YubiKey

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
Two articles today in the WSJ about security breaches from a stolen iPhone have me thinking more broadly about what steps are reasonable, for me, in protecting "my stuff." I'm looking into the YubiKey and want to know if anyone here has gone down this rabbit hole. I see the upside, but I'm needing some help thinking through the practical hassles.
 

fmyth

WKR
Joined
Mar 14, 2019
Messages
1,634
Location
Arizona
I use a YubiKey as security to access my crypto exchange account. If you go the YubiKey route just buy 2 upfront, register them both and put one in the safe.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
I use a YubiKey as security to access my crypto exchange account. If you go the YubiKey route just buy 2 upfront, register them both and put one in the safe.
Thanks. I would get quite a few.

Can you select which accounts and apps require the use of the key? I am wondering how much of a pain it is for using it on gmail, all financial apps, anything that accesses personal info, etc.
 

fmyth

WKR
Joined
Mar 14, 2019
Messages
1,634
Location
Arizona
Thanks. I would get quite a few.

Can you select which accounts and apps require the use of the key? I am wondering how much of a pain it is for using it on gmail, all financial apps, anything that accesses personal info, etc.
I am only using it with my crypto exchange. Pretty sure you can register a key with multiple websites/accounts. Planning to use it for my bank accounts etc. I'm not sure if all of those websites you mentioned will be set up for using a key.
 

wingmaster

Lil-Rokslider
Joined
Mar 16, 2021
Messages
240
Location
California
I read that article in the paper this morning and already thought about how to minimize attack vectors. A YubiKey wouldn't have prevented access to the phone itself because the attackers in that article simply used a passcode to gain entry to their phone. It went on to say that the attacker's activity on the victim's account sometimes required two-factor authentication via SMS, which is a complete joke since the attacker was holding their phone in the first place. Even a 2FA authentication app wouldn't have protected the victim since the attacker has the phone, and thus has access to the authentication app to generate 2FA codes.

A YubiKey has many built-in features, but one of the most useful IMO is the ability to hold many of those 2FA tokens, up to 24 I believe. If the attacker swiped your phone and was later forced to enter a 2FA code, they can't. The YubiKey has the two-factor codes, not your phone. Only by connecting your YubiKey to your phone can you generate those codes. This is one actionable solution to what I read in that article. Unfortunately, a lot of financial institutions insist on crappy SMS for 2FA, which is unconscionable.

If I had a smartphone (I don't for personal reasons), I'd use Yubico Authenticator for 2FA, and I'd ensure my password manager was also secured with a hardware token like the YubiKey. Since that article talked about the loss of treasured photos as well, I'd have my data automatically backed up to a private cloud. This is another rabbit hole, but there are stories of people who back up their data to Google Cloud who lose access to their data because Google has a very stringent process for unlocking your data if they think something you have violates their policies, so I self-host my own cloud. I realize this is beyond what normal people do, but the normal person's security setup is also so insecure it's scary.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
Thanks @wingmaster and @fmyth. A few thoughts:
  1. I'm strongly leaning towards removing all of the financial apps from my phone, as at least a couple do not have 2FA apart from SMS. I will give it another week to see how much my use of those apps is need vs. convenience. But, those accounts are in my PWM, so I've decided I need a key.
  2. I'm still struggling to figure out how to guard against a change to the iPhone PW and follow-on change of the AppleID, as I'm not sure if that can be prevented with the YubiKey and if the Screen Time passcode recommendation is sufficient.
  3. Great point about data backup. I have pictures on iCloud and Google, but the redundancy isn't perfect. I also backup to a Time Machine, but realize that isn't perfect either. I think Nord offers cloud storage, but welcome any info on your private cloud option (even though that might be overkill for me).
  4. If I die, or I'm incapacitated, I think the backup YubiKey will make it easier for my family to access those accounts that have 2FA.
I'm pretty much set on getting ~3 of the YubiKeys, but a few things (so far) about the YubiKey are still unclear to me.
  • I am finding mixed info on whether YubiKey works with NordPass.
  • If I use the key to also lock down my Gmail and Google, am I going to need to use the YubiKey each time I check email on my phone (and if so, maybe that draws attention)?
  • One of the WSJ comments mentioned duress, which opens up a new rabbit hole. If one has to give up a key, does having a PIN on the key mitigate that risk? I also would like PWMs and or YubiKey to have duress codes that cause at least some info to be wiped or inaccessible.
  • I can't quite understand the YubiKeys (like the Nano) that are designed to be left in a device. Doesn't that defeat the purpose?
 

