YubiKey’s new iOS SDK lets developers bring hardware 2FA to their apps

Yubico, the maker of the popular YubiKey hardware two-factor authentication (2FA) token, has announced the launch of its iOS SDK. It lets developers build hardware-backed 2FA (as opposed to codes sent over SMS) into their apps, using the company’s NFC-equipped YubiKey NEO.

The groundwork was laid in iOS 11, which Apple released last September: its Core NFC framework lets apps read NDEF tag data, which is how the YubiKey NEO delivers its one-time password over NFC. The launch of this SDK signals that the tech has matured and is ready for prime time. Developers of apps, especially enterprise apps, that require an extra layer of secure authentication can use it to integrate YubiKey NEO support.

The YubiKey NEO generates a one-time password and transmits it to the phone over near field communication (NFC) when the key is tapped against the device, so the user never has to read a code off one screen and type it into another. Yubico says this is four times faster than manually typing in a token, as you would from an RSA SecurID keyfob. As an added bonus, the NEO draws its power from the reader’s NFC field, so it is completely batteryless. Yubico has published a short video demonstrating the flow.
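To make the "one-time" part concrete, here is an added example (not code from Yubico’s SDK or from LastPass) of what a verifying server does with a Yubico OTP that arrived via an NFC tap: it extracts the OTP from the NDEF URI record the key emits, decodes Yubico’s modhex alphabet, checks the CRC-16 of the decrypted 16-byte token, and rejects any OTP whose counters are not strictly newer than the last one accepted for that key. The NDEF URI prefix, the key database and all tap data are constructed assumptions, and the cipher is a labelled XOR stand-in for the AES-128-ECB decryption a real validator performs with the key’s secret (for example with the `cryptography` package); everything else follows the Yubico OTP token layout.

```python
"""Yubico OTP handling for an NFC-delivered token: extract the OTP from the NEO's
NDEF URI record, decode modhex, verify the token CRC and reject replays.
Added example, not Yubico SDK code; comments mark what is assumed or stood in."""
import re
import struct

MODHEX = "cbdefghijklnrtuv"           # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8                # CRC-16 residue of a valid 16-byte token
OTP_RE = re.compile(r"(?<![cbdefghijklnrtuv])[cbdefghijklnrtuv]{44}$")
# NFC Forum RTD-URI identifier codes (first payload byte) handled here.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
NEO_URI = "https://my.yubico.com/neo/"  # assumed default NEO NDEF URI prefix

def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    n = [MODHEX.index(ch) for ch in s]
    return bytes((hi << 4) | lo for hi, lo in zip(n[::2], n[1::2]))

def otp_from_ndef_uri(payload: bytes) -> str:
    """Pull the 44-char OTP out of an NDEF URI record payload (prefix byte + text)."""
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unsupported URI identifier code")
    match = OTP_RE.search(prefix + payload[1:].decode("ascii"))
    if not match:
        raise ValueError("no 44-character modhex OTP in URI")
    return match.group(0)

def crc16(data: bytes) -> int:
    """CRC-16 as used in Yubico tokens (reflected poly 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def parse_token(plain: bytes) -> dict:
    """Split a decrypted 16-byte token into fields after verifying its CRC."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed: wrong key or corrupted OTP")
    uid, ctr, tstpl, tstph, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    return {"private_id": uid, "counter": ctr & 0x7FFF,  # bit 15 is a flag, not count
            "timestamp": tstpl | (tstph << 16), "session_use": use}

def build_token(private_id: bytes, counter: int, timestamp: int, use: int) -> bytes:
    """Constructed plaintext token; the stored CRC is the complement of crc16(body)."""
    body = struct.pack("<6sHHBBH", private_id, counter, timestamp & 0xFFFF,
                       timestamp >> 16, use, 0x1234)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

def xor_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128-ECB so this runs offline. NOT secure; use AES for real."""
    return bytes(a ^ b for a, b in zip(key, block))

class OtpValidator:
    """Checks an OTP against the key database and rejects replays by counter."""

    def __init__(self, keys, decrypt):
        self.keys = keys                 # public_id -> (secret key, private_id); assumed store
        self.decrypt = decrypt           # decrypt(secret, 16-byte ciphertext) -> plaintext
        self.last_seen = {}              # public_id -> (counter, session_use) last accepted

    def validate(self, otp: str) -> str:
        if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
            return "BAD_OTP"
        public_id, body = otp[:12], otp[12:]
        if public_id not in self.keys:
            return "UNKNOWN_KEY"
        secret, private_id = self.keys[public_id]
        try:
            tok = parse_token(self.decrypt(secret, modhex_decode(body)))
        except ValueError:
            return "BAD_OTP"
        if tok["private_id"] != private_id:
            return "BAD_OTP"
        stamp = (tok["counter"], tok["session_use"])
        if stamp <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"       # same or older counters: already used
        self.last_seen[public_id] = stamp
        return "OK"

def make_tap(secret: bytes, public_id: str, private_id: bytes, counter: int, use: int) -> bytes:
    """Constructed NDEF URI payload for one NFC tap (what the NEO would emit)."""
    cipher = xor_cipher(secret, build_token(private_id, counter, 0x0ABCDE, use))
    uri = NEO_URI + public_id + modhex_encode(cipher)
    return bytes([0x04]) + uri[len("https://"):].encode("ascii")
```

The replay check is what turns a static secret into a one-time password: a captured OTP replayed later carries the same (counter, session_use) pair and is refused, and because the counters only move forward on the key, an OTP from an earlier tap is refused too. In production the `last_seen` map must live in persistent, shared storage, and `xor_cipher` is replaced by AES-128-ECB with the secret programmed into that key.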

Yubico also named the first app to ship with the SDK: LastPass, the popular LogMeIn-owned password manager, now lets iOS users authenticate with a YubiKey NEO.

The feature is available to LastPass users on Premium, Families, Teams and Enterprise plans, and works on the iPhone 7 and later, the models whose NFC hardware Core NFC supports for tag reading. YubiKey NEO support in the Android version of LastPass has been around for some time.

In a press release, Yubico founder and CEO Stina Ehrensvard said: “It’s absolutely critical to have a hardware-based root of trust, like the YubiKey, to establish an approved relationship between a mobile phone and the apps we use.”

The hardware part matters because SMS-based authentication is weaker than many people assume (although it is still better than not using any form of two-factor authentication at all). In the well-known SIM-swap attack, an adversary takes over the victim’s phone number, so every one-time password sent by SMS is delivered to a handset the attacker controls.

This isn’t necessarily a complicated, technical process. It often involves little more than walking into a carrier’s store and social-engineering the sales assistant into issuing a new SIM card for the victim’s number. A secret that lives inside a hardware key, and that is only released by a physical tap, gives a carrier’s helpdesk nothing to hand over.
