For a noob like me, I am thinking to get a Yubikey. What will happen if I lose my Yubikey? Am I essentially out of luck assuming the admins can’t reset my password or associated yubikey device?
How do I prevent such scenario from happening? Is there truly a fool proof way of hardware authentication?
Buy 3 keys. Register all of them to your account.
Then register all of them to your spouses account too.
Put one on your keychain. Put one on your spouses keychain. Put one in a safe place.
By enrolling my spouse and cross registering all keys, both of us are safe. We might loose our keychain, but we will always find each other, even when we are traveling.
This works for Google and GitHub, but not every service allows for multiple keys. But this should be a no-brainer imho.
That's all well and good, but a few weeks later I have another service I'm going to sign up for... I have to... first go to my safe deposit box to grab my third key? If I don't, then seems like it's a lot of bookkeeping.
Needless to say, I don't use these devices on my home depot account. I use them for Google, Github, Dropbox, I don't actually remember anything else. My DNS registrar doesn't support it :P
I also don't use my personal key for work stuff and recovering my work key is my sysadmins problem :)
That said, when I had admin accounts at work, we used TOTP with a similar scheme: when we registered important (admin) accounts we shared the second factor (the QR code) between 2 people and sometimes I printed the QR code itself. This works for AWS, gsuite, github, etc. I still receive calls from old colleges for TOTP codes occasionally :)
I actually just changed my DNS registrar to namecheap specifically because it supports U2F. I figure my domain is too important to risk losing because I use my domain for email.
You don't need to make it as elaborate as 'safe deposit box' or 'implanted into spouse' and most accounts that matter have other ways of recovery, e.g. an app-based authenticator, one-time recovery codes (a recovery code is something you might want to stick in a safe deposit box). You can just get, say, three hw keys, put one on a keychain another somewhere on your desk and a third in a drawer somewhere.
This is vulnerable to a house fire/other natural disaster. In general, I recommend having at least one thing offsite - whether that’s in a security deposit box, with a trusted friend or family member, in your desk at the office, or whatever.
The tech exists. My neighbor works for a company that does encoding of data on packaging. Goal is that every cereal box on the grocery aisle can be individually tracked.
No, it does not mean that. At least in my experience, every service where I have multiple YubiKeys registered still requires my username and password. Without those, someone who stole the YubiKey would not be able to login to my accounts.
So, the "something you have" element of security is to primarily avoid remote compromise. And even make local compromise require an additional theft step.
If the hacker gets your key, and your password it's game over.
But hacking the password will take some time hopefully, and systems usually have retry limits etc. so if you discover your lost key, you hopefully have some time to revoke the lost key.
I personally would not use it for password-less login, as it is only good as a second factor.
If your threat model includes any real likelihood of people capable of stealing your keys and cracking your passwords, then 2FA is only a small part of the opsec you need.
Yubikey still acts as a second factor, so for the average person's threat model this should be fine provided you use strong, unique passwords for your accounts (i.e. a password manager). 1Password supports U2F as a second factor to access your account, but you still need to know your secret key and master password; you cannot decrypt your vault with only a hardware token.
They need my password too, so they’ll have to have cracked my 1Password account as well. My third key is indeed in a safe, but it’s not special in any way.
I've been troubled by that question too. Especially since I've heard people complain about sites that only allow registering one key. But TacticalCoder just said something really interesting in another part of this conversation:
> you can use the Ledger Nano S with your "seed" (say a 256-bit secret, stored as 24 words you hide), to log in sites using U2F.
> Additionally as long as you've got your secret, you can reinitialize your Nano S (or another one) as a new U2F device and there's no need to reset your U2F credentials on the site as the newly initialized device shall work exactly as if it was the old one.
If I read that right, some keys rather than having a hardcoded unique seed, will let you set your own. Which implies you can have multiple functionally-identical backup keys locked up securely somewhere. If true, that significantly reduces key loss anxiety, and increases my interest in hardware MFA.
Anyone know which keys support this (aside from the mentioned Nano S and Trezor)? What's the magic keyword to look for in specs?
> If I read that right, some keys rather than having a hardcoded unique seed, will let you set your own.
