I saw my friend Chris tweet this question yesterday and had to respond:
Yubikeys are awesome. Not supported everywhere. I use them where I can
— Fred Wilson (@fredwilson) January 15, 2018
Nick helped me get Yubikeys set up on all of the services I use that support them in the past few weeks. If I had a new year’s resolution, which I don’t, it would have been to start to use Yubikeys.
So what are Yubikeys?
They are a brand of “security keys” that are supported in the two factor authentication offerings at Google and many other Internet services.
They look like this:
The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.
If you lose your phone, you have a Yubikey to get you back into the service.
But I don’t only use Yubikeys as “backup codes”, which I also keep stored safely.
I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.
But whatever you do, don’t use SMS for two-factor codes.
I was hacked this summer and the attacker tried (unsuccessfully thankfully) to port my phone number.
My partner Albert recently experienced a similar attack. He wrote about it here.
So here is the best practice as I see it:
- Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
- Don’t use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
- Use Google Authenticator to deliver two-factor codes onto your phone.
- Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
- Print out the backup codes to the two-factor services and put them in a safe place.
Personal data security is a big deal. Trust me on this. Don’t let yourself get hacked to understand why.
And Yubikeys are a nice addition to the personal security mix. I like them a lot.
#confused.so yubikey can generate auth codes simultaneously with google auth? so it’s not an either/or situation? you can run both and just use whichever is easier at the time?[i didn’t know you could tap to auth, so i dig the time/friction saving aspect]re: backup codes, point is this doesn’t replace them, it’s just another alternative as you are running 2 authing devices so have built in failover, without having to resort to backup codes – am i right?if so, very helpful tool – they do a bad job of explaining their use-cases specifically for existing google auth users.
Did I do any better?
Truth be told I read your post a couple of times and had to cross reference on their site to fully understand how it interacts with Google auth and backups. Still not sure I do fully. But will get there.
Yubikey explains here: https://www.yubico.com/supp…Yubikey + Google does not increase the attack surface. One simply sets an app to use Google Auth as your second factor and Yubikey can auth through that. You could also use the Yubikey authenticator, where available (Amazon, Dropbox, etc.).After years working in security for government clients, who have had hardware keys since 9/11, I’m glad to see a consumer product gain traction. Any opinion of Duo? They have been on a tear.
Yikes, I’ve been working to get some of the older americans in my life onto a password manager, and actually using it — even with your explanation, this service would definitely be a bridge too far for them. (And I might guess, many other normals.)
I didn’t get how they work. Maybe some scenario examples?If someone tries to hack my phone, a Yubikey stops them by………?Or,A Yubikey works by requiring……..
One of my all-time favorites. “The Bobs”
tool of survival :)I added one of those dinky USB C keys to my armoury over Christmas. The only caveat is that apparently it’s not open source, unlike the earlier USB A form factor keys. Not sure why Yubi decided to go that way. The history of Crypto AG may point to one of several possible reasons (although I have no direct knowledge of any dark or covert influence), but from other historical and contemporary cases of backdooring it seems not unreasonable to scrutinise with a critical eye any digital security company’s products and services.
I have punted on the Yubikey bandwagon since it is not fully supported on iOS and I use my iPhone and iPad so much. That being said I’m a big fan of using 1Password for one-time passwords.
not using SMS is a tattoo.what about for example Gmail where Google offers alternative ways to sign in (alternatives to Yubi and GA when something goes wrong with those options), one of those alternatives is to receive a mobile phone call and get a one time code from a ‘voice’. that’s just as bad as SMS, right?Doesn’t it narrow down the list of suspects when a hacker first needs to know your (and Albert’s) mobile phone number. Perhaps it’s best to have a separate phone dedicated to signing in to these sort of accounts, a number never given out.I like the look of Copperhead OS, if it can get its act together in 2018.p.s. I just received an email from the chuckle factory. they’re having issues with a raw materials supplier. chuckles may be in short supply for a while. grin and bare/ bear (can’t remember which one) it for as long as possible.
The separate phone number seems to be key.
it does seem to isolate the essential piece of information required to switch a SIM, unless it’s an inside job at the mobile network.a dedicated SIM that is kept in a safe place (not in a phone) and used only when needed seems to be a solid strategy to avoid switch hacking.
Yep, see my post below.
Don’t like the idea of depending on a USB hw in the era of mobile…feels like being locked out
I am still amazed that my bank and brokerage do NOT have any kind of two factor authentication. Scary as heck. I am more protected on Twitter/Coinbase etc than I am with my actual cash
fiat as we know it is not the future 🙂
Then your banks are technically breaking the law. Two-factor authentication was required many years ago. https://www.schneier.com/bl…Like almost all banks, they probably just do a crappy job. (JPM is terrible).
Do your banks do it? Neither of mine do.
They offer it as an option. But it is very difficult to use.I’ll give you an example of just how crappy Chase security really is. For their online banking you cannot use special characters in the password (%$#, etc). This is the single most important control in cyber security and they do not support it on the public web site. Someone should be fired. I am always amazed.I am not 100% confident that coinbase has their stuff together either. But that is another story.
David,I have great respect for you and thoroughly enjoyed “Information Protection Made Easy.” Thanks for everything you do for the security community. Two short comments:NIST does not recommend increasing complexity via special characters anymore: https://pages.nist.gov/800-…Also, banks without 2FA are not technically “breaking the law.” The FFIEC issues guidance that is their best interpretation of the law. A violation of a regulation would be potentially illegal, subject to a court ruling. As far as I know, no court has yet ruled on this issue. Still, it is clearly a best practice.Warmly,Rob
Nicely done! Certainly not expecting this level of response.RE: NIST – That might be true, but not even allowing special characters does not seem like a reasonable control. As far as I am aware, this new development regarding “memorized secrets” has not trickled into the regulatory frameworks.Re: FFIEC – Again you are correct. I was trying to simplify. But point well taken. The whole level of indirection between GLBA and the various banking authorities is truly confusing. (At least to me!)
Thanks for the reply. You’re absolutely right on both counts, especially the amount of confusion and regulatory uncertainty in the market. If you’re in the New York area anytime, I would be grateful for the opportunity to get coffee. I’ll reach out to your work email.
Right on. Hopefully I will be there this Spring to help a large bank redo their stuff.
Both my CDN & US banks do it.
.Really? I am of the opinion this has been the law for 10 years. I may be wrong.Also, brokerage and bank accounts are insured. The tiniest bit of structuring can create a large umbrella of protection.JLMwww.ghemusingsofthebigredca… m
Two factor authentication linked to your mobile phone number is super problematic
Hmm. Coinbase uses SMS-based two factor authentication. And they are probably now the largest store of liquid digital currency in the world. Isn’t one of the other USV portfolio companies working on a cryto-based ID? To me that is a much more scale-able solution that physical tokens.
Yep, I have strong reason to believe that the AVC community is under attack as bitcoin holders. Do not use SMS as two factor Autehtication. My phone number was ported a few months ago. It took T-Mobile two weeks to get my number back. And it was ported to metroPcs (a T-Mobile company). The porting was done in another state with nothing more than than my T-Mobile acct number (possibly an inside job).It was a nightmare, T-Mobile at its highest level was unprepared. And in most cases, has the number been ported to a thief who challenged the port as legitimate, my only recourse would have been the courts.
That was my question. Were Fred and Albert specifically targeted? Or was it just random or due to their traveling abroad?
There is no question that the target of unauthorized porting is Banking and Bitcoin accounts.
targeted BECAUSE they were abroad. i think Fred was half way up a volcano at the time.
Interesting, but I was not traveling at the time.
do you blog?
No, other than avc’s and feld’s blog, I do not participate in online discussions.
You did a good job of explaining it. One issue that I have with yubikey is that when using the google authenticator app someone needs to break into your phone and run the app (and know your password and username etc). So there is a barrier to the authentication. And by the way the google app is much easier to use than authenticator. Plus you can run it on more than one phone. You can do that with authenticator but it requires a hack to synchronize the two devices.When using the ubikey they don’t. They just need the ubikey which is hanging off, say, your key chain. Further they can even see that you are using a ubikey. The ubikey looks like what it is. There should be an easy way to disguise it so it’s not so obvious and doesn’t scream ‘I use a yubikey’.So I agree with this:Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.However I don’t think the key should be anywhere (visible to third parties) but then again it needs to be handy when you are traveling etc. Yubi’s marketing which requires to much thought to determine exactly which key to buy. It fails the puny brain test. Easily.https://www.yubico.com/prod…The amazon store is a bit better since there aren’t as many things to think about:https://www.amazon.com/stor…
Thanks for the suggestion Fred, definitely going to check these out now that the majority of my net worth is made of magic internet money 🙂
If you request your service provider not port your number, and they acquiesce, isn’t that a good solution? Still beholden to your provider but this nips it at the source, assuming you have faith they can actually handle properly. Anyone experience probs after a “do not port” request?
It was because of a post a few years back that I made 1password the center of pieces of my online security.This just makes sense and will add this to the mix.
CONTRIBUTORS:It would be naive of anyone online who has a view not popular to think attempts and even outright hacks haven’t or will occur if you continue any online presence.We purchased a dedicated device just for the one social medium we visit (USV). We experienced a situation and just changed credentials on new device and threw the old device away. We could assume the source but who cares. We all have the ability to logoff permanently. This is a choice and not life or death at least for our group. (Should ask)We enjoy how James Bond conducted his banking. (Vespa)Captain Obvious!#UNEQUIVOCALLYUNAPOLOGETICALLYINDEPENDENT
Servicey! I’m embarrassed to say I’ve been using some combo of SMS and Authenticator, and now it’s blindingly obvious why the former would be problematic, so just ordered.
Love Yubikeys. Have you seen Krypton (krypt.co)? Startup out of MIT that built mobile software to securely hold SSH + PGP private keys. Not for authentication (yet), but I could see them expanding to that use case down the road.