Every year or so I try to figure out if a 2fa device practically has sufficient support that using it would improve my security. The answer has always been no.
No 2fa device has sufficient support that it could increase the security of my 1password account, which I use on Linux and Android. No 2fa device has sufficient support that it could be used to unlock the lockscreen of any of my devices either.
Edit: There is a way to use a Yubikey to decrypt Linux full-disk encryption. It relies on an abandoned personal GitHub project. Sounds fun, but not sufficiently secure it's worth spending more than $100 to allegedly improve my security with it.
Your phrasing is odd. 2FA devices do not support websites. Websites support 2FA options. The problem isn't 2FA devices, but services not supporting 2FA. U2F/FIDO are standard at this point and many tech-related services support them; certainly, effectively all 2FA devices support them.
2FA is redundant for unlocking physical devices. Access to the device itself is already a second factor.
The point of 2FA is that someone MUST physically take something from you to gain access, which greatly limits attack vectors. If you use 2FA properly, the only thing you need to worry about for account security is whether you still have your 2FA key on you.
Yes, but not for anything where keeping the SSH private key more secure than my AWS/DigitalOcean credentials would be useful. And I store those credentials in 1Password, which doesn't have a sufficiently mature integration with Yubikey on Linux or Android.
I've found the Yubikey to be an incredibly easy way to do 2FA. I use a usb-c nano version and it pretty much never leaves my mac (and the mac never leaves me). I've found it faster to do 2FA on a large number of tech websites. Just touch the key and you're done.
I know 1Password can fill TOTP for you, but I like having my security spread across 1Password and Yubikey. In the unlikely event 1Password gets compromised they still need physical access to my computer.
I don't log onto the mac with Yubikey and it has full-disk encryption turned on, so I'm pretty happy with the attack surface.
Both yubikeys are configured to enter the same impossible to memorize password on a press to unlock 1Password, hid mode is supported by every device with a USB ports.
I also use them as an otp second factor when a site requires it.
Finally, they are configured with a x509 certificate that I use as my ssh keys. I generate one key per devices that way the secret never leaves it and I require a pin to unlock the key. For convenience, I use an ssh agent to cache the pin
I could also use them for pgp signature and encryption but I have no use case for that.
How do you configure Yubikey to enter password for unlocking 1password? Is this a Yubikey feature or 1password feature? Does this also work with mobile devices (phones)?
That is the hid mode parent is mentionning.
With ykman you can configure the Yubikey to simulate being a USB keyboard (Human Interface Device) and then "type" a static password. The default setting is to type a Yubico specific OTP that can be checked by calling an API. The issue with the static password is that anybody getting near the yubikey with a device having a USB port can steal the password in seconds.
And any accidental button-press while in a chat-app or website will leak your password. I've seen many yubikey otp's accidentally pasted into irc, if you set it to password, you just posted that. I'd never recommend using that mode.
Not sure if this answers your question, but you can use a Yubikey for FIDO2 on iOS with any iOS device with a USB port, or use the camera connection kit to make one on a Lightning port device.
Source: I was curious, so I used a camera connection kit to login to Okta with a Yubikey as my MFA last month.
This is definitely true but honestly I'd love more websites to switch everything around and use a password for the optional second factor.
Many messenger apps already do something like this (using your phone numbers as a first factor and using an optional password for account protection) and IMO the login flow is much easier for services that I don't care about.
Let me register and login with WebAuthn alone and I'll be very happy. You can even use the same logic you're already using for password resets, just re-enroll the FIDO key when someone clicks "I can't log in" and proces access to their email account. Immune to credential stuffing and many other digital attacks that can happen from the other side of the world while you're asleep!
Not quite. A second factor would allow me to reduce the complexity of my password while retaining the same level of security.
Without that the only benefit of a Yubikey over a strong password saved in a password manager is phishing protection, which I'm not willing to pay that amount of money for.
If you believe yourself essentially immune to phishing and password leakage, I don't think that you are very likely to be convinced that you should buy a Yubikey.
The place where they shine is when you have already acknowledged that you want (or have been forced by your employer to use) 2FA.
> Malware on a device where I'm logged into the service can use that authenticated session to access all the things I want protected.
Any well-secured service should protect critical actions with 2fa. “oh, are you sure you want to transfer all your funds? Please re-authenticate first”
So if your device is compromised, the attacker could trick you into entering 2FA for some minor action while it actually is transferring all your funds.
If your PC or smartphone is compromised nothing will prevent you from losing control of your accounts.
Yes, that is what I was trying to point out. With Yubikey or other 2FA devices you can not see the transaction details of what are you signing unless the device has a screen so a screenless device does not protect much more than this virtual yubikey.
Sure: Enough support so that my life becomes sufficiently easier or more secure to be worth the cost.
I know that's a bit wishy-washy, but for example I think I could replace my memorized 1password password with something longer if I never had to enter it from memory, which would only be the case if I could use the Yubikey on all my devices.
I use a yubikey with x509 cert and PIN for local auth to my Mac, and I use it for FIDO2 MFA everywhere that supports it, which includes my email account. That makes my email credentials radically more resistant to phishing, which is huge given that email is part of the recovery story for every other account.
