2-factor authentication using Yubi®-type keys

Tags: 2-factor, security, yubi key

14 replies to this topic

#1 Jeber (Still Version 1.0 beta; Forum Moderators; 4,639 posts)

Posted 23 February 2019 - 03:48 PM

One thing about computer technology; no matter how long you've been around, something new will always come along to make you feel like you don't understand a thing.

I'm all in favor of 2-factor authentication. I've long appreciated the weakness of passwords. But after a recent incident involving a very popular password manager service, which I've used for over a decade and won't name because nothing that happened was their fault, I realized that there are serious shortcomings to relying on 2-factor authentication that uses codes sent to you via text message or codes generated with a generator stored on your mobile device.

The only fool-proof method of 2-factor authentication available at the moment is to use a physical key, sold under brand names like Yubi® keys and easily available from Amazon or, now, Google. You still use a username and password on each site you want to make extra secure but you also need a physical key that, by USB, WiFi, Bluetooth or NFC, "unlocks" that site and allows access. Anyone else without your key but in possession of your username and password wouldn't be able to log in to the site.

Now that comprises just about everything I understand about these keys. Despite owning a set of USB and WiFi keys, I know little about actually using them. If just owning them made me more secure, I'd be all set. Unfortunately...

My primary question is; Are these keys used the same way a password manager is? In other words, can my credentials from multiple sites be stored on them? Every explanation I've seen in print or video relates to using them to secure a single, usually Google, account. But can I use a single key to access any site that lets me use one for 2-factor authentication? Another way to ask the same question, is the key assigned to me as an individual or is it assigned to the site I first use it on? If I register it as a device to allow me access to my bank does it erase the credentials that allow me to access my Gmail, or will it authenticate me on any site where I've registered it as me? I can't imagine the developers expect us to carry a key for each service we want to use one for, but there are a lot of things I can't imagine that turn out to be the case.
He was a dreamer, a thinker, a speculative philosopher, an idiot
(Douglas Adams)

#2 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 03:51 PM

So the yubi keys are only used to generate the 2 factor passcode, not to store the passwords. I use Bitwarden as my password manager but Lastpass works as well. Both of these encrypt your passwords locally before they are sent to them and they both support yubikey natively. So you keep the encryption key (yubikey plus your master password).

BTW I have used yubikey for the last 8 years now and keep the key on my person at all times (wallet).

Also, you can set up Yubikey to act as a 2FA on your computer as well using PAM.
Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

#3 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 03:58 PM

https://www.yubico.c.../catalog/linux/

#4 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 04:06 PM

I just reread your post... Like I mentioned above, you use the yubikey in conjunction with the password manager of your choice.

#5 Jeber (Still Version 1.0 beta; Forum Moderators; 4,639 posts)

Posted 23 February 2019 - 04:10 PM

I'm hoping to get all things like this written down before senility finally claims me. :blink:

So basically, the key is providing a code similar to that generated by the Google/Microsoft/LastPass authenticator? That makes sense. So I can "register" it on any site that allows that form of 2-FA?

#6 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 04:14 PM

Jeber, on 23 February 2019 - 04:10 PM, said:

I'm hoping to get all things like this written down before senility finally claims me. :blink:

So basically, the key is providing a code similar to that generated by the Google/Microsoft/LastPass authenticator? That makes sense. So I can "register" it on any site that allows that form of 2-FA?

Correct! The difference is that this is a physical key, so someone would have to take the key from you and then know the master password to your password manager to access your accounts.

I prefer to use the diceware method to generate very secure master passwords for my vault, preferably a 5-6 word phrase including spaces. You just need a pair of dice and the diceware word list. 5 words taken from a list of over 7,000 words, all chosen by randomly rolling dice.

Like, someone would have to take my wallet out of my pocket to get the key and then would have to beat me until I gave up my master password to get access to my vault of passwords... Good luck with that B)
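As an added example that is not code from any post in this thread or from Yubico, the exchange below models why one key can be registered at any number of sites without one registration displacing another: the key holds a single device secret and derives a separate credential for each site from that secret plus a random key handle that the site stores, so the site, not the key, keeps the per-site state. The origin names, the username and the challenge are constructed; Ed25519 stands in for the ECDSA P-256 that U2F keys actually use, and the HMAC derivation is an assumption standing in for the vendor's key-wrapping scheme. It also shows the two checks a site must make that no SMS or authenticator-app code gives you: the signed data carries the origin the key really talked to, so an assertion captured on a lookalike domain fails at the genuine site, and the signature counter must move forward, which catches replays and cloned keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// SecurityKey models a U2F/FIDO2-style key: one device secret that never leaves it, a
// signature counter, and no per-site state. Assumption: HMAC stands in for vendor key wrapping.
type SecurityKey struct {
	deviceSecret []byte
	counter      uint32
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewSecurityKey() *SecurityKey { return &SecurityKey{deviceSecret: randomBytes(32)} }

// credentialKey binds the origin into the derivation, so a handle issued for one origin
// yields a different, useless key on any other origin. Fixed-length fields avoid ambiguity.
func (k *SecurityKey) credentialKey(origin string, handle []byte) ed25519.PrivateKey {
	oh := sha256.Sum256([]byte(origin))
	mac := hmac.New(sha256.New, k.deviceSecret)
	mac.Write(append(oh[:], handle...))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte HMAC output as the seed
}

// Register issues a fresh random handle plus the public key for this origin.
func (k *SecurityKey) Register(origin string) ([]byte, ed25519.PublicKey) {
	handle := randomBytes(32)
	return handle, k.credentialKey(origin, handle).Public().(ed25519.PublicKey)
}

// signedData covers the origin the key was really used on, the counter and the challenge.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(h[:], ctr[:]...), challenge...)
}

// Authenticate signs for whatever origin the browser reports and returns the bumped counter.
func (k *SecurityKey) Authenticate(origin string, handle, challenge []byte) (uint32, []byte) {
	k.counter++
	return k.counter, ed25519.Sign(k.credentialKey(origin, handle), signedData(origin, k.counter, challenge))
}

// Credential is all a site keeps per user: handle, public key, last counter seen.
type Credential struct {
	Handle  []byte
	Pub     ed25519.PublicKey
	Counter uint32
}

// RelyingParty is one web site, identified by its origin; Creds is keyed by username.
type RelyingParty struct {
	Origin string
	Creds  map[string]*Credential
}

func (rp *RelyingParty) Enroll(user string, key *SecurityKey) {
	if rp.Creds == nil {
		rp.Creds = map[string]*Credential{}
	}
	h, pub := key.Register(rp.Origin)
	rp.Creds[user] = &Credential{Handle: h, Pub: pub}
}

// Verify checks against the site's own origin, never one the client claims, and
// rejects a counter that did not advance (a replay, or a cloned key used elsewhere).
func (rp *RelyingParty) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	c := rp.Creds[user]
	switch {
	case c == nil:
		return errors.New("unknown user")
	case !ed25519.Verify(c.Pub, signedData(rp.Origin, counter, challenge), sig):
		return errors.New("bad signature: wrong key or wrong origin")
	case counter <= c.Counter:
		return errors.New("counter did not advance: replay or cloned key")
	}
	c.Counter = counter
	return nil
}
```

Drive it from a `_test.go` file or a small `main`: enroll the same `SecurityKey` at `https://bank.example` and `https://mail.example`, authenticate at each, and both succeed; an assertion the key produced for `https://bank-example.net` fails the bank's `Verify` because both the derived key and the signed data carry the wrong origin, and handing the bank the same assertion twice fails on the counter. Losing the key means re-enrolling a new one at each site, exactly as the thread says, because nothing about the sites was ever on the key.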

#7 Digerati (Message Mogul; Members; 277 posts)

Posted 23 February 2019 - 04:27 PM

Quote

But a recent incident involving a very popular password manager service, which I've used for over a decade and won't name because nothing that happened was their fault,
It may not have been their fault, but that does not mean password managers cannot be flawed. See Severe vulnerabilities uncovered in popular password managers.

There is no such thing as a fool-proof method - emphasis on "fool". What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night?  "Hide" it under your keyboard? Or in a drawer in your computer desk?

People often totally neglect "physical" security when they think of computer security.

What happens if a bad guy breaks into your home and steals your computer? Granted, most likely 99% of those thefts are by someone looking for drug money and they are just looking to sell the hardware. But savvy bad guys know the big money is in your data. The smart bad guy will sit at your desk and search everything within arm's length of your computer chair looking for your sticky note with your passwords (or the master password to your manager). They will grab not just your computer but your backup drives and any USB drive, including USB passkeys, within reach.

My biggest problem is I'm not glued to my cell phone. So getting a text message with a temporary 2FA passcode is not convenient for me. That leaves email. And while most of the time these days, those emails come in almost immediately, sometimes they are not so quick. And I know of a couple sites that only used 2FA with text messaging - no email option. So 2FA adds yet another layer of inconvenience. :(

I still think biometrics is the way to go - but it has a way to go to become "fool" proof too.

And of course, what good is your password and 2FA if "fools" at your bank, Equifax, Facebook, Amazon, Yahoo, etc. fail to apply patches in a timely manner? Or store your passwords and credit card information in the clear (not encrypted)? Or otherwise fail to properly secure their networks with your personal data on it? :rant: :rant: :angry2: :angry2: :rant: :rant:

I think the only fool proof... err... fool resistant solution is to apply mitigation logic. That is, assume the sites you access WILL be hacked! And with that in mind use strong passwords or better yet, strong passphrases and never, as in NEVER EVER use the same password (or phrase) on more than one site.
Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018

Heat is the bane of all electronics!

#8 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 04:32 PM

Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try. Most people would have no clue what a flat USB drive in my wallet is for. If my wallet is stolen, I can easily switch to another key.

And also, none of that matters as they still cannot get my master password.

#9 Digerati (Message Mogul; Members; 277 posts)

Posted 23 February 2019 - 04:40 PM

Quote

Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try.
Of course! The user is, was, and always will be the weakest link in security. So we must still do our part. And IMO, that means using a password manager. Don't write down the password to your password manager. Use strong passwords, and use unique passwords for every account.

Quote

And also, none of that matters as they still cannot get my master password.
And that's great, as long as that password is not your dog's name, or your kid's birthday or something your whizkid neighbor or nephew could easily guess.

#10 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 04:43 PM

Digerati, on 23 February 2019 - 04:40 PM, said:

Quote

Yeah but that does not mean that you give up on trying to be secure. Clearly nothing is fool proof but that doesn't mean that you do not try.
Of course! The user is, was, and always will be the weakest link in security. So we must still do our part. And IMO, that means using a password manager. Don't write down the password to your password manager. Use strong passwords, and use unique passwords for every account.

Quote

And also, none of that matters as they still cannot get my master password.
And that's great, as long as that password is not your dog's name, or your kid's birthday or something your whizkid neighbor or nephew could easily guess.

Like I mentioned above, I use the diceware method with 5 words including spaces generated by this method.
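The diceware procedure described in posts #6 and #10 above, as an added example that is not from the original thread or from the Diceware project: five rolls of a six-sided die form a base-6 key into a 7776-word list, and the passphrase's strength is log2(7776) per word, about 12.9 bits, so the thread's 5 words come to roughly 64.6 bits no matter which words come up. The real word list is not embedded; PlaceholderList is a constructed stand-in with the same size and key structure.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// A Diceware list has 6^5 = 7776 entries, one for each five-roll key from "11111" to "66666".
const (
	diceSides    = 6
	rollsPerWord = 5
	ListSize     = 7776
)

// rollDie returns 1..6 from the OS CSPRNG; physical dice are the offline equivalent.
func rollDie() int {
	n, err := rand.Int(rand.Reader, big.NewInt(diceSides))
	if err != nil {
		panic(err)
	}
	return int(n.Int64()) + 1
}

// RollKey makes five rolls and returns the lookup key, e.g. "34521".
func RollKey() string {
	var sb strings.Builder
	for i := 0; i < rollsPerWord; i++ {
		sb.WriteByte(byte('0' + rollDie()))
	}
	return sb.String()
}

// KeyToIndex maps a key of five digits 1..6 onto 0..7775 (the key is a base-6 number).
func KeyToIndex(key string) (int, error) {
	if len(key) != rollsPerWord {
		return 0, fmt.Errorf("key %q: want %d digits", key, rollsPerWord)
	}
	idx := 0
	for _, c := range key {
		if c < '1' || c > '6' {
			return 0, fmt.Errorf("key %q: %q is not a die face", key, c)
		}
		idx = idx*diceSides + int(c-'1')
	}
	return idx, nil
}

// IndexToKey is the inverse of KeyToIndex (0 -> "11111", 7775 -> "66666").
func IndexToKey(idx int) string {
	b := make([]byte, rollsPerWord)
	for i := rollsPerWord - 1; i >= 0; i-- {
		b[i] = byte('1' + idx%diceSides)
		idx /= diceSides
	}
	return string(b)
}

// EntropyBits is log2(listSize^words): what an attacker who knows the method and
// the list still has to search. Spaces between words add nothing to this figure.
func EntropyBits(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// Passphrase draws n words from a full 7776-entry list and joins them with spaces.
func Passphrase(n int, list []string) (string, error) {
	if len(list) != ListSize {
		return "", fmt.Errorf("list has %d entries, want %d", len(list), ListSize)
	}
	words := make([]string, n)
	for i := range words {
		idx, err := KeyToIndex(RollKey())
		if err != nil {
			return "", err
		}
		words[i] = list[idx]
	}
	return strings.Join(words, " "), nil
}

// PlaceholderList is a constructed stand-in for the real list, which is not embedded
// here: entry i is "w" plus its five-digit key, so the lookup structure is exact.
func PlaceholderList() []string {
	list := make([]string, ListSize)
	for i := range list {
		list[i] = "w" + IndexToKey(i)
	}
	return list
}

func main() {
	p, err := Passphrase(5, PlaceholderList())
	fmt.Println(p, err)
	fmt.Printf("5 words: %.1f bits; 8 random printable ASCII chars: %.1f bits\n", EntropyBits(5, ListSize), 8*math.Log2(95))
}
```

Replace PlaceholderList with the EFF or original Diceware list read from disk; the key-to-index mapping is the same for both. The entropy figure is the honest one to compare against: 5 words at 64.6 bits beat 8 fully random printable characters (52.6 bits), and a 6th word adds another 12.9.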

#11 Digerati (Message Mogul; Members; 277 posts)

Posted 23 February 2019 - 04:55 PM

I agree. Phrases are more secure.

#12 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 23 February 2019 - 04:56 PM

Indeed :thumbsup:

#13 zlim (It's me, plodr; Forum MVP; 7,220 posts)

Posted 24 February 2019 - 02:58 PM

Quote

What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night?  "Hide" it under your keyboard? Or in a drawer in your computer desk?
What happens if the key breaks? What happens if the USB ports stop working? I've seen posts of both problems on forums. They were not YUBI keys but USB sticks that the user desperately needed to get data from.

Do you buy 2 keys and have everything on each key so if 1 breaks, you'll still be able to get into the site?
Liz
Registered Linux User # 401459

#14 securitybreach (CLI Phreak; Forum Admins; 24,580 posts)

Posted 24 February 2019 - 03:02 PM

zlim, on 24 February 2019 - 02:58 PM, said:

Quote

What do you do with this physical key when you take your family out to dinner or go to bed? Take it with you everywhere you go? Put it under your pillow at night?  "Hide" it under your keyboard? Or in a drawer in your computer desk?
What happens if the key breaks? What happens if the USB ports stop working? I've seen posts of both problems on forums. They were not YUBI keys but USB sticks that the user desperately needed to get data from.

Do you buy 2 keys and have everything on each key so if 1 breaks, you'll still be able to get into the site?

They are not writeable like most USB sticks, so they do not get corrupted. I've had one in my wallet for many years and it hasn't broken. If you lost or broke one, you simply register a new one with each site. There is always a backup set of codes for 2FA devices and your password manager.

#15 Digerati (Message Mogul; Members; 277 posts)

Posted 24 February 2019 - 03:30 PM

Quote

What happens if the USB ports stop working?
That's a good point. There are lots of reports of USB ports not recognizing devices when they get plugged in.

Quote

They are not writeable like most USB sticks, so they do not get corrupted.
I don't think the problem would be with the key itself (as long as not lost). But again, the USB ports on the computer.

I personally would not be worried about permanently getting locked out of any site due to a lost or broken key.