Set your own or generate one for you, using an hardware CSPRNG, and then let you write it down in a convenient way (24 words out of a dictionary of 2048 words, so 264 bits: 256 bits of entropy plus 8 bits of checksum. Heck, you can use 12 or 18 words too. I think the (BIP39 / BIP44) standard even allows for 15 words but Ledger does only support lists of 12/18 and 24 words although don't quote me on that).
> Which implies you can have multiple functionally-identical backup keys locked up securely somewhere.
I don't even bother having multiple devices ready to use. I simply store the seed (once again: as a list of 12/18 or 24 words) on a sheet of paper and I store this in vaults/safes.
> Anyone know which keys support this (aside from the mentioned Nano S and Trezor)? What's the magic keyword to look for in specs?
I've got a Ledger Nano S only for this. It's really a nice little device. I don't work for Ledger btw! They're a bit pricey but, indeed, the anxiety of getting locked out of your account or having through crazy procedures goes away.
It's a pricey little device but not that crazy expensive: about 60 USD I think.
> What's the magic keyword to look for in specs?
I don't know but the U2F "nano app" does work with Google and other sites and I know that Ledger is working on the more recent Webauthn support.
You can tell the device you want a new random secret (so now your existing credentials don't work), but you can't get the secret out (obviously bad guys would use that, so it would be a terrible idea) neither can you set the current one to an explicit value.
Evidently the way I wrote this previously wasn't clear enough, so I have attempted to improve this text.
No, you can have a random new value (effectively like you bought a different one), but you won't learn what that is, so it doesn't help you and there's no way to "keep the secret hidden somewhere" except in the sense that it's hidden inside the device where it belongs.
When you enable 2FA with security keys you have 2 options, let's call them the easy and the strong.
The easy. Add both a security key and OTP (e.g. Google Authenticator). You have 1 rule to strictly adhere: if you click on a link, you MUST use the security key, because that's the one that protects you against phishing. When you don't have your security key, you can just use OTP provided that you typed the url and not clicked on it from email/text.
The strong. You enable 2+ security keys. You keep one in a safe at home. You always use a security key to sign in. On your Google account you can also enable Advanced Protection, that's essentially this plus some extra restrictions to API access.
For anyone reading this and considering Advance protection, know that it causes a ton of problems with google home and other applications. I made the mistake of setting up google home with my primary google account. Which is necessary to get YouTube premium / YouTube music / YouTube TV (all associated with that account), plus all of my smart home devices that have been set up with that account over time. So when you flip on google advance protection, all of that breaks.
It’ll be a weekend project to convert over all of my smart home devices and automation away from my primary email account and transition it to a home media account. Then I will turn on google advance protection. Advance protection also puts a delay on logging into the system if you are locked out / some extra restrictions.
Until then I’m just using the key but not advanced protection. If I were starting fresh (a new smart home / google services), I’d make an email just for that and use my original address (a clean name with no numbers from 2004) strictly for mail / financial passwords / high priority accounts. The divide that I would do is smart home / subscription services used by the family gets the lower security one, everything else is high security.
I’d be interested to hear how others deal with this problem.
0. This mostly matters for the accounts that need to be particularly secure (eg email, maybe GitHub or Facebook or Twitter depending on how much you care about them). Also accounts for money if they offer this kind of security.
1. Set up a yubikey. Try to only ever use the yubikey for logging in.
2. Set up some account recovery codes, print them out, put them in a safe place (ie somewhere that you don’t live or work, though you could probably also keep copies there. If you have a folder of personal and account information ready in case you die unexpectedly, put it there too)
3. Set up Google Authenticator on an iPhone so you can get in if you don’t have access to your keys. You should treat these more like the recovery codes than the yubikey—be very careful about entering the name of the website and checking the certificate because they won’t protect you from phishing.
