If you work in web development, chances are you’ve heard about a nifty little device called “Yubikey” that is becoming widely adopted as a simple and secure form of two-factor authentication.

Yubikeys (pictured above) are small hardware devices that can be inserted into your computer’s USB port, or touched to the back of a NFC device, and generate securely random one-time passwords that can be used as a second factor in authentication schemes.

Today, we’re going to take a look at how you can support two-factor authentication in your Node.js and Express.js web applications using Stormpath and Yubikey.

First Off: Why Yubikey for Two-Factor Authentication?

If you’re building a security-sensitive application, and want to ensure your end users are who they say they are — allowing your users to authenticate with a Yubikey device after logging in with their email address and password is a great way to ensure an extra level of security.

Yubikey devices generate securely-random passwords that are identifiable to each hardware key. This means that when a user authenticates with a Yubikey, you know they’re logging in with a strong, random password, that is 100% guaranteed to have been generated by the specific hardware key this user has previously registered with you.

Secondly, Yubikey secrets are never stored anywhere by any vendor. This means that, unlike SMS, for instance, there is significantly less risk for third parties to exploit two-factor authentication when a Yubikey is used.

Next, Yubikey devices are EASY for end users to use:

They are cheap (about $40 at the time of writing).

They require no software or drivers — you just insert it into your computer’s USB port.

They cannot be “hacked” by malicious software. To authenticate with a Yubikey device, the user must PHYSICALLY touch the small button on the Yubikey device. This ensures malicious software won’t “automatically” attempt to authenticate a user against their wishes.

On top of all the above, Yubikey devices comply with all the popular security standards for devices like this, and are used at lots of larger companies: Google, Facebook, Dropbox, etc.

To check out (or buy) Yubikey devices, visit their hardware page: https://www.yubico.com/products/yubikey-hardware/.

Next Up: Why Stormpath for User Management?

Storing user accounts securely is another pain point in modern web applications. There’s a lot of complexity in modeling out user schemas, group and role schemas, and making things work with existing authentication and authorization technologies like OAuth2, Basic Auth, Social Login providers, etc.

Stormpath makes storing user accounts, handling permissions and roles, and also integrating with other authentication technologies really simple and secure.

Also: the Stormpath Express.js library is amazing! And I’m not just saying that because I wrote it — cough cough. =)

Sign up for a free Stormpath account.

Getting Started with Yubikey Two-Factor Authentication

To get started, you’ll need to have a Yubikey device, as well as a Stormpath account. Assuming you have those two things ready to go, let’s clone the example project and get going!

git clone https://github.com/rdegges/express-sample-yubikey-tfa.git 1 2 git clone https : //github.com/rdegges/express-sample-yubikey-tfa.git

Next, go into the new project folder you just cloned from Github, and take a look around.

This is a full Express.js web application that shows how two-factor authentication works with Stormpath and Yubikey.

To run the example project, you’ll need to do a few things.

First, you’ll want to install all of the Node dependencies:

npm install 1 2 npm install

Secondly, you’ll want to go get a Yubikey developer API key (no sign up necessary) — just visit this page: https://upgrade.yubico.com/getapikey/

Once you’ve gotten a Yubikey API key, you’ll need to put those credentials into environment variables so the Node project can use them later on:

export YUBIKEY_CLIENT_ID=xxx export YUBIKEY_CLIENT_SECRET=xxx 1 2 3 export YUBIKEY_CLIENT_ID = xxx export YUBIKEY_CLIENT_SECRET = xxx

Finally, you’ll need to generate a Stormpath API key (once you log into Stormpath, you can generate an API key by clicking the big API key button), as well as create a Stormpath Application on the Applications Page.

You’ll then need to set some Stormpath environment variables so the Node app knows how to talk to Stormpath:

export STORMPATH_CLIENT_APIKEY_ID=xxx export STORMPATH_CLIENT_APIKEY_SECRET=xxx export STORMPATH_APPLICATION_HREF=https://api.stormpath.com/v1/applications/xxx 1 2 3 4 export STORMPATH_CLIENT_APIKEY_ID = xxx export STORMPATH_CLIENT_APIKEY_SECRET = xxx export STORMPATH_APPLICATION_HREF = https : //api.stormpath.com/v1/applications/xxx

NOTE: The Stormpath Application href will be visible to you once you create an Application on the Stormpath Applications page above.

Finally, you should be able to run the example project — just navigate to http://localhost:3000 in your browser to get started.

Go through the registration and login workflow. You should see something like this:

Cool, right?!

How Yubikey Two-Factor Authentication Works with Stormpath

Here’s how user registration works:

When a new user registers for your site, they will have a Stormpath Account created.

Next, the new user will be forced to register a Yubikey device with their account as a second authentication factor. This process makes the user insert their Yubikey into their computer, and tap the button.

Once the Yubikey has been successfully registered with the user’s Stormpath Account, they will be allowed into the website.

Here’s how user login works:

When a user logs into your site, they’ll be prompted for their email address and password.

Once this information has been validated, the user will be prompted to insert their Yubikey device and tap the button to verify themselves.

Once the user has been verified via Yubikey, they will be allowed into the website.

As you can see, there’s a two step process. The user must have a normal user account as well as a registered Yubikey device.

Behind the scenes, when a user registers their Yubikey device after there account has been created, we’ll do two things:

We’ll verify that the Yubikey device is legitimate.

We’ll grab the Yubikey’s unique User ID, and store it in the user’s Stormpath Account. This way we know in the future that when a user authenticates, that they are authenticating with the CORRECT Yubikey device. Each Yubikey has a unique ID associated with it.

When a user logs in, a similar process occurs: we verify the Yubikey password, then ensure that the Yubikey ID is the one we previously stored in the user’s Stormpath Account. Only then do we allow the user to log in.

To explore the code, and see how this works in detail, be sure to check out the project’s Github repository!

Secure Two-Factor Authentication with Node.js and Yubikey

Adding secure two-factor authentication to your site doesn’t have to be hard. Not only is the Yubikey device really easy to pair with any existing authentication systems, but it also gives your users a really secure way to prove their identity easily.

If you’re looking to build a secure site, I’d highly recommend checking out both Yubikey and Stormpath.

Got any questions? Drop a comment below. If you’d like to learn more about the Stormpath Express.js library, check out the articles below: