There are a lot of articles going around the blogosphere today about Google "Declaring War on the Password", showing pictures of a YubiKey.
While I am a fan and proponent of improved trustworthiness of authentication, especially with using 2-factor protocols like HOTP and TOTP and devices like the YubiKey, I am curious as to what all the hubbub is about today.
What keeps Google Authenticator and YubiKey from easily working together right now is the fact that Google uses TOTP and YubiKey implements HOTP. They are almost the same protocol, with one important difference: TOTP is time based. That's what the T stands for. Every fixed interval (usually 30 seconds) a TOTP token generates a new password, which means the token needs to know what time it is, which means it needs a clock. An HOTP device like a YubiKey, by contrast, just needs to keep a counter, and generates a new password every time its button is pressed.
So the Google and Yubi partnership means one of three things.
- Google is going to support HOTP on the Google Two Factor Login service, or
- Google and YubiCo have figured out how to put an extremely low power clock and extremely small battery into a new version of the YubiKey, or
- Google and YubiCo have written a USB device driver that speaks to the YubiKey when it's plugged in and tells it what time it is to generate the correct password (which means that driver needs to be installed on every Windows/Linux/MacOS/ChromeOS device you want to use the token on).