Using a YubiKey for Multi-Factor Authentication

I assume that we all know that multi-factor authentication (MFA) or 2-factor authentication (2FA) is a good thing. This concept has been trending from being really inconvenient, to not as bad, recently. This is the concept of you using “something you know”, like your username and password, and “something you have”, like a mobile phone, to offer some second form of authentication. This is significant because if a hacker learns of the “something you know”, then your account is breached.

If the hacker gets a hold of “something you know”, and then needs to fly to your country, track you down, and steal your phone to get the “something you have” – then it’s significantly more difficult.

Simply by turning on MFA, it makes your accounts significantly more difficult to break into.

To make things easier:

Use this site to see how to enable 2FA for ALL of the websites and services you use:
https://www.turnon2fa.com/

If you are not familiar, here is a round-up of the various MFA options, as of this writing.

2FA SMS:

This is what most companies support, at the least. However, this is also the worst option. Attackers, especially in a dense urban environment, can bring up a “femtocell” station that can intercept and take over your phone number. For example https://www.youtube.com/watch?v=1DJQPMRdZ_I:

If you are a high-profile person, then you might have a team of people who might use this inexpensive technology to target you. They only need to be in your proximity.

However if you are just a regular person, your accounts might get caught up dragnet that a hacker group is running. They would be doing sweeps of apartment buildings, for identities for example.

So, having 2FA which uses SMS is better than nothing, but it’s far from fool-proof.

2FA “Google Authenticator”:

The next better option is to set up a 2FA code in the Google Authenticator app, which you can download for iOS or Android. People refer to this as Google Authenticator because they were the first ones to put out an app, but most major vendors have a similar app, which produce the same codes. In other words, there is a common algorithm to generate the proper codes, and you can use whichever front-end application you want, to generate those codes. For example, there is a Microsoft Authenticator app too, for iOS and Android.

The idea here is that you log into your account on website or service and in with your Account Settings, you Enable 2FA. It gives you a QR code that you take a picture of with your Authenticator app. That gives your authenticator app the seed value, so that it will know how to generate a matching, random number, constantly in sync with this website or service.

image

From that point forward, whenever you log in to your account, you use your username, password, and then are prompted for the code on your Authenticator app, for that service. It typically generates a new “random” 6-digit number ever :30 seconds.

The good and bad part is what if you don’t have your phone with you? Well, you can fall-back to it sending you an SMS or sending you an e-mail to login. So, this “super secure” way of logging in, is easily bypassed by would-be attackers. The upside is that you can’t be locked out of your own account, if you lose your phone.

Fingerprint Login (single factor auth):

I’m just mentioning this here while we’re talking about MFA, but fingerprint readers are kind of LESS secure. This is logging in with only “something you have”, your fingerprint, but does not require “something you know”, like a password. In fact, the YubiKey is kind of in the same category. It can be used in a single-factor, but it’s a pretty good one because it’s something that is on your person. Anyhow – back to fingerprint readers…

For mobile – most mid to high tier phones have a built-in fingerprint reader. This is both great for convenience, but not ideal for security. Think about everything you have on your phone. Think about all of the ACCESS you have your phone. You have logins set up for every thing you do. Now, if you are mugged, the thief can have you unlock your phone. Also, if arrested, the police can unlock your phone, against your will, and then turn off your lock screen. Now, these other people have unfettered access to all of the access you had from your phone. Picture for example, if you have your web browser “save passwords” for websites too. People that aren’t you – would then have access to basically your entire digital life.

I am not necessarily saying not to use the fingerprint reader on your phone. I think it depends on where you live and what kind of physical dangers you might face. But either way, think about all of this ahead of time – just be aware of it. The last place you want to be is sitting on your couch after you’ve been mugged, trying to remember all the apps you had installed, and all of the things this thief now has access to.

