> I don’t see any use case or security benefits by using the static password feature. Even if you enter a password manually and concatenate it with the password of the Yubikey, a keylogger still gets both parts (assumption: You don’t reuse passwords).
If keylogger is what you're defending from, yes, it doesn't help. And in this scenario you've probably already lost.
On the other hand, it makes a large portion of the password immune to video-recording you typing the password in. Yes, it's technically trivial to then steal your Yubikey, extract the static password and combine it with the recorded one, but these are still quite some extra steps.
My point is, if a particular service or application doesn't support anything more refined, using a static password as a pepper[0] is perfectly fine and still an improvement over not doing so.
The static password feature would actually be perfect with a few small alterations.
I use Apple's Advanced Data Protection product. This product gives you a 64-character code you must know. I am probably not capable of committing this code to memory.
I wish I could tell my Yubikey this code, and it would save it.
---
Now, as a US citizen, it is very hard for the government to compel me to disclose a password or a pin code. If the static password feature required a simple password (say 6 characters), with reasonable brute force prevention, it'd make it so that I have a way to protect myself. On the other hand, if it is not pin protected, there is nothing preventing the government from getting a search warrant for the Yubikey itself and using that.
Reminder: Yubico doesn't have a monopoly on security keys. Make sure your software/tutorials support the open-source alternatives like OnlyKey and NitroKey.
Mullvad VPN has announced that their sister company "Tillitis"[1] is working on a really interesting key and it looks like it's releasing pretty soon (2023-03-23).
From the website:
>The TKey™ is a new kind of USB security key inspired by measured boot and DICE.
>TKey™s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky forend-users.
>TKey™ is and always will be open source hardware and software. Schematics, PCB design and FPGA design source as well as all software source code can be found on GitHub.
[1]: https://www.tillitis.se/ -- also "tillit" is Swedish for "trust" and "mullvad" is Swedish for "mole" (the animal).
so far, Yubikeys are the only ones I've found that support both FIDO2 / WebAuthn as well as GPG smart card functionality for use with pass(1).
they also support ed25519 FIDO SSH keys, whereas all the cheapo FIDO keys I've tested only support ecdsa-nistp256, but that's a relatively minor difference.
Nitrokey 3 claims that GPG smart card support is planned in an upcoming firmware update. once that's released I may bite the bullet on shipping costs and order one. 55€ shipping to the US for a 49€ key is cost-prohibitive for the most part.
> Nitrokey 3 claims that GPG smart card support is planned in an upcoming firmware update. once that's released I may bite the bullet on shipping costs and order one. 55€ shipping to the US for a 49€ key is cost-prohibitive for the most part.
They have been claiming many things. I pre-ordered a Nitrokey 1.5 years ago, still haven't received it, and apparently during this time they have not implemented much.
If you get a smartcard, you can install https://github.com/BryanJacobs/FIDO2Applet on it to make it into a FIDO2 authenticator. You can install a GPG and a PIV applet too.
A Yubikey is just a proprietary smartcard with a bunch of apps installed and some HID emulation (pretending to be a keyboard, which you likely do not want).
I think the keyboard aspect was wanted back when smart card readers and extra software drivers were needed, but there are USB "smart cards" now and operating system support is solid.
Hardware wallet authentication is really one of the 'web3' technologies that just works and we could be deploying everywhere right now. It's miles better than yubikey spitting out a static password, has plugins for every major browser and mobile device platform, can do identity verification without specific site account setup, and of course the whole pile of (optional) web3 things with crypto.
Counterpoint: it’s miles worse than FIDO/WebAuthn, which most hard keys and modern OSes support. Asking users to install a browser plugin is a disaster waiting to happen for most users. Phishing of cryptocurrency hardware wallets happens all the time, but it is impossible to phish a Passkey. The reason a browser plugin is required is because these devices are made to transact on a blockchain, rather than open APIs intended for domain authentication.
Cryptocurrency wallets are horrible for normal security features that do not involve blockchains.
I think the fact that cryptocurrency wallets with millions of dollars still exist and are protected by these wallets is evidence that security is manageable. Proof is in the pudding.
Yeah, file-based keys managing millions of dollars exist in the crypto space too. “Manageable” does not mean “good”. The real pudding is this: hardware wallet users fall prey to phishing scams all the time and lose their life savings. It’s a horrible design for an auth system.
There are so many UX reasons why you would never want to conflate a login token with a key that can mathematically and instantaneously eviscerate your life savings. But to put it simply; there’s no way anyone’s grandma can use this system, wherein with something like browser Passkeys she has a chance.
Safari seems to have its own implementation of a virtual security key also. Before I plugged in my Yubico recently, Safari asked me for my fingerprint as a fallback.
Not exactly – WebAuthN is the browser/JavaScript API, which can be provided by both platform authenticators (such as Safari on iOS and macOS, Chrome on Android and macOS etc.) and hardware/"roaming" CTAP2-compliant authenticators.
WebAuthN specifices the browser API, CTAP2 specifies the interface between an authenticator device/software implementation and a browser or other client, and FIDO specifies the behavior of the authenticator itself (including certification of attestation-capable authenticators).
If Secure Enclave is as secure as Apple claims it to be, Safari‘s option might actually be the safest one. Of course you can’t use that on anything other than a Mac or iPhone, so in some situations you need another key.