If those aren’t enough, I guess yubikeys aren’t the right call for your threat model, which is fine.
I'd love to have that setup. The only problem is insufficiently mature support for the devices I use, Linux and Android. As I mentioned in an edit Yubikey local auth on Linux relies on a personal GitHub project abandoned years ago.
Bah, everything the GP described works perfectly in Linux. Yubikey local auth isn't just one Yubikey specific project. The Yubikey implements a fuckload of open protocols, the vast majority of which work perfectly in Linux.
Want local authentication? pam_u2f, pam_gpg, pam_x509 are all maintained.
The other person who replied to this seems to have gotten up on the wrong side of the bed, but the core of their suggestion is one I’d likewise recommend. I’m doing the yubikey local auth using the yubikey’s PIV applet, which holds standard x509 certs that can be used via pkcs11.
Mobile access is one of the reasons I hope a near term next gen iPhone has USB-C support directly. The lightning / usbc yubikey dongle is just too unwieldy in my experience.
You can use Yubikeys(most of them, the cheapest ones don't have that feature IIRC) as smartcards in addition to other features.
You can use smartcard in linux as both GPG key, and SSH key (via GPG SSH agent).
Which means leaking your private key for SSH is essentially impossible, as key can be generated on device which means it never leaves it, even if your machine gets compromised
I love the Yubikey even if it only locks down a few important accounts. For me, that's Google Accounts and Microsoft Accounts. These are the accounts I worry about this most because they are linked to so many other things.
I wish 1Password offered a high security, security key ONLY mode.
The thing that trips me up is the ability to make backups in the event it is lost/stolen. Seemingly not all services allow registering an additional key, and even if they do, the practicalities of juggling redundant fobs would be cumbersome.
> Seemingly not all services allow registering an additional key
I’ve only ever encountered that braindead design with AWS, every other place allows multiple keys.
And I can’t say I find multiple keys cumbersome, it’s simply the same procedure again: Click add, insert key and tap the button. Just twice instead of once.
Specifically, I want a backup key off-site. Anytime I enroll a new service, I need to retrieve my backup key from storage for the purposes of enrolling. Depending on how/where the backup is stored (bank box, parent's house across the country, etc) that would make the system less workable in practice.
I use it to store my gpg keys among other use-cases. The key provides a permanence and isolation. I can't accidentally delete it without trying and the button needs to be pressed to access the key. I like these trait.
I think a huge benefit of 2fa, one of the main purposes of it, was for securing accounts with weak passwords. Back in the days before password managers etc. I think these days password managers actually deprecate the need for 2fa
Multiple layers are always better. If your computer or browser is compromised, then your password manager's secrets have been pwned, but with 2FA your accounts are still safe (assuming the 2FA is on a separate device, which it really should be)
There's also non-tech users to consider. It's pretty hard to convince users to use a password manager; plenty of people still re-use the same password across sites. It's impossible to prevent that. But it is possible to enforce 2FA for _your_ site.
Your first example is interesting, but it's much more limited than you describe. The attacker can't use your credentials to authenticate their own session, but they have complete control over the authenticated session on your laptop. I can't think of an account I have where that would be meaningfully less bad.
The attacker has access to all of your authenticated sessions on your compromised laptop. They don't have access to any un-authenticated accounts which have 2FA enabled.
Passwords are an antipattern. Password managers are just a crutch to make it less painful.
Password recovery is often done through the phone via SMS (health care/banking) when a 2FA hardware key would be safer. And since you're implementing 2FA, just remove the password, and ask the user to use the 2FA key.
I think my favorite example of using SMS in the least sane way possible is PayPal.
I have a hardware key AND an authenticator app active for the account, but they STILL won't let me send transactions without entering a code sent to my phone number. And actually, not even then, because even though I receive the code fine, they say they can't authenticate me and don't give me a chance to enter it. Yes, it's a VOIP number, but it's been the same VOIP number for the 10 years I've had the account. It's not like it's new.
I needed to recover my user account / password through Voya recently for a corporate 401k.
They needed to send me 3(!) SMS messages in the process. One to get the username (with a valid email address). One more to request to change the password. And one more to actually change the password.
Every now and then you hear about a leak at some company that was storing passwords in clear text. Thanks to password managers this only affects that one site, but it still makes me thankful for 2FA.
I don't understand the threat model there. Wouldn't nearly all hacks that lead to plain text passwords also allow the hacker to access all the login-protected data, making a more secure login process pointless?
Every year or so I try to figure out if a 2fa device practically has sufficient support that using it would improve my security. The answer has always been no.
No 2fa device has sufficient support that it could increase the security of my 1password account, which I use on Linux and Android. No 2fa device has sufficient support that it could be used to unlock the lockscreen of any of my devices either.
Edit: There is a way to use a Yubikey to decrypt Linux full-disk encryption. It relies on an abandoned personal GitHub project. Sounds fun, but not sufficiently secure it's worth spending more than $100 to allegedly improve my security with it.