Yubico has announced a new version of its popular Security Key for use in Lightning ports, the first such device to enable physical token authentication for iPhones. The device also supports a USB-C connection.
Previously, the only way to connect a security key to an iPhone was over Bluetooth, which suffered Bluetooth’s normal usability issues as well as potential security concerns around mistaken pairings. Android devices can also pair over NFC, but that functionality is impossible under iOS’s current NFC restrictions.
“The industry has ended up with Bluetooth as the best way to connect with iPhones,” said Yubico SVP of product Jerrod Chong. “We felt that wasn’t good enough. If you want users to get over the hurdle of using a security device, you have to solve that usability problem.”
Security keys are physical devices used to log in to services, either as a password replacement or a second factor. Because of the protocol used, it’s far more difficult to intercept codes in transit, making it significantly more secure than a password or even a one-time code. Yubico already offers security keys that connect over USB and NFC. As part of today’s announcement, Yubico is also releasing an NFC-enabled version of its conventional USB Key.
Yubico received approval for its Lightning key through Apple’s MFi Program just a few days prior to the announcement, but there’s still a lot of work to be done before the new key will be ready for users. Nearly every major service supports the USB and Bluetooth keys (most notably Google, Microsoft, and Facebook), but apps will need new code before they can support Lightning logins. Yubico has already released code for integrating Lightning into existing apps, but it’s hard to say how long it will take for app makers to adopt the code.
The device is currently in private preview and Yubico’s production plans are still in flux, but the company hopes to the new key will go on sale sometime in 2019. In part, the early preview is meant as a wakeup call to developers to include Lightning login capabilities in their apps.
“It’s really a call to action to services and application developers to come work with us,” Chong says. “The key doesn’t solve anything if the application doesn’t support the device.”