You can't use Safari's option on anything other than that particular Mac or iPhone. It's my understanding that you can't extract the secret key from the secure enclave.
I don't know how this certain feature is implemented. But Pass Keys are synced via iCloud and the private key never leaves any Secure Enclave in unencrypted form. Maybe these virtual security keys are different in that they are never synced via iCloud, but principally they could be.
Technically, we can just use client certs, YK supports them (via smartcard emulation, you can also use that to auth via SSH), just it wasn't really there, ever, on UI front...
Unfortunately SoloKey doesn't work as an OpenPGP smart card, which means it's not a real substitute for a Yubikey. I haven't had any luck with resident FIDO2, either.
The Solo team believes that other functionality such as PIV overlaps with GnuPG use cases, so that OpenPGP isn't a priority, and their work on that functionality appears to have stopped in 2021. That's too bad, because OpenPGP's network effects far outweigh its pure functionality, which means a technical substitute isn't a substitute.
I have multiple Solo Key 2 devices. (I bought a Kickstarter 4-pack.) I use one of them regularly, and I successfully added it to iCloud as a security key. It has been 100% reliable.
In August 2022 they released a major firmware update. Maybe that addressed the iCloud incompatibility and reliability issues?
While I have a few Yubikeys in a drawer somewhere, for years I've preferred to use an actual smartcard to store my keys. Sure, it only offers a subset of the features of a USB key, but I've found that I really only need to sign, auth and decrypt data. All the other fancy things like OTP, FIDO, etc., either have alternatives (e.g. pass-otp), or are just not used often enough. I haven't been in a situation yet where I _need_ to use a USB key.
Besides, the experience of using Yubikeys always annoyed me. The touch functionality was way too sensitive, causing many unwanted triggers. Having it always stick out made me nervous it was going to break. And the small USB-C version was often difficult to remove, while also taking up a USB slot.
Smartcards are nice since they're compact and stay neatly inside a laptop, and they use a separate interface for that purpose, instead of the generic USB. I wish more laptops had readers for them.
On my laptop, this one[1]. While there's a model that supports NFC, I've found these don't work well with Password Store + OpenKeychain on Android. So I use a different unbranded one there. Don't remember where I bought it, but there's nothing special about it.
I like the idea of securitykeys, but having to drop 100€ for a key (since in my opinion you are playing with fire if you don't buy a backup) feels like excessive and then having to worry that I remember to take my securitykey with me everywhere...
Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.
> Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.
In terms of the SSH and GPG keys which I use multiple times every single day for me this is convenience. I have my keys always on my person and they are tied to me, and not a particular machine. Whether it's my laptop, my desktop or my phone, I have a single pair of keys that are virtually impossible to steal even on a so-so trusted device like a proprietary phone.
When you start considering a security key as a portable credential storage to use across all your machines, it becomes actually more convenient, not less.
I am just not at all paranoid about my SSH keys. Those are password protected and the worst that you can do with them is to run some low yield miner on my machines. I guess you could "steal" my source code, but I publish it free on github anyway.
Maybe convenient if you are administrator or something, but for normal life seems unnecessary.
However I can see the appeal of having everything behind a physical factor
The cost is not really that enormous when you consider these things are pretty bulletproof, I've had one for about 10 years on my keychain. That's €5 per year. I am currently waiting for NitroKey 3 to have non-alpha OpenPGP SC support and will likely buy one as soon as it's available (although maybe I should buy one now to support development and maybe have a play around myself).
You don't need a backup unless you don't trust your hardware at home, just store backup keys on some trusted host, or offline on some storage media, you then only need to buy a new security key whenever you lose yours. Even so, if you DO decide to go the backup route, the backup is not likely to get list and very likely to last much longer than 10 years.
With security keys which have NFC capabilities, you can set things up so that accessing any website from your phone is only a tap away (you need to enter the pin before hand, or every time, obviously choice of convenience here is up to you but if your phone itself is secure enough then maybe this isn't such an issue to keep the pin cached while the phone is on).
That's one reason why I prefer USB-A security keys (it's just more ubiquitous at this point, and A-to-C adapters are readily available, while the reverse is out of USB spec).
The other is that USB-A has all moving parts in the socket (vs. in the cable-side plug), which presumably makes a USB-A key more reliable.
I've had USB-C keys break on me mechanically, so having an A-to-C adapter with moving parts on both sides seems like the best of both worlds (durable security key, durable device-side port, easily replaceable adapter).
I always wonder how often someone gets into a crisis because their Yubikey breaks while they're at, say, a conference (ie. far away from the backup, be it another key, or access to recover codes). I recon they can just break when plugged into a laptop that takes a dive.
Most people have only their phones, which can also break. But some people only start thinking about that stuff when they look at alternatives like the Yubikey.
> they can just break when plugged into a laptop that takes a dive
So can the laptop at a conference. Or anything else really. I just remove my Yubikey after use and carry it in my wallet when not in use. Sure, I can lose my wallet, but I have multiple back-up options for the Yubikey, I mostly use it for convenience.
In normal life losing access to your phone won't lock you out of everything. You still have all your other devices you can use AND you can always just walk into store and buy yourself a replacement and download your phone back from a backup.
Same with laptops. If you go to a conference and your laptop breaks. You can just go to nearest store and buy a new one. It will take couple hours, but you'll be up and running again.
