Hardware-based two-factor authentication has finally made its way to iOS with the release today of an SDK from Yubico that allows developers to integrate support for the YubiKey NEO into their iPhone apps.
The introduction of the software development kit means that a user will be able to log in to supported apps on her iPhones by tapping her YubiKey against her phone. The change was made possible on Apple’s side with the introduction in iOS 11 of better support for NFC communications. The newest version of iOS allows the iPhone’s NFC chip to read tags, meaning that iOS developers could then add one-time password functionality to their apps.
Until now, iPhone apps mainly relied on short codes sent through text messages as a method of two-step verification. SMS is not considered a secure channel for two-step verification or two-factor authentication, but it’s become the go-to method for many apps and services. Yubico’s SDK gives app developers a better, more secure option.
“Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, it became possible to authenticate with Yubico one-time password (Yubico OTP) with a YubiKey NEO — a feature requested by many YubiKey users. However, documentation and reference code for developers to add this support to applications was lacking and unnecessarily complicated,” Ronnie Manning of Yubico said.
Yubico already had supported this kind of authentication on Android. The integration of the hardware 2FA support with iOS is only for iPhone 7 or newer models. Given the importance of multi-factor authentication in today’s threat environment, the integration is a step forward for users and developers.
“This is a positive move in further securing mobile computing and enabling a mobile and secure workforce. In particular, it does protects against a case that same-phone 2FA can't, which means users can be more secure,” said Kyle Lady, a senior information security engineer at Duo Security.
“It does, however, require both a token and a phone that supports NFC, which doesn't apply to many users right now. Hopefully, we see the technology trickle down to less expensive consumer devices, both on the iPhone side and the hardware device side.”