NFC token for Android smartphones
The YubiKey Neo hardware token represents an interesting new concept for one-time passwords on NFC-capable Android smartphones. Rather than requiring the user to type them in, the token uses the near field communication (NFC) standard to send generated one-time passwords to a smartphone. To unlock items such as the password safe application LastPass, the user simply brushes the YubiKey key fob token across the back of the phone after logging in.
The token can be configured to open a chosen URL after NFC contact, with the one-time password appended as a parameter. No special software needs to be installed: the key fob uses a feature known as Android Beam, which was added to the mobile operating system in Ice Cream Sandwich. Apps can also register themselves as handlers for the URL opened by the YubiKey, meaning that they will be launched automatically following contact with the token.
Depending on the implementation, generated one-time passwords can be used directly as passwords at login or can be queried in addition to a fixed password (two-factor authentication). In the latter case, the account is still protected even if the login credentials fall into the wrong hands, as access to the token is required to generate the one-time password required for login.
In addition to the NFC interface, the YubiKey Neo also has a USB connector, allowing it to pass itself off as a keyboard on a PC. No driver installation is required by the user. Pressing the button on the token causes it to send the one-time password to the computer as keyboard input. The password is generated using an AES-128-based procedure developed by the company behind the device. More information can be found in the documentation, on page 31 onwards.
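The following is an added example, not Yubico's code and not part of the original article: a server-side handler for the two-factor login described above, which takes the one-time password from the URL the token opens. It assumes the query parameter is named `otp`, the default 44-character modhex OTP layout (a 12-character public ID followed by one 16-byte AES-128 block), and a hypothetical `verify_block` callable standing in for the AES check, which needs the token's secret key.

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

MODHEX = "cbdefghijklnrtuv"   # modhex: hex digits remapped to layout-safe letters
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
OTP_LEN, ID_LEN = 44, 12      # assumed default: 12-char public ID + 32-char block


def parse_otp_url(url, param="otp"):
    """Return (public_id, encrypted_block) from the URL opened by the token.

    The parameter name "otp" is an assumption; use whatever the token is
    configured to append.
    """
    values = parse_qs(urlparse(url).query).get(param, [])
    if len(values) != 1:
        raise ValueError("expected exactly one OTP parameter")
    otp = values[0].lower()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a well-formed OTP")
    block = bytes.fromhex(otp[ID_LEN:].translate(TO_HEX))  # one AES-128 block
    return otp[:ID_LEN], block


class TwoFactorLogin:
    """Fixed password plus token OTP: both factors must pass."""

    def __init__(self, accounts, verify_block):
        self.accounts = accounts          # user -> (salt, pw_hash, enrolled public ID)
        self.verify_block = verify_block  # hypothetical: callable(public_id, block) -> bool
        self.seen = set()                 # encrypted blocks that were already accepted

    def login(self, user, password, url):
        if user not in self.accounts:
            return False
        salt, pw_hash, enrolled_id = self.accounts[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        try:
            public_id, block = parse_otp_url(url)
        except ValueError:
            return False
        ok = (hmac.compare_digest(candidate, pw_hash)           # factor 1: password
              and hmac.compare_digest(public_id, enrolled_id)   # token bound to this user
              and block not in self.seen                        # reject a replayed OTP
              and self.verify_block(public_id, block))          # factor 2: AES check
        if ok:
            self.seen.add(block)
        return ok
```

The replay set only catches an OTP string that was already accepted; the ordering of OTPs from the same token is something the AES check behind `verify_block` has to enforce after decryption.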
The company behind the device, Yubico, is currently selling a pre-production version of its NFC-capable token aimed at developers for $50. Production of the final consumer version should start in the fourth quarter of this year.