With security key if you lose it you lose access immediately to your stuff and you probably can not get a new one with in 24 hours even if money wasn't an issue. Also after you get the key there is no way to authenticate yourself to the key in a way that you can just make it a copy of your previous key.
Wallet is the best example. If you lose your wallet you need to kill your credit cards and get a new ID. However this does not lock you out of anything. You can go to your bank and take out whatever amount of money you need and order a new card, this will be inconvenient for about week. With your ID it depends on the schedules. However there is clear path to recovery.
> With security key if you lose it you lose access immediately to your stuff and you probably can not get a new one with in 24 hours even if money wasn't an issue.
If you lose it while traveling and have a backup at home you can likely have someone overnight the backup to you in pretty close to 24h. You also only lose access to stuff that requires the key every time you access it, all but the most sensitive services will keep you logged in without the key for a period of time.
> Wallet is the best example. If you lose your wallet you need to kill your credit cards and get a new ID. However this does not lock you out of anything. You can go to your bank and take out whatever amount of money you need
In the US at least you’ll find the bank wants to see your ID to let you withdraw cash, and businesses are becoming less friendly to paying cash. Though, like a security key, many people have a spare id at home in the form of a passport.
I can still get into "life stuff" without my Yubikey. There are increases in risk to doing so (TOTP requests have decreased resistance to phishing attacks versus webauthn, for example), which is why I don't do that generally, but the fallbacks are not a serious problem.
I would have to lose/break my phone and my laptop (both secured via Apple's stuff, not my Yubikey) and my Yubikey to be materially locked out of things. And, at that point, my password vault is inaccessible to me and I have much bigger problems.
The only thing I cannot do without a Yubikey is SSH into systems, and that is, for me, a worthwhile thing to break-glass on.
Absolutely this. My yubikeys have been on keychains for years and all still work. These keys are occasionally dropped, thrown, have gotten wet, fallen into the sand, and the yubikeys are fine.
If it was an Android, you can actually plug a mouse into it. I used this to backup a bunch of stuff after I broke my screen and touch no longer worked.
You couldn't see it either, but I suppose I could have fumbled around a bit blind. Good call.
My wife and I have had really good luck buying matching phones.
That time one had stopped charging and was replaced with a super-budget phone, so I just swapped screens, backed up/exported what I needed, and moved on.
Yeah, I don’t think it’s live anymore. I had the same feelings as gp re: up front price, so I went searching for deals and came across that cloudflare offer on Reddit. Several users have commented on the thread post-January 3rd stating that they tried and failed to unlock the deal
I’ve carried a USB-A Yubikey in my pocket for 7 years and it’s never broke. I also keep one time login passwords encrypted and available in the cloud in the event I lose the key.
I've had one USB-C key break on me in the past, and my replacement is already showing signs of wear. Fortunately it's not my only way to get back into my accounts if it breaks.
My (sample size 2) theory is that USB-C isn't the best connector for a security key, since it intentionally moves the wear-prone part (i.e. the dust-collecting and mechanical spring involving side) from the port to the cable.
USB-A is completely solid state, and most security keys use the "flat" variant of the plug that further reduces the chance of mechanical damage and/or collecting dust.
For a security key, sure, it's better for that side of the USB port to be more resistant.
But on the PC side, my old HP laptop used to have extremely tight USB A ports. I'd have to pull ridiculously hard on cables to disconnect them. Now the ports are fairly loose, to the point that my external drive sometimes disconnects...
The yubikey kinda dances around in that port. Luckily, I don't move the laptop too much, so the key tends to stay put, but it sometimes does lose contact out when I need to touch it often.
Sure, but that doesn't help against the springs mechanically wearing out, or mechanical damage bending the hollow part of the USB-C connector.
Looking at all of my USB-C keys, most of them get visibly bent inwards after a couple of years of carrying them in a pocket on a keychain with other keys.
It's hard to imagine a USB-A key breaking in the same way. The only thing that could conceivably break it is the PCB itself snapping, or possibly static electricity (but I don't know how much better USB-C keys would fare in that regard).
So given that I can buy 2-3 A-to-C adapters for the price difference between a USB-A and a USB-C key, why take the additional risk?
I solve the issue of forgetting my key by having a key constantly attached to my keychain with a keychain clip except when its in use with my notebook. This means that I have three keys - one on my keychain, one on my main computer, and one for backup.
Also I have my passwords synced to my phone, which could serve as a mobile backup in a pinch. I currently have it configured to require the key, but I should probably change that now that I think about the possibility of losing the key.
Using the key is more convenient to me than not using it, because it saves me from having to remember and enter a long master password.
I found that four were the right number of keys, not two. One for the permanent safe, one for the keyring, one for offsite storage at another location (like office) and one to leave in the computer.
Same, I only use the key when something forces me to, cause I trust TOTP authentication apps even less. (I don't mean trusting that nobody hacks it, I mean trusting that I don't get locked out.)
Thankfully now with Google Authenticator at least you can export the config to another device. I periodically do this to my old Android phone so I have a backup device in case I destroy my current one
Yeah but I already wrote off Goog Authenticator after last time. The original version didn't let you transfer codes, and the devs said that's WAI for so long before listening to common sense.
