhere.”
More than a dozen other apps and services, including some heavy hitters Yubico declined to name, are on track to add support for the Lightning keys in their apps by the end of the year. And Apple has recently moved closer to fully adopting FIDO2. The company enabled the related open standard, WebAuthn, by default in macOS’s May Safari Technology Preview.
“We’ve really enjoyed working with Yubico on bringing this integration to 1Password on iOS,” says Jeffrey Goldberg, a product security officer at AgileBits, which makes 1Password. “We all know that people reuse passwords and that passwords can be captured in transit, say by phishing. Hardware tokens and password managers each tackle those problems in their own ways.”
Though finally debuting the Lightning key is a big triumph for Yubico, Ehrensvärd is already looking ahead. She imagines a world where servers or devices like routers and Internet of Things gadgets use FIDO2 and WebAuthn to offer multifactor authentication without human involvement. And her hope is that more companies will expand the range of technologies that can support multifactor authentication.
“If I could have an ask it would be that everything should move to NFC, because then authentication keys could work with any device,” she says, of the wireless, port-less standard near field communication. “I’ve heard rumors that iPhones might let authentication work with NFC. That would be great. We’re wide open to all possibilities.”
For now, at least you finally have the option of using some type of YubiKey with your iPhone for the first time.