> Also accounts for money if they offer this kind of security
This is something that astonishes me. So many financial institutions still have:
- (low) max length limits on passwords
- restrictions like no special chars in passwords, or exactly this many numbers etc
- over reliance on a pin where a password would be more suitable
- no 2fa, or at best SMS based 2fa
- ridiculous security questions as if someone's favourite colour etc is drawn from a large pool of values
As a developer I can guess that most of these restrictions are probably stemmed from a mountain of tech debt, but I would've expected this to be a priority for such companies. It makes me wonder if they are bound to follow some outdated regulations or something preventing them from doing better
This is not a bad question, but it is one that keeps getting asked on this topic. I really think standards like WebAuthn should more explicitly provide an appendix about account recovery, even if that is out of scope of the technical standard.
As others have pointed out, account recovery should always be provided in some form. A common way seems to be the use of a one-time password that can be used to regain access.
What I'd really like is a clear best practice for this for developers to implement though. It doesn't help if your authentication method is strong when the recovery option has glaring security holes in it. It now looks like every site that uses WebAuthn just rolls its own recovery solution.
I've settled on OnlyKey (https://crp.to) because it's OSS and you can back it up and restore. Backup can be GPG encrypted.
24 slots, programmable to store URL, U/N, P/W, 2FA, with the ability to click the address bar in a browser, hit a key on the OnlyKey and watch as it types it all in without any other interaction.
It stores MANY types of auth.
Not affiliated, but a very happy user.
It's a device you'll learn more about as you use it, but YubiKey functionality is achieved in a couple of minutes.
I'm not sure I come away from that discussion with less confidence.
The dev managed to answer everything put to them with alacrity.
The question of code quality was of no consequence as even ugly code can work, and it's got more eyes on it than closed source.
In my threat theatre this device is far more than adequate for securing GitHub, GOOG, and a couple of GPG/ssh keys.
Should I ever becaome a spy, I'll probably revert to speaking to strangers about how red sparrows fly at certain times of day again.
A hardware key is a resilient tool which can be taken out of the house, safe in the knowledge that no one can crack it open and get the keys inside.
You can have other forms of authentication — PostIts with backup OAUTH codes, console passwords, root password etc — but those have to stay at home in the vault because a piece of paper in the outside world is too dangerous to lose.
You want both. You’ll lose your hardware keys eventually.
You're out of luck, modulo extra keys and a recovery mechanism.
Most services let you register multiple devices. I typically use a Yubikey nano and a regular Yubikey. Then I have a backup on my keyring, but don't have to get it out every time. With WebAuthn becoming more popular, you can also use things like Windows Hello, Face ID, etc. Generally, I try to register all of those methods, and then if one device fails, I still have plenty of backups. But, some services don't let you register multiple devices (AWS comes to mind). In that case, you'll have to make sure you have a backup recovery method. (And those recovery methods obviously reduce the security of your account, SMS is notoriously weak.)
For services where no admin can get your access back, like most websites, a 3rd factor should be a compulsory part of 2FA. There's a balance between keeping hackers out and keeping yourself out. The more factors you require, the more optional factors you should also require users to have, not just optional codes but "you must write these codes down, we'll check later to make sure you did" or something like that.
not just optional codes but "you must write these codes down, we'll check later to make sure you did" or something like that.
...which people will still not do, or misplace/erase due to disuse, etc.
Security and availability are always at odds with each other. The question that you should always have when choosing a level of security is "does the risk of denying everyone access --- including myself --- outweigh the risk of someone other than myself gaining access?"
Isn't minimising the "I lost them/forgot where I put them" scenario the point of checking you still have them (not just asking - checking eg by saying "enter one of the codes")? That way, if you don't have them, you can print a new set of backup codes while you still have your "normal" second factor to hand.
Yes, you do need a backup way of getting in. Some websites will let you print out some one-time-use codes that you can store in a strongbox. (This is cheaper than buying two Yubikeys.)
You could also get 2 Yubikeys, but might be out of luck if the website doesn't support that.
(Also, some Android phones can act as a hardware key.)
I use YubiKeys for just about everything, the easiest solution is to simply have multiple keys. I have 3 total, gathering them all together once a year to renew the gpg key isn't a real issue and after the initial setup I don't find myself enrolling new services regularly.
How do I prevent such scenario from happening? Is there truly a fool proof way of hardware authentication?