Also, such a strict auth system needs to be 100% clear what my credentials are and where they're stored, and it's unclear here. People today still get confused about whether or not Android or iPhone backups (local or cloud) contain them. They could've taken a page from the cryptocurrency wallets, which give you a recovery word-list upon first setup and force you to understand how it works.
For full disk encryption, if you use systemd and not another init system, i'd also recommend systemd-cryptsetup, it's already installed on your machine if you have a relatively new systemd (at least 248). With systemd-cryptsetup you can use fido2, and your normal fido2 pin, to unlock your LUKS drive.
This also works with the YubiKeys "Security Key" series, that only have fido2 and no otp/chalresp.
I actually considered that setup but decided against it. The thing is, if I did this, I would eventually succumb to convenience and would plug the key into the machine at all times. But that defeats the purpose: if a thief steals my computer they can just tap the key rather than know my password to unlock my disk.
This part can be frustrating for a novice adopting security keys. The key works out of the box without PIN. If you didn't come across the right guidance, you already enrolled keys without a PIN and now discover that you need to unenroll everywhere, set a PIN, and enroll again. And even with proper backup keys etc., it can be worrying whether you've forgotten some corner case and are about to lock yourself out somewhere by setting the PIN.
Your paranoia is getting out of hand, seriously.
2FA here, OTP there.
Idk about you, maybe you do have such sensitive data that you have to double guard everything, I and the usual average guy doesn't.
Why do I care? Because this craze has already reached the real world. Amazon requiring 2FA on deliveries. Wtf is wrong with my passport or other document? Nothing. Now I have to be physically present and recite some fucking code they sent my via fucking email or app if installed.
I can't log in anywhere anymore without having to double prove that the password and email is indeed mine.
STOP THIS MADNESS ALREADY!
My World of Warcraft account had been secured by 2FA 10y earlier than my bank account.
The good thing is, the launcher app on _my_ PC got the feature (a few years ago) that I only need to use the actual 2FA fob once every few months, not every time I login. It protects me against the most common case (someone logging in with my account/stealing my account) while not getting in the way at all. Unless someone breaks into the apartment, but I'll take that risk.
Still wondering what's wrong with most orgs not even offering the user the choice of "no 2fa/2fa everytime/whitelist this one device for $period".
That's probably not about information security, it's simply Amazon not trusting the gig economy delivery worker enough with an expensive package, so they give you a number only you know and he doesn't, and that's how they verify that he has to interact with you before marking the delivery as done. It's to prevent a common kind of theft.
(I'm not talking out of any inside knowledge on the process, just thought that'd be the reason)
My work recently changed the password length requirement to 16 characters, 2FA now requires typing in a number and you automatically get deauthenticated every 12 hours.
I really feel there's got to be diminishing returns for such policies
I really would like to use it, but without ability to backup it, I don't wanna. I've read some time ago Yubikey of some other company showed initial spec, but I never heard any followup, I don't remember the link. For now I'm using TOTP but it's a chore. Salesforce Authenticator has nice idea with custom push-based protocol, but it's not running on dedicated hardware. I think ESP32 S3 has hardware potential to act as security has as it has e-fuses and has enough umph for cryptography, it would be interesting option to see (maybe with optional wifi/bluetooth faraday cage on it)
The backup plan is mostly having a backup key. The whole point is that there's a secret inside the key that can't be stolen, and that means there's no way of exporting it either. Most services I deal with allow registering multiple keys. Some like Paypal don't, but allow having both a key and TOTP so you can use TOTP as a fallback.
It mostly acts as a keyboard (bluetooth or USB). It supports TOTP, and will type it out for you. It has an internal battery and for TOTP the clock is set by the management application for it.
I'm with you re: backups. The whole "just have a backup key" methodology seems tediously manual and fraught with opportunities for error/laziness.
I've been looking into OnlyKey[0] recently. It seems to have sensible backup functionality at least.
Using something The Mooltipass[1] (USB HID password vault w/ TOTP support that has a sensible backup strategy) comes closest to what I want, but not quite close enough. (I'm disenchanted with it because it seems to lean heavily on an app on the host computer for functionality.)
> It seems to have sensible backup functionality at least.
The backup functionality seems to completely negate all security benefits of using separate/minimal security key hardware, since it requires passphrase entry on a computer and then exposes the backup file encrypted under that passphrase to the same computer.
You commission the device on an air-gapped device. If you type the password on a network-connected computer you’re doing it wrong. Bonus points for physically destroying the computer you commission the device on.
> You commission the device on an air-gapped device. If you type the password on a network-connected computer you’re doing it wrong.
This is a pretty unrealistic requirement for a purported Yubikey alternative. This assumption/requirement also not mentioned anywhere in its manual, as far as I can tell.
There are ways to get secure backups of hardware authenticators (or even HSMs), but they generally require some form of secure I/O. I don't see how it would be possible with a Yubikey-like device, unless you're fine with entering a high-entropy secret using on-device buttons.
> Bonus points for physically destroying the computer you commission the device on. It’s just like commissioning an HSM.
I've worked with HSMs, and there is no need for any destruction of hardware (unless you consider the paper sometimes used for ZMK key exchanges hardware).
