Yubikeys

I saw my friend Chris tweet this question yesterday and had to respond:

Nick helped me get Yubikeys set up on all of the services I use that support them in the past few weeks. If I had a new year’s resolution, which I don’t, it would have been to start to use Yubikeys.

So what are Yubikeys?

They are a brand of “security keys” that are supported in the two factor authentication offerings at Google and many other Internet services.

They look like this:

You can buy Yubikeys here.

The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.

If you lose your phone, you have a Yubikey to get you back into the service.

But I don’t only use Yubikeys as “backup codes”, which I also keep stored safely.

I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.

But whatever you do, don’t use SMS for two-factor codes.

I was hacked this summer and the attacker tried (unsuccessfully thankfully) to port my phone number.

My partner Albert recently experienced a similar attack. He wrote about it here.

So here is the best practice as I see it:

  1. Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
  2. Don’t use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
  3. Use Google Authenticator to deliver two-factor codes onto your phone.
  4. Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
  5. Print out the backup codes to the two-factor services and put them in a safe place.

Personal data security is a big deal. Trust me on this. Don’t let yourself get hacked to understand why.

And Yubikeys are a nice addition to the personal security mix. I like them a lot.

#personal security

Comments (Archived):

  1. LIAD

    #confused.so yubikey can generate auth codes simultaneously with google auth? so it’s not an either/or situation? you can run both and just use whichever is easier at the time?[i didn’t know you could tap to auth, so i dig the time/friction saving aspect]re: backup codes, point is this doesn’t replace them, it’s just another alternative as you are running 2 authing devices so have built in failover, without having to resort to backup codes – am i right?if so, very helpful tool – they do a bad job of explaining their use-cases specifically for existing google auth users.

    1. fredwilson

      Did I do any better?

      1. LIAD

        Truth be told I read your post a couple of times and had to cross reference on their site to fully understand how it interacts with Google auth and backups. Still not sure I do fully. But will get there.

        1. Rob Terrin

          Yubikey explains here: https://www.yubico.com/supp…Yubikey + Google does not increase the attack surface. One simply sets an app to use Google Auth as your second factor and Yubikey can auth through that. You could also use the Yubikey authenticator, where available (Amazon, Dropbox, etc.).After years working in security for government clients, who have had hardware keys since 9/11, I’m glad to see a consumer product gain traction. Any opinion of Duo? They have been on a tear.

      2. Anne Libby

        Yikes, I’ve been working to get some of the older americans in my life onto a password manager, and actually using it — even with your explanation, this service would definitely be a bridge too far for them. (And I might guess, many other normals.)

      3. JamesHRH

        I didn’t get how they work. Maybe some scenario examples?If someone tries to hack my phone, a Yubikey stops them by………?Or,A Yubikey works by requiring……..

      1. DJL

        One of my all-time favorites. “The Bobs”

  2. jason wright

    tool of survival :)I added one of those dinky USB C keys to my armoury over Christmas. The only caveat is that apparently it’s not open source, unlike the earlier USB A form factor keys. Not sure why Yubi decided to go that way. The history of Crypto AG may point to one of several possible reasons (although I have no direct knowledge of any dark or covert influence), but from other historical and contemporary cases of backdooring it seems not unreasonable to scrutinise with a critical eye any digital security company’s products and services.

  3. Matt Zagaja

    I have punted on the Yubikey bandwagon since it is not fully supported on iOS and I use my iPhone and iPad so much. That being said I’m a big fan of using 1Password for one-time passwords.

  4. jason wright

    not using SMS is a tattoo.what about for example Gmail where Google offers alternative ways to sign in (alternatives to Yubi and GA when something goes wrong with those options), one of those alternatives is to receive a mobile phone call and get a one time code from a ‘voice’. that’s just as bad as SMS, right?Doesn’t it narrow down the list of suspects when a hacker first needs to know your (and Albert’s) mobile phone number. Perhaps it’s best to have a separate phone dedicated to signing in to these sort of accounts, a number never given out.I like the look of Copperhead OS, if it can get its act together in 2018.p.s. I just received an email from the chuckle factory. they’re having issues with a raw materials supplier. chuckles may be in short supply for a while. grin and bare/ bear (can’t remember which one) it for as long as possible.

    1. Anne Libby

      The separate phone number seems to be key.

