About 10 years ago I was working on a project for Procter & Gamble that required me to have remote access to their computer system. To gain access, I not only had to provide a password, but also a six-digit number displayed by a Secure ID key fob. The displayed number changed every minute, preventing anyone gaining access without physical access to the key fob. It was a bit like magic to me back then.
In 2016 many Internet services offer the option to require a second piece of information besides the password for a successful authentication. Fittingly, the process is called two-factor authentication.
There is one big shortcoming of the username/password authentication scheme. Anyone in the world that knows that combination for an account can gain access to it. At times, that access to a site is gained indirectly by an intrusion into a less secure site where people have reused the username and password. That is not only a problem for the individuals, but also a public relations nightmare for the company whose site got compromised through no fault of their own; a site that might rely on the perception of security for their business model. Dropbox is one of those companies that had to explain in a blog post how the rumors of their site being hacked were not true.
To minimize these incidents, many of the big players in the industry —Apple, Google, Amazon, Dropbox, to name a few— have started offering two-factor authentication procedures for account holders.
The basic idea is to strengthen the authentication process by requiring something you know (the password) plus something you have (the second factor). The latter can be a smartphone or a device manufactured to serve as a second factor authentication device. The Secure ID that Procter & Gamble provided to me was such a device. A cell phone, either through its ability to receive a code via text message, or through a third party application —with the Google Authenticator as one of the better know application— makes a good second factor authentication device.
All these solutions work, but they add a reasonable amount of complexity to the process, starting with the need to locate the cell phone —not everyone has their phone on them all the time— unlock it, start the app, type in the code.1 So, while I personally have been using Authy as a second factor solution for a while, I did not set it up for my wife: security measures that are too hard to use will be avoided and/or circumvented, defeating the purpose of the process.
This brings us to the YubiKey, the device this post is all about. It is another example of a second factor authentication device, developed by Yubico. Its main appeal is the simplification of the authentication process to the point where significant security is added with minimal additional hassle.
In its simplest form a YubiKey is a touch sensitive device that sits in a USB slot of the computer, pretending to be a keyboard. The picture to the left shows a Yubikey inserted into a USB slot on my laptop. It almost disappears, barely visible by its green indicator light. But other form factors exist, as shown in the first picture on this page.
When an internet service asks for the second form of authentication, all that is required from the user is to touch the Yubikey. Thanks to its integration into the computer as a keyboard, it will then “type” a unique string for you into the appropriate input field. That string changes every time, making it a one time password that can’t be reused and thus requires anyone who wants access to the account to own this specific Yubikey.2
The Yubikey used in this manner replaces the Google Authenticator or text messages on a phone as the method for authentication with a second factor. Yubico has a nice summary, comparing security, usability and cost of the Yubikey with that offered by a phone. You want to look at the column labeled OTP (one time password) and Phone.
The one time password functionality is only one of the many functions offered by a YubiKey . For the geeks among us it offers to store a pgp private key, and it can act as a PIV-compliant smart card. If you are interested in that, there are various websites (e.g., here or here that have more details).
For the rest of us, there are two additional aspects of the YubiKey that I think are worth mentioning. The first one is its ability to store a static password. But to explain why this is useful let me to back up a little.
If you are reading this, you probably already use a password manager to store unique passwords for each Internet service you use, guaranteeing that each of those passwords is long and impossible to memorize. If not, you really should, and I recommend LastPass, as it supports the Yubikey. Whatever you use, one problem remains: how do you pick a password for the password manager itself? It is the one password that grants access to all other passwords, thus should be the most secure. Yet, it is also the one that you have to enter every single time to open the password vault, so preferably it should be something that is easy to remember. The Yubikey’s ability to store a static password can help.
When making use of that functionality the complete password should not be stored on the Yubikey. Otherwise the Yubikey would be the only thing someone needed to gain access to the password manager; the second factor would be gone. So, the basic idea is to split a long password into two parts. A first part that can be remembered, unknown to anyone else —maybe 6 to 8 characters long— and a second part that is longer and gibberish, stored in the Yubikey as a static password. Access to your password manager’s vault requires both pieces. This scheme makes it impossible for someone that got access to the encrypted vault to decrypt it with brute force, eliminating any worries when synchronizing the password vault through third party cloud services that run the risk of being compromised. Problem solved!
The Yubikey’s one time password generator is a big step forward in securing the authentication process. But one flaw remains, which it shares with almost all two-factor authentication methods: its vulnerability to phishing attacks.
A phishing attack requires a user to click on a malicious link, most likely sent to him via email. The email is constructed to lead the user to believe that the link will direct him to a service that he uses (gmail, dropbox etc.), when in fact he will be redirected to a website that looks identical to the site he expects to see, but is controlled by a malicious attacker. As soon as the user enters his credentials, then enters the one time password that was generated by the Yubikey, Google Authenticator or was sent to him as a text message, the attacker can turn around and quickly enter the collected information into the actual service login page, together with the one time password. Boom, account compromised.
To eliminate the problem U2F was developed. Without getting too technical, the basic idea is to include the site’s identity into the process. The site will hold the public key of a private/public key pair and a key handle that was generated just for that site by the Yubikey. Someone that puts up a phishing site won’t have the key handle, and thus cannot initiate the challenge/response process required for the Yubikey to engage. In other words, the Yubikey does not recognize the phishing site and will simply not respond. The attacker running the phishing site never gets the credentials needed to successfully authenticate as the legit user.
With U2F available, the only thing left is for the sites holding important information to stop giving out passwords to hackers. I’m looking at you, PayPal.
Good question. I mentioned my password manager of choice: LastPass. There are a few other password manager that accept a YubiKey as a second factor for authentication3. Next are some well known online services, with Google as arguable the best known. Google announced support of U2F in October 2014. Dropbox followed suit about a year later. Around the same time GitHub jumped on the U2F bandwagon as well.
The services listed are those with the biggest impact; not only are they well known, but also support U2F. There are many more that take advantage of the one time password capabilities of the Yubikey, listed on Yubico’s website.
As an aside, it is interesting to point out that a fingerprint is not something that is very useful as a second factor. If you were an unlucky participant in the data breach where hackers stole the fingerprints of 5.6 million people on file with the US government, your fingerprints are not yours alone anymore. At this point it is game over. You can’t revoke your old fingerprints and get a new set, as you can with devices made for two-factor authentication. Anyone relying on authentication based on your fingerprints —or any other biometrics, really— can never be sure it is really you authenticating. Biometrics are unique, but not a secret.
I do understand that most services allow to trust a device so that entering the second factor authentication code every time is not needed. However, that is not a solution for the non-geeks. It could lock them out of their account should a re-authentication become necessary. Simply because using these methods requires practice, and the practice is lost if devices are trusted. ↩
Each Yubikey emits different passwords; they are not interchangeable without first synchronizing them with the account. ↩
In my opinion, the benefit of a second factor authentication device is questionable for the file based password managers listed. Attacking those will be a brute force attack on the encrypted file, circumventing any second factor authentication. A second factor is useful when a user has to authenticate to a third party before he is granted access to a remote service or data set. ↩