I am being a little hyperbolic with the whole “destroy the PC” thing. I did have one engagement where we generated keys on a PC before importing into an HSM. (We did this to be vendor agnostic on the HSM for an intended 25 year lifetime for the keys.) The PC was destroyed after the ceremony and after the plaintext keys were committed to tamper-evident envelopes.
I would prefer a “security key” device with its own USB host port so I could plug a keyboard of my own choosing directly into it. A poor man’s secure PIN pad.
Edit now that I'm not on my phone:
I'm resigned to the fact that no mainstream hardware is ever going to be made that will do what I want. There isn't enough of a market for my desires, like so much technology today. It's yet one more step toward in my ending up a "digital hermit" figuratively living in a shack in Montana.
Ledger (and some other hardware wallets) solve this with a few buttons and a display, but that's pretty unergonomic for longer key inputs. They're mainly advertised for crypto purposes, but at least Ledger's implementation seems decent and is usable for e.g. SSH keys and OpenPGP as well.
It does the job if you only very rarely import keys, though – and in modern (asymmetric cryptography based) systems, you ideally import exactly one secret key and do the rest with public/private key cryptography derived from it, rather than having to do the tamper-evident envelope shenanigans with every partner you share keys with.
The device that comes closest to what I'd like is the NitroKey HSM (and the underlying SmartCard-HSM applet it's based on). It doesn't have any secure PIN pad option that I'm aware of, though. Buying a random USB keyboard from an office supply store would be good enough for me.
The tamper-evident envelope thing was for CA root keys for a DRM system to 'protect' embedded device firmware (read: revenue model) that we implemented for a Customer.
The product line has a 25 year field service life. It was a requirement to be able to issue new intermediate CA certs for that period. We met with a couple large HSM vendors and decided the lock-in risk with the proprietary HSM platforms was too great.
Instead we opted for a key generation and HSM commissioning ceremony modeled after the DNSSEC root key signing ceremony. It was the best way we could come up with to have the key material available for loading onto other HSMs down-the-road.
I guess it turned out to be good idea (so far). I heard the Customer switched HSM in the last couple years.
> I really would like to use it, but without ability to backup it
I totally know the feeling. I was there, I don't believe for a second that enrolling another key is an acceptable option and I solved that problem in a way that works for me.
You can clone your own security key if you're willing to deal with the problem that now becomes: "How do I safely store the secret allowing to restore another security key?".
I'm using paper seeds, split over several countries. A $5 wrench attack on my mom to have her open her safe won't be sufficient. The attacker would need to $5 wrench another half too, which my mom doesn't have.
Ledger Nano S (supposedly a cryptocurrency hardware wallet but I only care about the U2F support) has a U2F "nano app" installable on the key which shall do U2F (and webauthn, which is backward compatible from the device's point of view... It's not clear to me if it's going to work as a "passkey" too or not). They cost $79 or something.
Ledger kinda knows what they're doing: their CTO was part of the original FIDO spec group.
Buy two of them, initialize them with the same seed. Make sure to secure your paper seed.
In my case the issue of "cloning and backuping a U2F/webauthn key" is solved. But it's a trade off: now I have to deal with storing the paper seed allowing to restore the U2F key.
In exchange for that hassle I get U2F everywhere (SSH being a big, big, big one) and my security keys are protected by a PIN (three wrong PINs and they reset to factory default). And I don't leave with the constant fear of losing my security key and being locked out of all my services / having to reset everything.
As an added bonus that Ledger Nano S has a tiny device telling you if you're registering or authenticating and it's telling you where you're registering/authenticating. It becomes very hard to trick you into registering/authenticating to a bad party.
Also for me to be really in trouble I'd need to both lose the ability to restore/clone another key and I'd need to lose access to the two security keys that are configured with the same seed.
Have you tested this solution? Unless something has changed since the initial spec, each handshake includes a usage counter, which the relying party sees and is supposed to remember. If the usage counter ever fails to increase, then that means something weird happened (like two keys acting as one), and the site can reject you.
There are crude ways to deal with this issue, which are fine if you intend for the second to be used only in case of emergency.
> ESP32 S3 has hardware potential to act as security
You'll probably want a tamper-proof MCU instead (i.e. the type used on payment smart cards and SIMs), if physical access is a concern to you at all.
> without ability to backup it
Your backup can be another security key. If you are concerned about design flaws (of the reliability/durability kind, not security), you can get FIDO-certified keys from many vendors other than Yubico these days.
I was hoping to find how to change the number of GPG passphrase/PIN retries (the default of 3 is panic-inducing after just fat fingering it once) - I did it on one of mine some time ago, but haven't been able to figure it out again recently for another one. Sorry, it's a bit of a tangent, but if anyone happens to know?
Missing from all this: a dedicated machine running Linux to set everything up. I have an old beat up Thinkpad that I use exclusively for critical stuff that would really hurt me if somebody hacked.
You can have one for less than the price of Yubikey so there really isn't much excuse.
The entire point of using a security key is that its security model can survive a point in time compromise of the device you are connecting it to, i.e. a compromise only persists as long as a (hopefully short-lived) session. But if a single session compromise is unacceptable to you, by the same token a security key can't protect you against that.
The only instance where a "more secure" computer might be necessary that I can think of is using a GPG smartcard (which the Yubikey supports) and importing a software key to that, as opposed to generating the key on the smartcard itself.
Whatever security system you have there is always a problem of original sin. This is when attacker happens to be present and prepared to hijack your initialisation process.