      1. jason wright

        it does seem to isolate the essential piece of information required to switch a SIM, unless it’s an inside job at the mobile network.a dedicated SIM that is kept in a safe place (not in a phone) and used only when needed seems to be a solid strategy to avoid switch hacking.

      2. Richard

        Yep, see my post below.

  5. OurielOhayon

    Don’t like the idea of depending on a USB hw in the era of mobile…feels like being locked out

  6. Alan Warms

    I am still amazed that my bank and brokerage do NOT have any kind of two factor authentication. Scary as heck. I am more protected on Twitter/Coinbase etc than I am with my actual cash

    1. jason wright

      fiat as we know it is not the future 🙂

    2. DJL

      Then your banks are technically breaking the law. Two-factor authentication was required many years ago. https://www.schneier.com/bl…Like almost all banks, they probably just do a crappy job. (JPM is terrible).

      1. Alan Warms

        Do your banks do it? Neither of mine do.

        1. DJL

          They offer it as an option. But it is very difficult to use.I’ll give you an example of just how crappy Chase security really is. For their online banking you cannot use special characters in the password (%$#, etc). This is the single most important control in cyber security and they do not support it on the public web site. Someone should be fired. I am always amazed.I am not 100% confident that coinbase has their stuff together either. But that is another story.

          1. Rob Terrin

            David,I have great respect for you and thoroughly enjoyed “Information Protection Made Easy.” Thanks for everything you do for the security community. Two short comments:NIST does not recommend increasing complexity via special characters anymore: https://pages.nist.gov/800-…Also, banks without 2FA are not technically “breaking the law.” The FFIEC issues guidance that is their best interpretation of the law. A violation of a regulation would be potentially illegal, subject to a court ruling. As far as I know, no court has yet ruled on this issue. Still, it is clearly a best practice.Warmly,Rob

          2. DJL

            Nicely done! Certainly not expecting this level of response.RE: NIST – That might be true, but not even allowing special characters does not seem like a reasonable control. As far as I am aware, this new development regarding “memorized secrets” has not trickled into the regulatory frameworks.Re: FFIEC – Again you are correct. I was trying to simplify. But point well taken. The whole level of indirection between GLBA and the various banking authorities is truly confusing. (At least to me!)

          3. Rob Terrin

            Thanks for the reply. You’re absolutely right on both counts, especially the amount of confusion and regulatory uncertainty in the market. If you’re in the New York area anytime, I would be grateful for the opportunity to get coffee. I’ll reach out to your work email.

          4. DJL

            Right on. Hopefully I will be there this Spring to help a large bank redo their stuff.

        2. JamesHRH

          Both my CDN & US banks do it.

    3. sigmaalgebra

      I use Key Bank. They DO have two factor authentication, they insist that it be used occasionally, it’s easy to use, and I use it.Key Bank has a very active and energetic team working and working, redesigning their Web pages all the time. They seem to have some graphic artists and some touchy-feely artsy types eager for some elusive emotional “user experience”. For me, their efforts mean that each time I connect once again I have to click and click and click to discover again how to do the basic operations While I do this, they show lots of really pretty pictures of families, houses, vacations, new cars, etc. Some of what a user has to do is really obscure: So, on a screen, often it’s not clear what to do to execute the next operation, and often the answer is to click on something on the screen that is tough to guess would be a link. E.g., maybe to check on the recent transactions on an account, get the account balance to show and then click on the number shown or some such. Whatever the answer is, they keep changing it. For a while, their JavaScript code detected if a user typed in their password or just did a paste in from the system clipboard operation. They rejected the paste in operation. Bummer — my password is long and obscure, and trying to type the thing into their one line password text box where I can’t see what I’ve actually typed risks mistyping the password too many times and getting blocked out of my account — BUMMER! Well, soon they fixed that mistake and went back to accepting passwords entered with a paste operation.But, they do try hard. And they do have two factor authentication and do well with it.Heck, if I log into Amazon from a different computer or IP address, then they send me an e-mail with a code I copy, paste, and send back to them to confirm It’s still me. Since my computer failure and new computer last week, I need to finish getting Microsoft Office and Outlook configured so that I can shop at Amazon again!Maybe some of the big, famous NYC banks are easier to work with if you have a balance over $100 million!!!!! But, gee, doesn’t everyone????? Gee, I never had any trouble working with JPM!!!!

