|
|
|
|
|
|
by simias
2180 days ago
|
|
|
I always assumed that the relatively high price of the Yubikey had more to do with it being a relatively niche product than the cost of production, after all it's not much more than a cheap microcontroller underneath all that. Was I wrong to make this assumption? Why would FIDO tokens be significantly cheaper and/or more popular? If anything it seems like at first it's going to fragment the market even more. |
|
|
A FIDO authenticator has no modifiable state beyond maybe some sort of counter, it has a random secret key which makes it unique from its siblings, and that's it. No firmware update feature, no storage.
The crypto hardware is also simpler. FIDO was defined in terms of these nice compact elliptic curve schemes. The keys are small, the operations are simple, I'd be surprised if dedicated silicon to implement this isn't cheaper, and if you're just running it on a cheap microcontroller I'd be surprised if you can't get away with a cheaper microcontroller than you would need to implement RSA encryption and whatever else a Yubikey can do.
Finally in terms of volume, it makes sense to give all your 5000 staff a FIDO key. "Go to the enrollment page we built by this Friday. Enrol your FIDO key. Call the help desk if you have problems. From next Monday these are mandatory". You can lock down common corporate web SSO solutions with it for example, outfits like Duo will let you just check one box and you can now answer "Yes" to pages of questions your CISO is supposed to fill out every year.
It doesn't make sense to give out 5000 traditional Yubikeys. A dozen to a dev team for PIV? Maybe. But the lady who does 2.5 days per week in the accounts department? She doesn't need PIV. She can use a FIDO key to sign into the accounts web app though.