If an attacker has unrestricted access to your laptop or phone and you are trying to use this device to set up say your AWS root account, no amount of Yubikeys will help you. They can essentially craft everything you are seeing on the screen and intercept everything you are typing in. What they do with it only depends on their imagination but with the advent of AI powered tools I expect hacking tools are going to get much "smarter" very quickly.
A coworker lost all money he saved for many years for the downpayment on his apartment. He used his laptop to manage his banking and his phone to receive SMS messages. He logged in to his banking from his phone JUST ONCE. That was enough. Apparently, he had some kind of malware on his phone that was waiting in hiding for this exact occasion and the moment he logged in it intercepted the credentials and was able to transfer money out of his account with the codes he got on the same phone. It wasn't even targeted attack. And it was 10 years ago.
And as far as Yubikeys I would suggest they matter less than people think. They are useful concept but only if services providing MFA capability implemented it correctly. And as far as my experience goes, no large service I use at the moment implements this correctly.
The biggest problems are usually defaulting to SMS/email code if you indicate you've lost your Yubikey. Even for services that don't do this, there is usually some way to recover access anyway.
I have lost both my root password and two my yubikeys to my AWS account. Guess what, couple phonecalls later I got my access back. It was stupid for me to loose my credentials (but it was empty account at that time) but it is not inspiring confidence in me that anybody with just the access to my phone number and possibly couple scraps of personal information can recover full access.
My strategy right now is to compartmentalise critical services that I use -- use separate device to access them, never use my other devices for this, use separate email and separate phone numbers. Never reveal to anybody the email and phone number. Never put anything that could create any interest for those services, emails, phone numbers, etc. Yubikeys are nice gimmick (that I use daily) but I honestly don't see them as doing much for my security.
> If an attacker has unrestricted access to your laptop or phone and you are trying to use this device to set up say your AWS root account, no amount of Yubikeys will help you.
They will absolutely help against a persistent compromise of my accounts. For example, I can check all registered security keys from a different machine and network.
If only the ones I expect are present, I can click the (hopefully present) button "log out all sessions on all devices" and be reasonably certain that, at least from that point in time, nobody else has account access. And I can make sure that all of the ones present are in fact my keys by trying to authenticate with all of them.
Registering a new key will hopefully also trigger a big scary warning email/SMS/fax to me and/or additional security contacts.
> Even for services that don't do this, there is usually some way to recover access anyway.
As a user, I sure hope there is – it would be genuinely frightening to know that my account is unrecoverable if I lose all security keys linked to it! Hopefully, that process involves a lot of red tape and not just an SMS-OTP or sending a blurry scan of my birth certificate to an e-notary several timezones away.
> Registering a new key will hopefully also trigger a big scary warning email/SMS/fax to me and/or additional security contacts
If your devices are compromised you are not guaranteed to receive any emails or SMS. There are malwares known to remove emails and messages either directly or by running as man in the middle or by intercepting and modifying the UI.
> As a user, I sure hope there is – it would be genuinely frightening to know that my account is unrecoverable if I lose all security keys linked to it!
As a professional I am reading it the following way:
"The access to the account can be regained without the super duper secure Yubikey fleet you have."
Therefore it is as secure as that super expensive door lock when there is an open window right next to it.
> Hopefully, that process involves a lot of red tape and not just an SMS-OTP or sending a blurry scan of my birth certificate to an e-notary several timezones away
But that just does not happen. This would be super expensive and companies would rather limit their involvement with individual people to save on support cost. All I got from AWS was two phonecalls from a tired guy with obvious Indian accent.
For OTP secrets, you could add my yubikey-otp tool, which is a CLI tool for searching and adding otp secrets stored on your YubiKey to your clipboard: https://github.com/MarkusZoppelt/yubikey-otp
The thing missing for me is, how to set 2 yubikeys to be functionally the same, to make having a backup key easier (for situations where no data is added to the key)
It really depends on what you want to do with the yubikeys. If you're just using the PGP functionality (like SSH-ing and signing git commits) all you have to do is upload the same private (sub)keys to the two yubikeys and they'll be functionally the same*. I wouldn't know about other (more advanced) features though.
If you follow DrDuh's guide, you should be able to set up the yubikeys in the way I described. I also created some provisioning scripts that automate the whole process which you should be able to use to provision the PGP applet:
This is trickier with TOTP, since you either have to have multiple keys on you or you have to save the TOTP seed / QR code until you have access to the other keys.
But I have to admit that there is probably no way to do that properly. If Wireguard key is in Yubikey, every packet has to go to Yubikey for encryption and decryption. That doesn’t work!
The usual recommendation is to encrypt the Wireguard key with pass or gpg. But an attacker that can access a Wireguard key in /etc/Wireguard must have root access. Such attacker would have access to stdout put by Gpg and could read the key. It could also dump the memory and read the key from there.
Other than Google Titan and Yubikey, are those really the only two players? I find it concerning that there is this whole ecosystem built around security keys, but only two companies making them. That said I currently use yubikeys for all my stuff, it just occurred to me its odd there isn't a bunch of companies making these :/
A friend of mine and all his colleagues are using OnlyKey (pricey). I use a Ledger Nano S for U2F/webauthn. These two are requiring a PIN to register/auth.