fmyth

WKR
Joined
Mar 14, 2019
Messages
1,634
Location
Arizona
When I login to my crypto exchange account to buy or sell crypto it asks for my login and password. If those are entered correctly it then asks me to plug in my key and "tap" it for authentication. As soon as I am logged in I disconnect the key. If I try to buy/sell or send crypto I have to insert the key and tap it again to complete the transaction. I have 2 Yubikey 5's that I keep locked up and 1 Yubikey 5C on my keychain. All 3 have been registered with my crypto exchange account. The 5C on my key chain has a USB to USBC adapter on it that allows me to use it on my computer and or Android phone. If someone obtains my key they would still need to know what account I use it for and my login and password (unique to this account). If my key were to go missing I would use one of my others to login, disable the missing key and change my password. If I did not have access to one of my other keys I would contact the exchange and have my account locked. This would secure my account but make it a real pain for me to prove my identity to regain access to my account and requires multiple steps and proof of ID.
 


wingmaster

Lil-Rokslider
Joined
Mar 16, 2021
Messages
240
Location
California
Thanks @wingmaster and @fmyth. A few thoughts:
  1. I'm strongly leaning towards removing all of the financial apps from my phone, as at least a couple do not have 2FA apart from SMS. I will give it another week to see how much my use of those apps is need vs. convenience. But, those accounts are in my PWM, so I've decided I need a key.
  2. I'm still struggling to figure out how to guard against a change to the iPhone PW and follow-on change of the AppleID, as I'm not sure if that can be prevented with the YubiKey and if the Screen Time passcode recommendation is sufficient.
  3. Great point about data backup. I have pictures on iCloud and Google, but the redundancy isn't perfect. I also backup to a Time Machine, but realize that isn't perfect either. I think Nord offers cloud storage, but welcome any info on your private cloud option (even though that might be overkill for me).
  4. If I die, or I'm incapacitated, I think the backup YubiKey will make it easier for my family to access those
1 - I would probably do the same, I just asked my wife how often she uses the financial app to manage her IRA, and she couldn't remember. There's no point in letting a sensitive financial app into your inner circle that's used infrequently. I was also shocked that Apple let users access their PWM using just a passcode, that's a ridiculously lax standard for what is supposed to be your most valuable digital asset.
2 - I doubt the YubiKey can secure the actual step where the PW is changed, usually the YubiKey is used as 2FA during the login process. iCloud is listed in the YubiKey Catalog, but I'm not sure how Apple implements it.
3 - My private cloud option is self-hosting Nextcloud on a server in my house. The reason I go to this length is because I don't want any third-party verifying that my personal content meets their subjective policies. I'm sure there are other friendlier cloud options that don't require self-hosting, but I would never trust a cagey company like Google with my digital life considering their track record.
4 - My wife carries her own YubiKey, which is a backup for my accounts, and vice versa. I was able to get her onboard when she found out she can log in without taking out her phone and typing in a code, lol

