I have long debated getting a Yubikey but have held off because I don't want to have to carry around several dongles at all times to be able to send an email.
Surely other people are in the situation of:
- iPhone, iPad
- Macbook with only USB-C ports
- Windows/Linux workstation with only USB-A ports
Is there currently a non-cumbersome solution that will work on all of these?
The way $dayjob makes this work is to issue a nano security key for each computer, and then a bluetooth security key for the iPhone (Android phones can use both NFC and Bluetooth security keys, but iPhones can only use Bluetooth security keys).
It's cumbersome, but less so than when we were plugging and unplugging our one hardware USB-A OTP token into everything (and using a desktop web browser to generate OTPs for the phones).
If you do end up getting a security key, I recommend getting at least two. If one fails, you'll want the other one as a backup so that you can get back into your accounts.
I keep an extra Yubikey in my bank box, next to my other backup keys. The only account I'd be locked out of is Twitter since they only let you add 1 token (my primary).
AWS also only allows you to add a single device, much to my annoyance. I still haven't found a solution for that which doesn't involve risking getting locked out.
One answer I've seen is to create multiple users for the same person. The second user becomes the "backup" user with a different physical device and is used only to reset the primary.
At $dayjob I "solved" that problem by setting up SAML auth so we would all log in via G Suite (thus using 2FA via YubiKey there). A few months after I set that up we got acquired by a big company that uses RSA SecurID software security tokens. The security policy mandates that you have only one active security token instance (which BTW acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk LDAP...)
Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.
Most sites let you set up both the Yubikey and a Google auth style TOTP. I always set up both, with TOTP codes saved in KeePassXC and SFTP'd to a backup server.
If I keep one with me and one at home, then I only have to worry about leaving both at home if I’m caught in the fire. Additionally, if I can prove who I am in person, or via friends attestations or both, that’s a lot better than a forgot password form or SMS hijacking.
I tried to get mine as future-proof as possible, but I was left with a choice of either getting the Yubikey Neo with NFC or a Yubikey with USB-C.
I went with the Neo, because it supports all of my current devices, and for USB-C future testing, I tested it on my phone with a USB A-to-C adapter and it worked there as well. I'm a Linux/Android user without any Apple devices, though, so YMMV.
EDIT: Should also mention that I received a free basic Yubikey as a gift for subscribing to Ars Technica about a year ago. USB-to-MicroUSB and USB-to-C adapters worked on that for all of my devices, as well. I feel pretty confident switching to Yubikeys now that I have two and can keep the newish one on my keychain at all times, with the basic one in a secure place at home.
I don't think that's possible right now. Until they come up with a solution to "I've lost my 2FA token" that isn't as painful as losing your wallet there will be new designs coming out. (Actually, it's more painful. You only have a few cards in your wallet, while your 2FA token may be recognised by 100's of sites.)
This isn't a criticism of FIDO2/WebAuthn. I am impressed by how each iteration solves a new part of the problem, and FIDO2 was definitely a step forward, fixing rough edges in FIDO. But we aren't there yet. We need a FIDO3 and possibly 4, 5 and 6.
Having a backup 2FA token seems like a solution, no? As I already said, I've got a lower-end Yubikey that is basically only there to be a backup in case of emergencies.
To be honest I didn't understand your backup strategy. As far as I'm aware it isn't possible to clone a key - and I sincerely hope that's true. If you can't clone it the only other way I can think of using a backup is having every site you log into accept two so you can authenticate with either - but I've never noticed a site that can do that.
Assuming it's the "authenticate with either" solution, it ain't a great solution. If you have to replace a key you still have to visit every site you authenticate with and provide your new key. Looking at my password manager that seems to mean 100's of sites in my case.
There are lots of potential solutions to the "dog ate my token" problem that don't require me to visit every site I authenticate with - or even notify them. Online servers can even handle the "someone stole my token" case. Right now the only deployed online solution we have is OAuth, which is really an authorisation mechanism. It sucks for authentication.
Usually you just use multiple keys - one USB-C in the MacBook, one tiny USB-A in the laptop and the built-in Titan key in the Pixel phone. You don't remove them.
Not unless your attacker has physical access to the machine. You still have to touch the device to activate it each time.
This still mitigates the most common MITM-type attacks:
1. Attacker instigates login via fake portal.
2. Attacker fools you into entering your 6-digit OTP.
3. Attacker intercepts your valid OTP, combines with your stolen password, logs in to real site.
This doesn’t work with a YubiKey or the equivalent because of the back-and-forward cryptographic signing. The request has to come from the website you’re logging in to, which it doesn’t in this scenario. It’s the weakness of part 2 above which we avoid here.
Well, yes, that is exactly what I'm talking about. The biggest advantage of a physical second factor is that I can see if it has been stolen: I either have it with me, or I don't.
By using multiple keys, you are effectively removing that advantage: someone could have one of your devices (e.g. your laptop while you're out for lunch) and would be able to make use of your second factor without you knowing.
Well if your primary concern is a local threat - which it absolutely is not for the vast majority of people - then you just have to be more careful with your keys. If you suspect someone might be actively trying to break into your home, you wouldn't leave your keys on your desk while you went to lunch.
Yep. Use FIDO2 keys to require a PIN or fingerprint to activate the key. This is why Android/iOS as a FIDO key is great - easy to lock, so built-in two factors.
They also need to know your password though. Unless you've got your passwords written on a sticky note below your keyboard, stealing your laptop doesn't really get the attacker any further along.
That's true. But if the alternative is that people have to set up weaker fallback mechanisms (such as SMS verification) then I'm happy to pay that price.
Not really, because an attacker still needs physical access to the device. It still protects from someone with your password getting into the account (unless they have your laptop)
Which don't? For all the big major ones I've used U2F with, they've supported multiple keys for a while (or since introduction). It's practically a requirement in case you lose a key.
To name a few off the top of my head: Google, GitHub, Gitlab, Facebook, 1Password, etc.
If that's the case, it must have changed at some point. LastPass and Duo both support multiple U2F keys, and have for at least a couple of years. I have two keys registered with Duo for login at my school and also through LastPass's non-Duo U2F support.
This is true, and it is dangerous (once the key fails, folks get locked out). I don't use security keys with such providers.
It would be nice if someone made a library that made incorporating WebAuthn login into an app as simple as using Django or Ruby on Rails or React to create a login form, so folks don't end up rolling their own and assuming that a user will have at most one YubiKey.
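Two points in this thread fit one illustration: the earlier comment on why a phishing page cannot relay a security-key assertion the way it relays a 6-digit OTP (the browser, not the user, stamps the origin into clientDataJSON), and the comment just above about libraries that assume one key per user. The following is an added example, not code from any commenter or from a WebAuthn library; the relying-party class, the origin `https://example.com`, the user and credential names are all assumed, and signature verification over authenticatorData is left out on purpose so the origin and challenge binding is the only thing being checked.

```python
import base64
import json
import secrets

# Added example (not code from the thread): the relying-party side of a
# WebAuthn assertion check, reduced to origin binding, one-shot challenges
# and many credentials per user. All names here are hypothetical.

RP_ORIGIN = "https://example.com"   # assumed relying-party origin


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def browser_client_data(origin: str, challenge: str) -> bytes:
    """Simulates what the browser hands the authenticator as clientDataJSON.

    The browser fills in the origin of the page that called
    navigator.credentials.get(); neither the user nor the page's script can
    override it, which is what defeats the relay-the-OTP attack.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode("utf-8")


class RelyingParty:
    """Minimal server state: many credentials per user, one-shot challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}   # username -> set of registered credential ids
        self.pending = {}       # username -> challenge issued for this login

    def register_credential(self, user: str, credential_id: str) -> None:
        # A set, not a single slot: a backup key registers alongside the primary.
        self.credentials.setdefault(user, set()).add(credential_id)

    def begin_login(self, user: str) -> str:
        challenge = b64url_encode(secrets.token_bytes(32))
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, credential_id: str, client_data_json: bytes) -> bool:
        # The challenge is consumed on first use, so a captured assertion cannot be replayed.
        expected = self.pending.pop(user, None)
        if expected is None:
            return False
        if credential_id not in self.credentials.get(user, set()):
            return False
        try:
            data = json.loads(client_data_json)
        except ValueError:
            return False
        if data.get("type") != "webauthn.get":
            return False
        if not secrets.compare_digest(str(data.get("challenge", "")), expected):
            return False
        # Origin check: a lookalike domain relaying the real challenge fails here.
        if data.get("origin") != self.origin:
            return False
        # A full implementation would now verify the authenticator's signature over
        # authenticatorData || SHA-256(clientDataJSON), so the fields checked above
        # cannot be altered after signing. Omitted here to keep the example focused.
        return True


def demo() -> dict:
    """Constructed scenario: two registered keys, a replay, a phishing relay, an unknown key."""
    rp = RelyingParty(RP_ORIGIN)
    rp.register_credential("alice", "key-on-keychain")
    rp.register_credential("alice", "key-in-safe")   # backup key, registered alongside

    challenge = rp.begin_login("alice")
    good_data = browser_client_data(RP_ORIGIN, challenge)
    backup_key_ok = rp.finish_login("alice", "key-in-safe", good_data)

    # Replaying the same assertion: the challenge has already been consumed.
    replay_ok = rp.finish_login("alice", "key-in-safe", good_data)

    # A phishing page relays the genuine challenge, but the browser stamps its own origin.
    challenge = rp.begin_login("alice")
    phish_data = browser_client_data("https://examp1e.com", challenge)
    phish_ok = rp.finish_login("alice", "key-on-keychain", phish_data)

    # A credential id that was never registered for this user.
    challenge = rp.begin_login("alice")
    unknown_ok = rp.finish_login("alice", "someone-elses-key",
                                 browser_client_data(RP_ORIGIN, challenge))

    return {"backup_key": backup_key_ok, "replay": replay_ok,
            "phish": phish_ok, "unknown_key": unknown_ok}


if __name__ == "__main__":
    print(demo())
```

The storage choice is the point of the second passage: `credentials` maps a user to a set of credential ids, so registering a backup key is the same call as registering the first one, and losing one key never means losing the account. The `phish` case shows the first passage's argument in code: the relayed challenge is genuine, but the origin the browser recorded is the lookalike domain, so the relying party refuses it.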
Failing that, you could do what Zeit does and rely on email providers' support for Security Keys (login by email link only).
Usually you can use a TOTP backup method (Google Authenticator or similar). But don't actually use it. Just save the key to initialize it to a secure backup which can be accessed if your YubiKey is lost.
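What the saved "key to initialize it" actually buys you is shown below: from the base32 seed alone, any machine can regenerate the same 6-digit codes the authenticator app would, which is why the seed itself is the thing to back up. This is an added example, not code from the thread; it implements RFC 6238 (HMAC-SHA1, 30-second steps) over Python's standard library and uses the RFC's own published test seed, so the codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not code from the thread): regenerating TOTP codes from a
# stored seed per RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits by default).


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code for a base32 seed at the given Unix time."""
    seed = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))    # tolerate unpadded seeds
    counter = struct.pack(">Q", unix_time // step)             # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code from the current step or up to `window` steps either side (clock drift)."""
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + skew * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238 test seed: the ASCII string "12345678901234567890", base32-encoded.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SEED, int(time.time())))
```

Keeping the seed offline, as the comment suggests, means the backup has no moving parts: no device to break or run out of battery, just a string that must be protected like a password, because anyone holding it can produce the same codes.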
I guess one solution is to use hardware that takes connector compatibility more seriously. I only use stuff with USB-A, and the Yubikey works with my phone via NFC (Yubico's Neo model).
Similarly, my laptop has an SD card reader and Ethernet port. My laptop and phone have 3.5mm jacks. All my small devices use micro-USB.
No dongles or adapters makes for seamless usage. I guess the only 'adapter' is keeping a micro-USB -> USB-A cable around.
Either the USB-A dongle or the USB-C one should work in all of these cases with an additional dongle (sigh).
By the way: I recommend getting the larger keys, not the nanos. These nanos look cute, but especially the newer ones are intended to be fixed to one device permanently, which in my opinion is both inconvenient and not the intended usage.
I wonder if iPad apps will start supporting Yubikeys — especially with the new iPad pros and their USB-C port it seems natural.
Ideally, I'd love to see Blink integrate ssh-agent, gpg-agent and its card support, which would let me use my existing (excellent) setup for using GPG keys stored on a Yubikey for ssh (see https://github.com/drduh/YubiKey-Guide for a great writeup of this approach).
krypton (https://krypt.co/). If you're ok with one dongle, you can get the A or C flavor of a yubikey neo and keep a converter permanently in the other devices.
So it appears, no, all reasonable solutions are quite cumbersome for the time being, for an individual who wants to use many accounts anyway. A company might be able to cook up a system that works well for its employees though.