With the way things are going (U2F/WebAuthn), Yubikeys are being commoditized, and that's a good thing. I have 5-6 Yubikeys, but nowadays the one I use most is the Solo 2 I embedded in my laptop[0].
Pretty much the only thing I use a Yubikey for nowadays is U2F, and I might as well use any cheaper key for that, since they're all equivalent (Solo 2 even has much more space for resident keys).
I don't think there's much reason to get a Yubikey nowadays, especially if you don't need it for some specific use case (e.g. GPG). Just buy any cheap FIDO2-compatible key and you're good.
> With the way things are going (U2F/WebAuthn), Yubikeys are being commoditized, and that's a good thing.
I very much doubt this. Security keys are only used by a very niche community of security minded tech geeks. They're either unknown or very user unfriendly and a nuissance to the vast majority of tech users. Hell, I only use them because not using them is not an option, but I'm constantly annoyed with having to _think_ about them, rotate keys, manage passwords, etc.
While WebAuthn and passkeys are becoming more prevalent and standardized, and that's certainly a good thing, the future of increased security for everyone will not involve security keys. Most users will authenticate using their phone or biometric data, which will create passkeys for each purpose, stored securely in the background on a TPM-like device, and synced using traditional methods.
So security keys will remain a niche product, for those of us who don't trust these new authentication models, or have to keep managing passwords for likely many years to come.
BTW, that's a pretty cool project embedding a Solo 2 into the laptop. Shame you're now stuck with the Framework, but it's awesome that kind of project is even possible. I still prefer using a regular smartcard, since some (many?) laptops have built-in readers. And I miss PCMCIA slots, which were a perfect fit for smartcard readers, until they took it away from us. :(
Oh I'm not stuck, it's a removable port, I can just take the key out whenever. I think USB-C is more flexible than PCMCIA, especially with the Framework's module bays.
Well, you're functionally stuck with Framework, unless you want to go back to using the security key in the traditional way. I have the same issue with ThinkPads because of the TrackPoint, and can't go back to other laptops for work (some HP models had it at one point, but I haven't seen it in recent ones).
And, sure, USB killed PCMCIA, but I still prefer the embedded form factor and standard size of PC cards. Now we have a million USB devices, all with different form factors, and even different behavior depending on the USB standard they support. At least we've sort of settled on a single connector now.
I wish it was possible to add FIDO keys to an account without having physical access to the key. Without this, it is hard to balance the convenience of adding your keys to new accounts and the risk of losing all your keys. Ideally, I’d want to keep one key in a safe location far away and just have some public key data that I can upload to new accounts. Does anyone know why FIDO doesn’t work this way? Is it simply to make it harder to lock yourself out of an account?
> You can add 32 of these secrets to a Yubikey device.
I have 45 of those currently in my Authy account, which syncs on two phones for redundancy...
I'd love to use a Yubikey for this, but I'd have to split those accounts across multiple yubikeys, which would be quite a headache to maintain, especially if one wants redundancy...
I actually just bought two Yubikeys. I figured the iCloud announcement was reason enough to pull the trigger on them.
I was actually surprised at how little changes I needed to do, it “just worked” with the most sensitive accounts I had (1Password, Gmail, iCloud). Very cool devices.
On Android, to unlock Keepass database secured with Yubikey, an alternative to Keepass2Android+ykdroid is KeePassDX[1] + Key Driver [2]. Both USB and NFC are supported.
The 32 TOTP limit was what killed it for me as a replacement for Authy/Google Authenticator/etc. I know Yubikey came out before TOTP really hit its stride, but 32 was really short-sighted.
It's pretty annoying having to touch my yubi key every single time. I find KeePassXC + TOTP much more user and disaster resilient. If I lose my yubikey, I'd better have a physical backup copy. If I lose my keypass device, my file is just up on Dropbox. I find the value proposition is outweighed by the risk of disaster for yubikey personally, and keepass doesn't make me touch it every time so it's much more convenient.
While having a YK neo with all the features, I prefer the simple FIDO security key. Everything you could want apart from legacy/special use cases can be achieved with fido.
websites -> fido/u2f
ssh -> native fido support in ssh-keygen
login -> fido2 for windows, libpam-u2f for linux
luks encryption -> systemd-cryptenroll
There was a very good security key dissection article way back on the net, just couldn't find it in my archives. They removed the ceramic coating, checked signals etc. and came to a quite sobering conclusion regarding security keys. If anyone has something similar, please provide a link.
Unless the conclusion was "someone can steal the private key from the key just being plugged in to USB", it can't have been very sobering. Literally all I want from a USB key is to make it so physical theft is required before someone can access my stuff.
Someone needs to do this but for a windows environment. The documentation is a disaster in that realm. Took me forever to get it working properly with active directory.
The attack surface of yubikey vs a laptop you carry around is interesting.
Nobody seems to reflect that if you physically steal the laptop, guess what, the usb key that's still in there was also stolen.
Anybody using USB locks? If you are focussing on FIDO for password management, I am assuming you are protected against HID emulating devices, like a rubberducky or teensy flashed with some malware installing HID emulator.
And you do use USB locks on your laptop, right? Right? Because if not then all that added layer of secure feelings is pointless from an operational security perspective, other than preventing shoulder surfing. And if you are using a FIDO key, you usually have to enter a password to use it anyways, so it does not really protect against that either.