I'm pretty much set on getting ~3 of the YubiKeys, but a few things (so far) about the YubiKey are still unclear to me.
  • I am finding mixed info on whether YubiKey works with NordPass.
  • If I use the key to also lock down my Gmail and Google, am I going to need to use the YubiKey each time I check email on my phone (and if so, maybe that draws attention)?
  • One of the WSJ comments mentioned duress, which opens up a new rabbit hole. If one has to give up a key, does having a PIN on the key mitigate that risk? I also would like PWMs and or YubiKey to have duress codes that cause at least some info to be wiped or inaccessible.
  • I can't quite understand the YubiKeys (like the Nano) that are designed to be left in a device. Doesn't that defeat the purpose?
1 - It looks like it does based on this article. It appears to support Universal 2nd Factor (U2F), where compatible websites simply ask you to touch your security key, and you're in.
2 - It never works this way on my tablet, you're only prompted for the key during the login process. If it's the type of account that stays logged in such as email, it's not going to prompt you every time. My email app on my tablet hasn't prompted me for many months (maybe a weak link that I should look into?)
3 - I've used another key before called OnlyKey that had a duress feature, but I just never found it to be in my threat scenario.
4 - I leave a Nano in my home computer because of its convenience, but would never leave it attached to a mobile device that I take around with me. If someone were to gain access to my computer for some reason, they'd still be unable to gain access to my PWM due to the complex master password I have, which happens to be the only password I need to remember. If they get access to my computer, my master password, and my YubiKey, then I'm compromised!!
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
Thanks so much for the dialogue. It helps to bounce some of my ignorant questions off of someone with knowledge, and patience. I did order 3 of the YubiKeys today, and 3 not only satisfies my paranoia about a backup to a backup, but I have an iPhone 11 (needs Lightning), a 2017 MacBook (USB-A) and a 2020 MacBook (USB-C) - smh.

1 - I would probably do the same, I just asked my wife how often she uses the financial app to manage her IRA, and she couldn't remember. There's no point in letting a sensitive financial app into your inner circle that's used infrequently. I was also shocked that Apple let users access their PWM using just a passcode, that's a ridiculously lax standard for what is supposed to be your most valuable digital asset.
I think it's an easy step to delete the deposit and investment accounts, but I might leave the credit cards - but I also don't use them frequently. Yes, I manually made sure that all sensitive PWs were deleted from the Apple Keychain, and I'd love to figure out a way to mass delete almost all of the rest of them.
2 - I doubt the YubiKey can secure the actual step where the PW is changed, usually the YubiKey is used as 2FA during the login process. iCloud is listed in the YubiKey Catalog, but I'm not sure how Apple implements it.
I figured as much. I did implement the Screen Time Passcode approach recommended in the article, but it seems a bit of a hokey workaround to such a glaring opening in the iOS system, so I'm not confident it works. But after I get my keys, I will see if the iCloud can be protected.
3 - My private cloud option is self-hosting Nextcloud on a server in my house. The reason I go to this length is because I don't want any third-party verifying that my personal content meets their subjective policies. I'm sure there are other friendlier cloud options that don't require self-hosting, but I would never trust a cagey company like Google with my digital life considering their track record.
Gotcha. I may save that rabbit hole for another weekend!
4 - My wife carries her own YubiKey, which is a backup for my accounts, and vice versa. I was able to get her onboard when she found out she can log in without taking out her phone and typing in a code, lol
Good plan. At this point I'm still trying to get the rest of the family to not think I'm crazy and to be on board with at least some of my precautions. For better or worse, however, they don't have the same access and exposure/risks.
1 - It looks like it does based on this article. It appears to support Universal 2nd Factor (U2F), where compatible websites simply ask you to touch your security key, and you're in.
I had seen that but was confused that the NordPass app isn't listed in the YubiKey database, and some older posts online suggested that because the YubiKey didn't have a battery, you had to also use your phone. Maybe those are now out of date.
2 - It never works this way on my tablet, you're only prompted for the key during the login process. If it's the type of account that stays logged in such as email, it's not going to prompt you every time. My email app on my tablet hasn't prompted me for many months (maybe a weak link that I should look into?)
That's what I was thinking - login once and you are good to go. But if so, then if I've checked email and then lose or have my phone stolen, what good is the key? I will see if there is a way to setup Gmail (as an example) to automatically logout if the phone is put to sleep.
3 - I've used another key before called OnlyKey that had a duress feature, but I just never found it to be in my threat scenario.
Yeah, I'm probably over-thinking things.
4 - I leave a Nano in my home computer because of its convenience, but would never leave it attached to a mobile device that I take around with me. If someone were to gain access to my computer for some reason, they'd still be unable to gain access to my PWM due to the complex master password I have, which happens to be the only password I need to remember. If they get access to my computer, my master password, and my YubiKey, then I'm compromised!!
Maybe another example of thinking too much, as I was worried about someone breaking in and stealing my computer. The Nano probably does make sense absent that scenario - as long as I confirm that my PWM isn't left logged in when I leave my home computer.
 

