2-factor authentication using Yubi®-type keys


Jeber


One thing about computer technology; no matter how long you've been around, something new will always come along to make you feel like you don't understand a thing.

 

I'm all in favor of 2-factor authentication. I've long appreciated the weakness of passwords. But after a recent incident involving a very popular password manager service, which I've used for over a decade and won't name because nothing that happened was their fault, I realized that there are serious shortcomings in relying on 2-factor authentication that uses codes sent to you via text message or codes generated with a generator stored on your mobile device.

 

The only fool-proof method of 2-factor authentication available at the moment is to use a physical key, sold under brand names like Yubi® keys and easily available from Amazon or, now, Google. You still use a username and password on each site you want to make extra secure but you also need a physical key that, by USB, WiFi, Bluetooth or NFC, "unlocks" that site and allows access. Anyone else without your key but in possession of your username and password wouldn't be able to log in to the site.

 

Now that comprises just about everything I understand about these keys. Despite owning a set of USB and WiFi keys, I know little about actually using them. If just owning them made me more secure, I'd be all set. Unfortunately...

 

My primary question is: are these keys used the same way a password manager is? In other words, can my credentials from multiple sites be stored on them? Every explanation I've seen in print or video relates to using them to secure a single, usually Google, account. But can I use a single key to access any site that lets me use one for 2-factor authentication? Another way to ask the same question: is the key assigned to me as an individual, or is it assigned to the site I first use it on? If I register it as a device to allow me access to my bank, does it erase the credentials that allow me to access my Gmail, or will it authenticate me on any site where I've registered it as me? I can't imagine the developers expect us to carry a key for each service we want to use one for, but there are a lot of things I can't imagine that turn out to be the case.


securitybreach

So the Yubikeys are only used to generate the 2-factor passcode, not to store the passwords. I use Bitwarden as my password manager, but LastPass works as well. Both of these encrypt your passwords locally before they are sent to them, and they both support Yubikey natively. So you keep the encryption key (Yubikey plus your master password).

 

BTW I have used yubikey for the last 8 years now and keep the key on my person at all times (wallet).

 

Also, you can set up Yubikey to act as a 2FA on your computer as well using PAM.


I'm hoping to get all things like this written down before senility finally claims me. :blink:

 

So basically, the key is providing a code similar to that generated by the Google/Microsoft/LastPass authenticator? That makes sense. So I can "register" it on any site that allows that form of 2-FA?


securitybreach

I'm hoping to get all things like this written down before senility finally claims me. :blink:

 

So basically, the key is providing a code similar to that generated by the Google/Microsoft/LastPass authenticator? That makes sense. So I can "register" it on any site that allows that form of 2-FA?

 

Correct! The difference is that this is a physical key, so someone would have to take the key from you and then know the master password to your password manager to get into your accounts.

 

I prefer to use the diceware method to generate very secure master passwords for my vault, preferably a 5-6 word phrase including spaces. You just need a pair of dice and the diceware word list. 5 words taken from a list of over 7,000 words, all chosen by randomly rolling dice.

 

Like someone would have to take my wallet out of my pocket to get the key and then would have to beat me until I gave up my master password to get access to my vault of passwords... Good luck with that B)


But a recent incident involving a very popular password manager service, which I've used for over a decade and won't name because nothing that happened was their fault,
It may not have been their fault, but that does not mean password managers cannot be flawed. See Severe vulnerabilities uncovered in popular password managers.

 

There is no such thing as a fool-proof method - emphasis on "fool". What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night? "Hide" it under your keyboard? Or in a drawer in your computer desk?

 

People often totally neglect "physical" security when they think of computer security.

 

What happens if a bad guy breaks into your home and steals your computer? Granted, most likely 99% of those thefts are by someone looking for drug money and they are just looking to sell the hardware. But savvy bad guys know the big money is in your data. The smart bad guy will sit at your desk and search everything within arm's length of your computer chair looking for your sticky note with your passwords (or the master password to your manager). They will grab not just your computer but your backup drives and any USB drive, including USB passkeys, within reach.

 

My biggest problem is I'm not glued to my cell phone. So getting a text message with a temporary 2FA passcode is not convenient for me. That leaves email. And while most of the time these days, those emails come in almost immediately, sometimes they are not so quick. And I know of a couple sites that only use 2FA with text messaging - no email option. So 2FA adds yet another layer of inconvenience. :(

 

I still think biometrics is the way to go - but it has a way to go to become "fool" proof too.

 

And of course, what good is your password and 2FA if "fools" at your bank, Equifax, Facebook, Amazon, Yahoo, etc. fail to apply patches in a timely manner? Or store your passwords and credit card information in the clear (not encrypted)? Or otherwise fail to properly secure their networks with your personal data on it? :rant: :rant: :angry2: :angry2: :rant: :rant:

 

I think the only fool proof... err... fool resistant solution is to apply mitigation logic. That is, assume the sites you access WILL be hacked! And with that in mind use strong passwords or better yet, strong passphrases and never, as in NEVER EVER use the same password (or phrase) on more than one site.


securitybreach

Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try. Most people would have no clue what a flat USB drive in my wallet is for. If my wallet is stolen, I can easily switch to another key.

 

And also, none of that matters as they still cannot get my master password.


Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try.
Of course! The user is, was, and always will be the weakest link in security. So we must still do our part. And IMO, that means using a password manager. Don't write down the password to your password manager. Use strong passwords, and use unique passwords for every account.

 

And also, none of that matters as they still cannot get my master password.
And that's great, as long as that password is not your dog's name, or your kid's birthday or something your whizkid neighbor or nephew could easily guess.

securitybreach
Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try.
Of course! The user is, was, and always will be the weakest link in security. So we must still do our part. And IMO, that means using a password manager. Don't write down the password to your password manager. Use strong passwords, and use unique passwords for every account.

 

And also, none of that matters as they still cannot get my master password.
And that's great, as long as that password is not your dog's name, or your kid's birthday or something your whizkid neighbor or nephew could easily guess.

 

Like I mentioned above, I use the diceware method with 5 words including spaces generated by this method.


What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night? "Hide" it under your keyboard? Or in a drawer in your computer desk?
What happens if the key breaks? What happens if the USB ports stop working? I've seen posts of both problems on forums. They were not YUBI keys but USB sticks that the user desperately needed to get data from.

 

Do you buy 2 keys and have everything on each key so if 1 breaks, you'll still be able to get into the site?


securitybreach
What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night? "Hide" it under your keyboard? Or in a drawer in your computer desk?
What happens if the key breaks? What happens if the USB ports stop working? I've seen posts of both problems on forums. They were not YUBI keys but USB sticks that the user desperately needed to get data from.

 

Do you buy 2 keys and have everything on each key so if 1 breaks, you'll still be able to get into the site?

 

They are not writeable like most USB sticks, so they do not get corrupted. I've had one in my wallet for many years and it hasn't broken. If you lost or broke one, you simply register a new one with each site. There is always a backup set of codes for 2FA devices and your password manager.


What happens if the USB ports stop working?
That's a good point. There are lots of reports of USB ports not recognizing devices when they get plugged in.

 

They are not writeable like most USB sticks, so they do not get corrupted.
I don't think the problem would be with the key itself (as long as not lost). But again, the USB ports on the computer.

 

I personally would not be worried about permanently getting locked out of any site due to a lost or broken key.


  • 2 years later...

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World


 

Quote

 

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 comprises two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are required to achieve a passwordless experience for login. The earlier FIDO U2F protocol working with external authenticators is now renamed to CTAP1 in the WebAuthn specifications.

With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

 

 

😎

