However, that small inconvenience is not really something to be bothered by. Any hardware-based login solution will have that, and the yubikey’s fitting into something you have anyway for getting in to places (you keys) makes it very logical. What could have made it even better had been if you would have activated it using a key-like turn rather than the somewhat bland keypress that does not produce any kind of haptic feedback. But I can understand that a twisting design like that would be an order of magnitude more expensive to produce, and probably another order of magnitude less durable…

It is also striking how well this system works compared the incredibly clunky login and signing facilities used by ICA Banken. There, you have a piece of hardware which is way larger than a key, into which you slide your credit card. Then, to log into the bank and effect a payment of a bill, you do:

• Type in customer number
• Type in PIN code
• Put your card into the signing device
• Press “login”
• Copy 8 digit code from web page to device
• Type card PIN code into device
• Copy 9 digit code from device to web page
• … enter data for bills …
• Bring out the signing device again
• Insert card
• Press “sign”
• Copy 8 digit code from web page to device
• Type card PIN code into device
• Copy 9 digit code from device to web page

I really think the “sign” step adds no security in practice, and most other bank systems I use seem to agree with this: once past login, no need for additional confirmation. I think that makes sense, and that the sign stage is here more as a warm fuzzy feeling kind of thing.

If it wasn’t for the possible constraint that the ICA solution has to work on public computers where you have no access to USB ports, I think a yubikey-based solution would make all of the above so much easier. The genius of the yubikey is really that it removes the “type in numbers from hardware device” from the login steps, which really is something that there is little value to having each user do every time they effect some kind of secure operation. If all banks used a yubikey, I think the world would save many thousands of people hours that could be used to have fun, be with the family, and other more beneficial uses.

The immediate impression is that is impressively small!  Compared to a standard USB memory stick, it is significantly smaller, and most importantly, very thin. This means that they can be sent in a regular envelope in the mail, since it is about as think as some folded papers. It also helps when you put it on your key chain, I guess. I don’t know if I dare do that yet, since my pocket tends to be fairly crowded with heavy sharp keys that could well scratch the innocent little  Yubikey. Here is a picture of the key along side a Sandisk Cruzer USB memory stick:

When it is attached to a computer, the little button ring lights up. When the computer is asleep, it pulsates nicely too.

Driver installation was automatic on my Vista machine, showing up as a human-interface device with no particular characteristics. That is the very idea of the Yubikey: it is a USB keyboard as far as the computer is concerned, which is amazingly simple and clever. Here is what Vista says about it:

In use, the Yubikey is still a bit of challenge to me, for one simple reason: the button feels hard to get pressed in the right way. It seems that I have to push pretty hard and for a long time to activate, and then I want to hold the key with my other hand too so that I do not break it at the point where it is connected to the computer.

Apart from that, it is a beautiful device, and compared to the security solutions I have with my various internet-based banks, it is much easier to use. No codes to type in, no 9-digit numbers to type into online forms (that is what ICA Banken currently requires you to do, copy a nine-digit number from a security device into which you insert your bank card…).

So overall, I really like the Yubikey, and it will be interesting to see how it lasts, physically, as I start taking it with me everywhere.

Update: The Yubikey does work to have on a key chain, I have started doing that and so far it works in the sense that it does not affect the physical size of the chain much. There is also some logic to the use mode of inserting the key from the key chain into my computer to “unlock” secure functions.