    4. JLM

      .Really? I am of the opinion this has been the law for 10 years. I may be wrong.Also, brokerage and bank accounts are insured. The tiniest bit of structuring can create a large umbrella of protection.JLMwww.ghemusingsofthebigredca… m

      1. Richard

        Two factor authentication linked to your mobile phone number is super problematic

  7. DJL

    Hmm. Coinbase uses SMS-based two factor authentication. And they are probably now the largest store of liquid digital currency in the world. Isn’t one of the other USV portfolio companies working on a cryto-based ID? To me that is a much more scale-able solution that physical tokens.

  8. Richard

    Yep, I have strong reason to believe that the AVC community is under attack as bitcoin holders. Do not use SMS as two factor Autehtication. My phone number was ported a few months ago. It took T-Mobile two weeks to get my number back. And it was ported to metroPcs (a T-Mobile company). The porting was done in another state with nothing more than than my T-Mobile acct number (possibly an inside job).It was a nightmare, T-Mobile at its highest level was unprepared. And in most cases, has the number been ported to a thief who challenged the port as legitimate, my only recourse would have been the courts.

    1. jimmydddd

      That was my question. Were Fred and Albert specifically targeted? Or was it just random or due to their traveling abroad?

      1. Richard

        There is no question that the target of unauthorized porting is Banking and Bitcoin accounts.

      2. jason wright

        targeted BECAUSE they were abroad. i think Fred was half way up a volcano at the time.

        1. Richard

          Interesting, but I was not traveling at the time.

          1. jason wright

            do you blog?

          2. Richard

            No, other than avc’s and feld’s blog, I do not participate in online discussions.

  9. LE

    You did a good job of explaining it. [1]One issue that I have with yubikey is that when using the google authenticator app someone needs to break into your phone and run the app (and know your password and username etc). So there is a barrier to the authentication. And by the way the google app is much easier to use than authenticator. Plus you can run it on more than one phone. You can do that with authenticator but it requires a hack to synchronize the two devices.When using the ubikey they don’t. They just need the ubikey which is hanging off, say, your key chain. Further they can even see that you are using a ubikey. The ubikey looks like what it is. There should be an easy way to disguise it so it’s not so obvious and doesn’t scream ‘I use a yubikey’.So I agree with this:Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.However I don’t think the key should be anywhere (visible to third parties) but then again it needs to be handy when you are traveling etc.[1] Yubi’s marketing which requires to much thought to determine exactly which key to buy. It fails the puny brain test. Easily.https://www.yubico.com/prod…The amazon store is a bit better since there aren’t as many things to think about:https://www.amazon.com/stor

  10. mplsvbhvr

    Thanks for the suggestion Fred, definitely going to check these out now that the majority of my net worth is made of magic internet money 🙂

  11. Salt Shaker

    If you request your service provider not port your number, and they acquiesce, isn’t that a good solution? Still beholden to your provider but this nips it at the source, assuming you have faith they can actually handle properly. Anyone experience probs after a “do not port” request?

  12. awaldstein

    It was because of a post a few years back that I made 1password the center of pieces of my online security.This just makes sense and will add this to the mix.

  13. creative group

    CONTRIBUTORS:It would be naive of anyone online who has a view not popular to think attempts and even outright hacks haven’t or will occur if you continue any online presence.We purchased a dedicated device just for the one social medium we visit (USV). We experienced a situation and just changed credentials on new device and threw the old device away. We could assume the source but who cares. We all have the ability to logoff permanently. This is a choice and not life or death at least for our group. (Should ask)We enjoy how James Bond conducted his banking. (Vespa)Captain Obvious!#UNEQUIVOCALLYUNAPOLOGETICALLYINDEPENDENT

  14. Elizabeth Spiers

    Servicey! I’m embarrassed to say I’ve been using some combo of SMS and Authenticator, and now it’s blindingly obvious why the former would be problematic, so just ordered.

  15. sfsf

    sfsf

  16. MorganPolotan

    Love Yubikeys. Have you seen Krypton (krypt.co)? Startup out of MIT that built mobile software to securely hold SSH + PGP private keys. Not for authentication (yet), but I could see them expanding to that use case down the road.