Beendare

WKR
Joined
May 6, 2014
Messages
8,517
Location
Corripe cervisiam
FWIW, my son is a computer security expert for a large company.

He recommended I use 1Password. My ace IT guy in my one business says Apple's security is good. Key is no passwords in Notes.

With 1pass you just have one password to remember and it stores the rest…and he likes using a long saying or song riff you can easily remember;

Daddysdontletyoursonsgrowuptobecowboys27

Turns out a password like that is uncrackable.

That one's mine…so don't use it….grin
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
FWIW, my son is a computer security expert for a large company.

He recommended I use 1Password. My ace IT guy in my one business says Apple's security is good. Key is no passwords in Notes.

With 1pass you just have one password to remember and it stores the rest…and he likes using a long saying or song riff you can easily remember;

Daddysdontletyoursonsgrowuptobecowboys27

Turns out a password like that is uncrackable.

That one's mine…so don't use it….grin
If you have an iPhone, this is worth a read:
 

wingmaster

Lil-Rokslider
Joined
Mar 16, 2021
Messages
240
Location
California
Thanks so much for the dialogue. It helps to bounce some of my ignorant questions off of someone with knowledge, and patience. I did order 3 of the YubiKeys today, and 3 not only satisfies my paranoia about a backup to a backup, but I have an iPhone 11 (needs Lightning), a 2017 MacBook (USB-A) and a 2020 MacBook (USB-C) - smh.

I had seen that but was confused that the NordPass app isn't listed in the YubiKey database, and some older posts online suggested that because the YubiKey didn't have a battery, you had to also use your phone. Maybe those are now out of date.

That's what I was thinking - login once and you are good to go. But if so, then if I've checked email and then lose or have my phone stolen, what good is the key? I will see if there is a way to setup Gmail (as an example) to automatically logout if the phone is put to sleep.

Maybe another example of thinking too much, as I was worried about someone breaking in and stealing my computer. The Nano probably does make sense absent that scenario - as long as I confirm that my PWM isn't left logged in when I leave my home computer.
No problem, I'm always looking for ways to improve my security setup. I personally have a YubiKey 5 Nano in my computer, a YubiKey 5C on my keychain, a YubiKey 5 NFC on my wife's keychain, and an old key stored off-site. A normal person probably is fine with 2, but experimenting with privacy and security is a hobby.

I think the confusion about NordPass compatibility is the difference between Time-Based One-Time Password (TOTP) and U2F. TOTP is where you generate a code based on two pieces of information: a time, and a secret. YubiKeys can store the key, but they have no way of telling the time without being synced to a device. TOTP is pretty common, and it looks like NordPass supported it and probably still does. But since they now support U2F, that is the more convenient and superior option for people with a security key. It might be the case where U2F is supported on their website but not on their mobile app, but in either case the YubiKey supports both.

Your thought on the mobile device staying logged in is a good one, and I think the ideal situation is to have the account log out after a certain period of time. That's what my PWM does, and extending that timeout to every app is smart. Thanks for the idea.

If you want to experiment with advanced capabilities, there are two slots on the YubiKey where you can store extra functionality. I assigned one slot a static password where it outputs a 40-character sequence; you can be creative about how you use it. I put Challenge-Response on the second slot, which I needed to be compatible with my PWM.

Oh and my wife has no clue how any of this stuff works, so I typed out instructions and left them where she can find them in case I meet a grizzly in the backcountry.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,145
Update on my YubiKey saga:
  • It's shocking how few financial firms permit the use of the YubiKey
  • Of the companies that allow a physical key, some still require the SMS or app authenticators - which are at risk
  • There are some issues with my current password manager (NordPass)
    • You can only register one key - no backups permitted. If you lose that key, you contact them to reset the MFA feature (!)
    • The MFA function is not at the password manager level, but is instead at the Nord Account level. This arguably gives more protection in that a hacker has to get into the Nord Account (with the MFA option), then into the PWM. BUT, my point to them was that when I log out of the PWM, there is no ask to authenticate as long as that device had previously logged into the general account.
  • I'm looking to "sand box" some of my more sensitive accounts and use only an offline password manager - ideally one that also has YubiKey security

I definitely have issues -
 