You could've just used a password manager with a LUKS encrypted system and you have the identical attack surface from an operational perspective.
> Nobody seems to reflect that if you physically steal the laptop, guess what, the usb key that's still in there was also stolen.
I think that largely misses the point of having such a key. I have one, and I'm well aware that if my laptop is stolen, so is that key. But the point of it is not to protect the laptop from the outside; that's why my drive is encrypted.
The point of that particular Yubikey is to secure passwords and authenticate to some websites, all of which requires either a PIN or more passwords, even after breaking the encryption of the drive itself.
Then there's the fact that, if you steal my laptop, you're probably looking to sell it for cash. That is to say, threat models matter. If your a journalist in a hostile country, maybe other steps should be taken. But most of us here on a site called Hacker News aren't under such threats, romantic as they may be.
That implies people leave it plugged in, which is not advisable. Also ignores the fact that these keys have certain phishing protections. 2fa will fail when you're on a cloned phishing page, so you can't enter your totp code in a fake site. I use mine ALONGSIDE a traditional encrypted pw manager
I have one Yubikey tucked away at home, and another at my mothers a few hunder kilometres away; these are „last resort“ keys to my core accounts. For daily usage, I rely on iCloud Keychain with FaceID/TouchID and encrypted file systems on my devices. I’m pretty confident in this setup: You’d need to steal my laptop and my phone, get my fingerprint or face, or my password; yet you still can’t lock me out entirely, and chances are if I’m robbed, I’m going to reset everything right away.
> Nobody seems to reflect that if you physically steal the laptop, guess what, the usb key that's still in there was also stolen.
Not in how I use it. I only connect my yubikey when I need it (rarely at that).
> right? Right?
Just generally don't do this. It comes of as unnecessarily aggressive. Instead you could say "Do use USB locks on your laptop, because ....". The "right? Right?" is not making your point more persuasive.
> Because if not then all that added layer of secure feelings is pointless from an operational security perspectiv
You are assuming all kind of things about the threat environment and the concerns the person has.
> Just generally don't do this. It comes of as unnecessarily aggressive. Instead you could say "Do use USB locks on your laptop, because ....". The "right? Right?" is not making your point more persuasive.
I don't see it that way, but happy to be corrected. Please tell me which part do you feel is unnecessarily aggressive? Just the general concept of asking someone to communicate differently, or a particular part of my message?
> The attack surface of yubikey vs a laptop you carry around is interesting.
If you use the term "Yubikey" to describe the simplest model of Yubikey and not as a generic term to describe these security keys. Both Yubikey and their competitors are offering more advanced models: models which aren't simply unlocked by a tap on the device.
Then the attack surface compared to a laptop you carry around certainly becomes very interesting.
The security key I use most (I've got several models) have their own tiny screen and are protected by a PIN and won't work anymore after three wrong PINs (and let's not shift the goalpost by discussing what happens if you forget your PIN, that's another subject).
A friend of mine and his colleagues, sysadmins at a major ISP, all use "OnlyKey". They're protected by a PIN too (no screen but six digits on the security key). One PIN to register the security key, another PIN to auth.
Then there are security keys, including Yubikeys, only unlocked by fingerprints: now we're talking about Ethan Hawke stealing your laptop, your security key and recreating your fingerprints from a glass he stole at the bar (it's not impossible, but we're very far from "we stole your laptop while the session was unlocked").
> like a rubberducky or teensy flashed with some malware installing HID emulator.
Wait, what would a teensy used for nefarious purposes do here? You can't sniff what's inside the Yubikey. It's kinda the whole point: it's a challenge/response only answered by knowing a secret protected by the HSM on the Yubikey. There's nothing to sniff. If you didn't intercept and modify the key while the person registered on a service, you'll never be able to auth without unlocking the actual key which was used to register to the service. You may be able to sniff and relay the auth but you'd still not be able to extract the secret out of the security key.
> Because if not then all that added layer of secure feelings is pointless from an operational security perspective
I don't know: all the big security hacks we saw recently would all been stopped cold dead in their tracks had U2F/webauthn been used (like the, supposedly, Plex related on where one dev had a years old, compromised, version of Plex which was used to exploit his home computer, which then allowed to get inside the company's network for all was needed to log in to the company's network was to sniff a password).
Google reports there have been zero break ins since years, since when they moved all their employees to mandatory U2F (then switched to webauthn and I take it now to passkeys?).
I'm overall confused by your comment... What kind of attacks are you exactly talking about? Someone stealing your laptop then installing a teensy in your laptop and putting the laptop back in place, without you noticing? Or just someone stealing your laptop while the Yubikey is in it?
Are you actually saying that because some Yubikey aren't protected by a PIN and because some people leave this model of Yubikey in their laptop at all times, all security keys don't offer any additional protection compared to a laptop being stolen?
If keylogger is what you're defending from, yes, it doesn't help. And in this scenario you've probably already lost.
On the other hand, it makes a large portion of the password immune to video-recording you typing the password in. Yes, it's technically trivial to then steal your Yubikey, extract the static password and combine it with the recorded one, but these are still quite some extra steps.
My point is, if a particular service or application doesn't support anything more refined, using a static password as a pepper[0] is perfectly fine and still an improvement over not doing so.
[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)