I got a new Yubikey 4 - Are you interested in staying secure online?

techwg

Flashlight Enthusiast
Joined
May 4, 2007
Messages
1,268
Location
United Kingdom
https://www.youtube.com/watch?v=0sPBr8Yt6pU

This video covers my thoughts on the new Yubikey 4, what it's used for, what I use it for, why I like it etc.

Basically its main purpose is two-factor authentication, but there are quite a few uses for these new ones. You may find it interesting if you are unaware of these little USB thumb-drive-looking things.
 

terjee

Enlightened
Joined
Jul 24, 2016
Messages
729
Location
Bergen, Norway
I'm a huge fan of these.
A single key can hold keys for both PGP and SSH (smart card-style, so no extraction of the private key), and still be used for two-factor authentication with FIDO U2F (Google, Dropbox, GitHub and so on, I think also Facebook now?).

FIDO U2F is a bit special in that it works with the browser (Chrome, Opera and soon Firefox) and links the 2FA check to the domain used in the browser, providing extra security against phishing as well.
 

terjee

Enlightened
Joined
Jul 24, 2016
Messages
729
Location
Bergen, Norway
And what would happen if anyone steals that key? And that "anyone" has physical access to your terminal...

With most of the services Yubikeys are used with, it's used with FIDO U2F, which is a second factor authentication, not the whole authentication.

You can compare it to RSA tokens that spit out random-looking 6 or 8 digit numbers that change over time, and you use it together with a password.

Compared to that though, the Yubikey is using stronger cryptography, and you can use a single key with multiple services, without the different services knowing it's the same token. It's also stronger in that it signs specifically for the site you're at, providing significant protection against phishing.

Now, you're right that theft would be an issue, but no more with the Yubikey than an RSA token, and theft of the token alone gets you nowhere.

It's arguably somewhat safer from theft, because by using the same token with multiple services, you'd be a lot more likely to notice if the token went missing.

For things like SSH and PGP keys, you have password protection, including an attempt-counter, so the token can wipe itself if too many incorrect attempts are made.

If an attacker has physical access to the terminal, and sufficient skills and resources, I'd be f*ed no matter what, and that's a bit outside the scope that the Yubikey tries to solve. :)

There's an old cliché that "security isn't a product", but it holds true, and it very much applies here. You can't just buy a yubikey and be secure, but you can use it to significantly upgrade some of the authentication-specific parts of a larger security plan for example.
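A constructed Python model of the two U2F properties explained in the posts above (one key per site so services cannot link the same token, and a signature bound to the browser origin that defeats a phishing relay). This is an added example, not code from anyone in the thread or from Yubico; real U2F uses ECDSA P-256 and gives the site a public key, whereas here an HMAC key shared at registration stands in, and the origins are made-up values.

```python
import hashlib, hmac, json, secrets

# Constructed model of the U2F properties described above: one key per site,
# derived inside the token, and a signature bound to the browser origin.
# Real U2F uses ECDSA P-256 and gives the site a public key; an HMAC key
# shared at registration stands in here so the script needs only the stdlib.

def _signed_msg(app_id: str, client_data: bytes) -> bytes:
    return hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()

class Token:
    def __init__(self):
        self.device_secret = secrets.token_bytes(32)  # never leaves the token
    def site_key(self, app_id: str) -> bytes:
        # Derived per site, so two services cannot tell they share one token.
        return hmac.new(self.device_secret, app_id.encode(), hashlib.sha256).digest()
    def sign(self, app_id: str, client_data: bytes) -> bytes:
        return hmac.new(self.site_key(app_id), _signed_msg(app_id, client_data), hashlib.sha256).digest()

def browser_assert(token: Token, loaded_origin: str, challenge: str):
    # The browser only lets a page use its own origin and records that origin
    # in the client data it asks the token to sign.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": loaded_origin}).encode()
    return client_data, token.sign(loaded_origin, client_data)

class RelyingParty:
    def __init__(self, app_id: str):
        self.app_id, self.keys = app_id, {}  # app_id is the site's own origin
    def register(self, user: str, token: Token) -> None:
        self.keys[user] = token.site_key(self.app_id)
    def verify(self, user: str, challenge: str, client_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        # Origin binding: an assertion obtained on a look-alike domain names that
        # domain as its origin, so relaying it here fails.
        if cd.get("origin") != self.app_id or cd.get("challenge") != challenge:
            return False
        expected = hmac.new(self.keys[user], _signed_msg(self.app_id, client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def demo() -> dict:
    token, site = Token(), RelyingParty("https://example.com")  # constructed origins
    site.register("alice", token)
    challenge = secrets.token_urlsafe(32)
    legit = site.verify("alice", challenge, *browser_assert(token, "https://example.com", challenge))
    # Phishing relay: the user is on examp1e.com; the attacker forwards the answer to example.com.
    relayed = site.verify("alice", challenge, *browser_assert(token, "https://examp1e.com", challenge))
    other = RelyingParty("https://example.org")
    other.register("alice", token)
    return {"legit": legit, "phished": relayed,
            "unlinkable": site.keys["alice"] != other.keys["alice"]}
```

Running `demo()` shows the genuine login verifying, the relayed assertion rejected on its origin, and two sites holding different keys for the same token.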
 

terjee

Enlightened
Joined
Jul 24, 2016
Messages
729
Location
Bergen, Norway
Well, the next question would be: how do USB keys fit in an environment where USB ports are disabled? :)

If the port is simply disabled (disconnected for example), then I imagine the Yubikey would still fit physically just fine. :p

On a more serious note, if that's a huge concern - physical access to the machine by attackers - then you do have bigger problems.

I'm not arguing for Yubikeys as an end to all problems, but it's an interesting and significant upgrade for a lot of people and use cases. The majority of people don't disable their USB-ports for example.
 

techwg

Flashlight Enthusiast
Joined
May 4, 2007
Messages
1,268
Location
United Kingdom
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

They are truly fantastic. I have now bought a Neo, which is their NFC-enabled model. Now I can get my time-based one-time codes (think Google Authenticator app) built into the Yubikeys, and now I can use the Yubico Authenticator app to easily interface with my Yubikey Neo and get my TOTP (one-time passwords) without the actual secret data that is needed to generate them actually being on the phone itself, which could easily get compromised.

You are right, I think Facebook now supports U2F, but as I trust Facebook and its owner about as much as I do a thief in the night, I could not tell you anything further as I won't have a Facebook account. There is such a thing as "too" social and people come out of the woodwork on that site.

They really have been well designed with strong security in mind. While U2F itself has no secondary protection, in and of itself (the physical Yubikey is all you need), the point is that it is merely a second factor, meaning they still need your password as well. So you can log in with backup methods and revoke your stolen Yubikeys and replace them if desired.

For example, (now that I have set it up already) it is super easy for me to sign a message, by typing my message, copying it, clicking the Kleopatra program and telling it to sign the keyboard, then entering my Yubikey PGP PIN code, which is between 6 and 8 characters long, and it is authenticated and signs the contents as you will see by the time I have finished typing. Super easy, super secure.


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
 

schuster

Newly Enlightened
Joined
Apr 10, 2001
Messages
151
Location
New Jersey
https://www.youtube.com/watch?v=0sPBr8Yt6pU

This video covers my thoughts on the new Yubikey 4, what it's used for, what I use it for, why I like it etc.

Basically its main purpose is two-factor authentication, but there are quite a few uses for these new ones. You may find it interesting if you are unaware of these little USB thumb-drive-looking things.

I have the special-edition Verisign-programmed Yubikey which I got to use with the peculiar 2FA that eBay/PayPal implemented. Because third-party merchants use web links to PayPal as a payment processor, this is fraught with problems and rarely works correctly except on eBay itself. They have since de-emphasized physical tokens and are advocating SMS [ugh].

Recently got a USB/NFC-enabled token when I discovered that my employer's email allows U2F in addition to the usual callback, SMS, and one-time codes. It's a shame that so few services that need 2FA (banks, etc) rarely implement it. For web browsing it would also be nice if there were more choices in U2F-enabled browsers (currently only Chrome and Opera).
 

terjee

Enlightened
Joined
Jul 24, 2016
Messages
729
Location
Bergen, Norway
Recently got a USB/NFC-enabled token when I discovered that my employer's email allows U2F in addition to the usual callback, SMS, and one-time codes. It's a shame that so few services that need 2FA (banks, etc) rarely implement it. For web browsing it would also be nice if there were more choices in U2F-enabled browsers (currently only Chrome and Opera).

It's getting there in Firefox as well, it's basically in testing now.

I really like the FIDO U2F standard, allowing for single use, unlimited sites and unlimited accounts at those, without cross-reference, and with built-in anti-phishing. They got a lot of stuff right.
 