On mobile, if your OS supports it, I do recommend using a “pattern” to unlock, and make it complicated.

e-An-example-of-unlock-pattern

For macOS – this is easy, I can’t find any fingerprint reader that works on macOS, so it’s not an issue!

For Windows – I’ve used many fingerprint readers over the years. In present day, this slide style reader:

image

or this kind, which you just push your finger against:

image

they both work very well, and they are both around $30 USD. You can use these to log into Windows. Search in settings for “Set up fingerprint sign-in”.

YubiKey NEO:

With all of that covered, what is a YubiKey? Well, it’s form of MFA that does a few things:

  • In Windows, you can plug it into a USB port to log in. (e.g. “something you have” ONLY). This can be useful in a public kiosk PC, or perhaps for a childs computer. When the key is in, you are logged. When you pull the key out and lock the screen, you can’t get back in. This allows physical access to a computer without exchanging any passwords.
  • It’s an MFA code generator. When you press the “button” on the USB device, it generates a code in a format like this: “cccccchvvudnjrgrgkvhilbhbvrihblegdvrfjjnjdgr”.
  • It acts as a 2nd form of authentication to your mobile phone, via NFC.

This particular one, with the NFC is a little pricey at $50, but the non-NFC ones are around $20-$30:

Adding in LastPass:

But to me, the real magic is when it’s also coupled with LastPass, which is a password manager that really seems to have done it right. I was opposed to password managers for a long time because, they were basically unsecured honeypots – they couldn’t be trusted. But LastPass seems to have done a great job of doing the whole thing right. You encrypt your database on your device with your “Master Password” and the database is stored, encrypted, with LastPass. So, LastPass has zero-knowledge/no access to your encrypted data. Similar to a hacker, they would need to figure our your master password to break into your database.

One thing that LastPass does offer, is the ability to use a YubiKey. Even better, once configured, the YubiKey NEO in particular, has Near Field Communication (NFC), which means that you can, if you follow along:

  1. You log into your phone with a fingerprint or ideally a complex pattern.
  2. You go to use something that requires a password, so LastPass prompts you for your password.
  3. LastPass is setup for YubiKey (or pattern, or fingerprint), so you are then prompted to bump your YubiKey against your phone (so that NFC can communicate)

And then you are logged in. You can also specify what the default MFA option should be too:

image

If you don’t already use LastPass, I do highly recommend it, you can go to www.lastpass.com or if you were so-inclined, I do have an affiliate link:

https://lastpass.com/f?49438682

It really is an amazing tool for having extremely strong passwords, stored and auto-filled in your Windows browser and on your phone. So, you basically only need to worry about one, “Master” password. All of the other words can be super-secure passwords, that you don’t even need to know or keep track of, like “Bxf#5K24Gr7v%#g#” (LastPass has a “generate password” option, which is where I got that).

Bottom Line:

So, do you need a YubiKey? Not necessarily – it’s just an option. We have been moving into an era where a lot of “hacking” type things are done automatically, by pre-built programs, and hacking has now becomes a legitimate, state-sponsored activity too. This means that “hacking” is significantly easier and much more accessible to the masses than it’s ever been. This means that even every-day people can be targets.

To me though, it really comes down to: if you can have significantly better security, and if it’s not a pain to use, then why not? If something is secure, but it’s a big inconvenience, then that’s no good. But these 2FA and MFA options are getting easier and easier, and are much more consumer-friendly. You don’t necessarily need to be a computer geek to get them going.

At the very least – turn on 2FA for every-single-service that you use. That means banks, credit cards, facebook, twitter, amazon, etc – no exceptions. Then, to make it less onerous in some cases, consider other MFA options like fingerprint readers and YubiKeys.

The idea is that there are enough of these options out there where you can build your security model, for what makes sense for you and your family.

I hope some of this helps, but if you have thoughts on MFA, please leave a comment below!

Posted in Computers and Internet, Infrastructure, Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 9 other followers

%d bloggers like this: