Dec 5, 2017 | Paddy Steed
If you’re amassing a plethora of user accounts that require two-factor authentication (2FA), and let’s face it, you should be, then you’ll be pleased to learn how a USB Yubikey can spare you from typing in so many one-time passwords (OTPs).
This post is part of a series on using Yubikeys to secure development whilst pair-programming on shared machines.
Traditional OTPs protect against password reuse, weak passwords and credential leakage.
A user’s login procedure using a traditional OTP is usually something like this:
Enabling 2FA on your online accounts is a huge improvement on using static passwords alone. However, it makes the most common form of account compromise only marginally more difficult.
According to research by Google, phishing is by far the most common way for an online account to be compromised. Phishing attacks were responsible for John Podesta’s email getting hacked. They were responsible for Hillary Clinton’s campaign emails being hacked. Even if you are a Republican, you are still not safe: Sarah Palin’s email account was hacked via a phishing attack.
Despite what the victims will tell you, these attacks are not sophisticated and they don’t require “state sponsorship”. The industry-standard advice seems to be to train staff to recognise phishing attacks. This is expensive, and companies that do this still get phished.
If a user is tricked into entering their login details on a phishing site, OTP 2FA does no good: they have handed both their password and their OTP to the phishing site, which can forward them to the real site and impersonate the user. The only obstacle the OTP puts in the attacker’s way is a short window in which to forward those credentials before the OTP expires. In practice this is not an issue, as the easiest way to phish a site is to set up a reverse proxy in front of it, in which case the credentials are forwarded in real time.
The FIDO Universal 2nd Factor (U2F) standard simplifies 2FA using hardware devices that eliminate the possibility of phishing, with no user training required.
When using a certified U2F device, a user’s experience goes like this:
A lot happens when that device is pressed. The U2F device signs a message containing a random string from the server, the server’s address from the browser’s perspective, and some other things. The browser then forwards that signature to the server.
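The following model, added here and not part of the original post or of any FIDO implementation, shows why including the origin the browser sees in the signed message defeats the reverse-proxy attack described above. The origins `https://example.com` and `https://examp1e.com` are constructed for the scenario. One simplification is labelled in the code: a real U2F device derives an ECDSA P-256 key pair per origin and returns only the public key, whereas this model derives an HMAC key per origin that the relying party stores, so "signature" means HMAC-SHA256. The origin-binding property being demonstrated does not depend on which signature scheme is used.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the scenario (not from the original post).
REAL_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://examp1e.com"   # look-alike domain fronting a reverse proxy


class Authenticator:
    """Model of the U2F device: one master secret that never leaves the device,
    and a separate key derived for every origin (app ID) it is registered with.
    Simplification: a real device derives an ECDSA key pair and hands back the
    public key; here the derived key is an HMAC key the relying party stores."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0  # signature counter, incremented on every touch

    def _key_for(self, app_id: str) -> bytes:
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        return self._key_for(app_id)

    def sign(self, app_id: str, challenge: str) -> dict:
        """Called on touch: signs the server's challenge together with the origin
        the browser reports. The page's JavaScript cannot alter either value."""
        self.counter += 1
        client_data = json.dumps(
            {"challenge": challenge, "origin": app_id, "counter": self.counter},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self._key_for(app_id), client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class Browser:
    """Passes the origin it is actually connected to (the URL bar), never one
    supplied by the page."""

    def __init__(self, device: Authenticator):
        self.device = device

    def u2f_sign(self, current_origin: str, challenge: str) -> dict:
        return self.device.sign(current_origin, challenge)


class RelyingParty:
    """The real site: stores each user's key and the last counter it has seen."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}

    def register(self, username: str, key: bytes) -> None:
        self.users[username] = {"key": key, "counter": 0}

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def verify(self, username: str, challenge: str, assertion: dict) -> bool:
        record = self.users[username]
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin:
            return False  # signed for a different site: phishing origin
        if data["challenge"] != challenge:
            return False  # not the challenge we issued: stale or replayed
        if data["counter"] <= record["counter"]:
            return False  # counter did not advance: replay or cloned device
        expected = hmac.new(record["key"], assertion["client_data"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        record["counter"] = data["counter"]
        return True


def setup():
    device = Authenticator()
    rp = RelyingParty(REAL_ORIGIN)
    rp.register("alice", device.register(REAL_ORIGIN))
    return device, Browser(device), rp


def genuine_login() -> bool:
    """User is on the real site; the browser reports REAL_ORIGIN."""
    _, browser, rp = setup()
    challenge = rp.new_challenge()
    return rp.verify("alice", challenge, browser.u2f_sign(REAL_ORIGIN, challenge))


def phished_login() -> bool:
    """User is on the look-alike site, which relays the real site's challenge
    and forwards the response in real time. The browser still reports
    PHISH_ORIGIN, so the real site rejects the assertion."""
    _, browser, rp = setup()
    challenge = rp.new_challenge()                          # relayed from the real site
    forwarded = browser.u2f_sign(PHISH_ORIGIN, challenge)   # touch on the phishing page
    return rp.verify("alice", challenge, forwarded)


def replayed_login() -> bool:
    """A captured assertion presented a second time fails on the counter check."""
    _, browser, rp = setup()
    challenge = rp.new_challenge()
    assertion = browser.u2f_sign(REAL_ORIGIN, challenge)
    first = rp.verify("alice", challenge, assertion)
    second = rp.verify("alice", challenge, assertion)
    return first and not second


if __name__ == "__main__":
    print("genuine:", genuine_login())          # True
    print("phished:", phished_login())          # False
    print("replay rejected:", replayed_login())  # True
```

Two things make `phished_login` fail, and both come from the browser rather than the user: the signed client data names the look-alike origin, which the relying party rejects outright, and even without that check the device would have used the key derived for the look-alike origin, so the signature would not verify against the key registered for the real one. The user cannot be talked into undoing either, which is the "no training required" property the post describes.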
Your Yubikey is also a U2F device. An increasing number of sites support U2F. This is the most user-friendly way to use a Yubikey as your 2FA device. The latest versions of Chrome, Opera and Firefox support U2F. However, in Firefox it is not enabled by default, and you must enable the following options in the about:config page:
Setting up GitHub to recognise your Yubikey is really simple:
Thankfully, you can use the Yubico Authenticator app to generate TOTP tokens from the secrets on your Yubikey. You can store up to 32 different TOTP accounts on your Yubikey. Nothing is stored on the computer you use. You can insert your Yubikey into any machine with the Yubico Authenticator installed, and all your TOTP tokens will be available.
Google performed a two-year study on U2F devices, which are widely deployed within Google. They found that, compared with an app-based OTP like Google Authenticator, users authenticated faster using a U2F device. U2F devices were inherently less susceptible to MitM attacks, and users raised support tickets for authentication problems far less frequently.
An increasing number of sites support U2F. It is more secure, and users are able to authenticate faster compared with any other 2FA method.
| Attack | Google Authenticator | Hardware OTP Generator | U2F |
|---|---|---|---|