Using a Yubikey as a touchless, magic unlock key for Linux (kliu.io)
165 points by Pneumaticat on Aug 17, 2020 | 70 comments


A permanently attached Yubikey is not worse than a password alone, and is still superior to SMS 2FA. It still requires that an attacker know both your password and have physical possession of your machine. For the vast majority of users, this is sufficient protection from the threats that they face. The chance that someone both knows your password and is close enough to steal your yubikey is incredibly unlikely.

If you’re the kind of person liable to get personally targeted for nation state level attacks, then you definitely are going to want to unplug your yubikey and keep it on your person. For the rest of us, a hardware 2FA token is enough to protect against a sim swap attack, which is probably enough.


> liable to get personally targeted for nation state level attacks

Groups also potentially at risk:

* Targets for industrial espionage (you might not be interesting but your employer is)

* Those believed to hold larger amounts of cryptocurrency


Yeah, I have had this setup for quite a few years now, and occasionally I question whether this practice makes sense.

What does make it incredibly dangerous is that it also applies to e.g. “sudo”: if you don’t have any additional protection, it effectively means that any exploit in any app can be immediately extended to a local privilege escalation, as there is no additional protection in place.

In other words, be careful what you wish for. :)


> If you’re the kind of person liable to get personally targeted for nation state level attacks, then you definitely are going to want to unplug your yubikey and keep it on your person.

Maybe yes, maybe no. Do you have a backup YubiKey? If so, then you need to keep it in a separate location (i.e. don't defend against losing your keys by putting both your primary and your backup on the same physical keychain). Are you putting it in a safe? What safe can you buy that is sufficient protection against nation-state level attacks? How often do you check your safe to make sure that your backup hasn't been stolen? What process do you have in place to revoke and replace your backup YubiKey in case you do discover that the backup has been stolen (do you have a list of every website at which you ever enrolled the backup, and how do you safeguard the list)?

IMO unless you are very seriously paranoid, you buy a "nano" in-slot YubiKey if your usage pattern targets a single machine, and a keychain YubiKey (with NFC) if you need portability between, say, your work laptop, your home desktop, and your phone. It's not a question of security but of your usage pattern.


I don't get why it's better than password and 2FA? Leaving the Yubikey unattended, it will only require the attacker to know the password (PIN).


> Yubikeys are great for security, but not when you leave them in your computer unattended. At that point, anyone can take the key and use it for 2-factor authentication/SSH/GPG signing, so it’s not much better than just using a normal password.

Even after the edit at the top regarding PIN it still seems to not get the main point of a U2F token: It's physical. It's incredibly hard to extract secrets from it. It's local to where it physically is.

If I have a password then there are probably a couple of services and people that could reasonably get to it either by hacking the service the password unlocks (in storage if it's a really insecure service or in transit the next time I log on), or can extract it from my password manager/memory/browser or whatever.

The point of a U2F token for me is to change the number of people who can reasonably authenticate as me from "everyone who has my password" to "everyone who has a physical key I keep within a reasonable distance from me that is incredibly hard to copy and has my password". U2F also validates auth origins quite a lot better than many other methods, although I guess that is not relevant to this argument.

A hardware U2F token is not the end-all be-all security, but it reduces potential attackers a lot.


In this context it's probably better to think about them as FIDO/CTAP tokens rather than as U2F (which is obsoleted by WebAuthn and focused on the Web) or, as the author does, just narrow it explicitly to Yubikeys and not the wider menagerie of similar products. Yubico's own Security Key implements FIDO2 (and so could also be used for U2F) but won't work for the author's approach.

Anyway, the main thing I wanted to mention is that the use of public key encryption means this is quite different from the device having "my password". Even in the on-device ("resident credential") scenarios the authenticator doesn't have a password which is a shared secret, it actually has a private key which it won't divulge - much better.

Implementation errors by a web site can leak your password, which because it's a shared secret can then be used by adversaries to log in. It's impossible to be sure a site didn't get this wrong, even if you're confident they are competent and well meaning.

In contrast the WebAuthn (and U2F) design doesn't give sites enough information to impersonate you even if they wanted to, only to authenticate you. This is a familiar pattern from public key cryptography, receiving the certificate for news.ycombinator.com allows me to verify this is news.ycombinator.com but not impersonate them. Likewise, when you enroll a FIDO authenticator to use Facebook, Facebook doesn't learn how to impersonate you, even on Facebook, only a way to verify that you still have that authenticator. [And the design is even more careful, it uses completely independent credentials for each site, so when Microsoft bought GitHub they actually could not merge the FIDO-based authentication between GitHub and Microsoft properties, even if they thought that was a good idea it's deliberately impossible.]


Is any of that a contradiction of what I said or are you providing context?


On re-examination of what you wrote I think I misinterpreted this sentence:

"everyone who has a physical key I keep within a reasonable distance from me that is incredibly hard to copy and has my password"

I took (hard to copy and has my password) to be properties you were giving the physical key, but in fact I see the correct interpretation was that "and has my password" is an adjunct to the properties of this hypothetical attacker who now needs to steal the key.


Yeah, I meant "(has the key) and (has my password)", not "has my key which has my password". The reply makes a lot more sense now, thanks for the clarification! I'll try to be more unambiguous.


Honestly the threat of someone cloning the key is so minor that a USB stick is probably enough. If someone goes through the effort to make a fake USB stick with the right hardware ids then I've got way bigger problems.


If you are talking about a U2F usb stick I agree with you (I put "incredibly hard" instead of "impossible" there so that I don't get counterarguments with people reading memory with electron microscopes or similar).

If you are talking plain USB mass storage for keys I disagree.


For most of us, the inability for the key to be duplicated remotely is the primary design criteria, as most of us need to defend against low to moderate remote attacks (which is exactly why SMS 2FA is bad). You have to be an incredibly high value target before "my opponents are willing to send people to try and steal my 2FA token from my person and clone it" is a probable risk. At that point you better be using all kinds of special equipment and techniques, as a Yubikey alone probably isn't enough.

That being said, it's incredibly unlikely that someone would ever sell mass storage based USB credentials because:

1. Security products are marketed based on surviving the worst case scenarios. Nobody would buy a U2F token that is "good enough for the threats you probably face".

2. By the time you've hardened any USB device from remote cloning, you've probably already done most of the work to harden it against local cloning. Might as well complete the last bits necessary in order to get the marketing benefits from point 1.


From what I can read we don't disagree about anything


USB mass storage based authentication also does not protect against malware stealing the keys. A YubiKey (or similar token) performs all of the cryptographic operations in a separate environment that malware cannot access.


Yes, that would be a “remote copy” since it doesn’t require physical access to the u2f token.


never use absolutes on the internet.

(it's kind of funny how you can make a seemingly airtight argument about something common-sense and non-controversial and have some weird imposs.. improbable corner case unravel everything)


Seems like a bad idea. Requiring a touch means it's much harder to trigger the key through software alone -- or maybe impossible. So someone has to actually be present at the machine. This is particularly important when, for whatever reason, the machine you can actually put your hands on is actually a gateway to other machines. You can ssh tunnel all you want, but somebody still has to physically touch the key for it to authenticate. Naturally, that only works if you authenticate at each level, and if you do not trust other levels.

The way we use them at Google, the keys are associated to particular machines and human accounts. You can't just remove a key from one machine and stick it into something else. It is the combination of the machine and the key that is enabled. A key can be deregistered/wiped, and assigned to a different machine...but you need to be properly logged in to make that happen. In the context of a corporation that is relatively straightforward, but perhaps for personal use it is less so. Actually, without the right infrastructure in place, it's quite likely to be a lot more complicated.


This is really cool, but I still feel betrayed cause when I read "touchless" and "contactless" I thought this was gonna use NFC


Which NFC? Almost no laptop has an NFC reader. I am not sure if the situation is different with PCs.


Personally, I only know Dell Precision 7740 to have built-in NFC. I guess tablet-like / 2-in-1 laptops might also have it.

Edit: Lenovo Yoga, Lenovo X1 Carbon have NFC too.

Edit 2: Dell Precision 7750 also offers it.

Edit 3: Models with pre-installed NFC module are very scarce, this site [0] lists only 204 occurrences among 7136.

[0]: https://geizhals.eu/?cat=nb&xf=3710_NFC


It’s not NFC, but macOS uses Bluetooth for Apple Watch unlocking.

Sadly, it’s slow and unreliable.


Some time ago there was a similar tool that locked the computer via bluetooth if you walked away from the desk with your phone. It didn't unlock it which is fine, but it seems a better way to lock a computer if you forget rather than a timed screensaver after x minutes which leaves the computer vulnerable until then. (Mostly just from colleagues changing your wallpaper, or autocorrect...)


Windows 10 has this feature [1]. Would be more useful if you could tune the required signal strength.

[1] https://support.microsoft.com/en-us/help/4028111/windows-loc...


There used to be a Mac app called "Bluephone Elite", IIRC, that could do this for a very specific group of phones. It worked with my Sony Ericsson thing BITD.


Sounds good, but I'd really want to use a PIN with that. Otherwise anyone can take my key and walk up to the computer and unlock it.

I wonder if there is something like pam_piv? I use PIV already for Mac & Windows... Suppose I should look for it myself :)


You need a pin for GPG. Note that, that would protect only the gpg keys.

Don’t forget to set a password also for the YubiKey Authenticator app. Otherwise I believe anyone who has your key would see the websites with which you have Fido U2F and use it.


> Don’t forget to set a password also for the YubiKey Authenticator app. Otherwise I believe anyone who has your key would see the websites with which you have Fido U2F and use it.

From what I can see YubiKey Authenticator is a TOTP authenticator. So that's completely orthogonal to U2F (and less safe, although more familiar to users who have things like Google Authenticator)

With U2F non-resident credentials don't leave any trace. If somebody has stolen a working authenticator they'd need to guess sites at which its non-resident credentials would be valid and then try it.
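An added example (not part of the thread or of any commenter's post): a simplified Python model of how a token can keep no per-site records and still hand every site an independent credential, as the comments above on per-site credentials and non-resident credentials describe. The HMAC key-handle construction is modelled on what Yubico has described for its U2F keys and is an assumption here; `StatelessToken`, the `.example` origins and the stop at a key seed (a real token would turn it into a P-256 key pair) are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 32
TAG_LEN = 32


class StatelessToken:
    """Model of a token that holds one device secret and no per-site records."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret            # never leaves the device

    def _mac(self, label: bytes, app_id: str, data: bytes) -> bytes:
        # The app ID is hashed, as in U2F's "application parameter".
        app_hash = hashlib.sha256(app_id.encode()).digest()
        msg = label + app_hash + data
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        """Create a credential and return the key handle the site stores."""
        nonce = os.urandom(NONCE_LEN)
        key_seed = self._mac(b"key", app_id, nonce)   # per-site key material
        tag = self._mac(b"tag", app_id, key_seed)     # binds handle to app ID
        return nonce + tag

    def recover_key(self, app_id: str, key_handle: bytes) -> Optional[bytes]:
        """Re-derive the key seed, or None if the handle is not valid here."""
        if len(key_handle) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        key_seed = self._mac(b"key", app_id, nonce)
        if not hmac.compare_digest(tag, self._mac(b"tag", app_id, key_seed)):
            return None
        return key_seed


def demo() -> dict:
    """Register one token at two constructed sites and probe the handles."""
    site_a, site_b = "https://a.example", "https://b.example"
    token = StatelessToken(os.urandom(32))
    other = StatelessToken(os.urandom(32))
    handle_a = token.register(site_a)
    handle_b = token.register(site_b)
    key_a = token.recover_key(site_a, handle_a)
    key_b = token.recover_key(site_b, handle_b)
    return {
        "same_site_works": key_a is not None and key_b is not None,
        "per_site_keys_differ": key_a != key_b,
        "wrong_site_rejected": token.recover_key(site_b, handle_a) is None,
        "other_token_rejected": other.recover_key(site_a, handle_a) is None,
        "state_on_token": sorted(vars(token)),   # only the device secret
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the handle lives with the site and only verifies under the right app ID and device secret, someone holding a found token has nothing on the device to list and a site's handle is useless anywhere else.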


I think the concept is really cool and it’s awesome that Linux makes it relatively easy to play around with authentication methods. I love this kind of stuff.

But I’m also a pragmatist. While I run Linux everywhere I reasonably can, my daily driver is macOS and I can’t help but wonder if a fingerprint reader would be a better solution.

On my Mac, the fingerprint reader can unlock the system immediately and works across the operating system for root access, including sudo. (There’s a pam module.)

Locking can be done OS-wide using a keystroke (Cmd+Ctrl+Q), touchbar button, or by closing the lid.

Windows has had similar capabilities far longer than macOS.


As a daily user of Linux for the best part of a decade I'm curious where Linux falls short for you?


The major one is deep integration of applications with the OS. One example is any keyboard shortcut in any application can be remapped at the OS level. Dictation and services available almost everywhere text can be entered. Any text in almost any dialogue is selectable. Application dialogs like open and print are standardized. The print dialog is incredibly rich with functionality, in every application. This extends to integration with iOS devices and system hardware.

The stock OS is ready out of the box with a full suite of integrated applications. While there are better versions of all of them, most are high quality. Though, I haven’t found a PDF reader better than Preview and Apple Notes is very hard to beat as a general note taking tool.

The base OS has color syncing. I was able to hook up a professional grade printer, have the OS automatically install the drivers, and produce color accurate prints using Preview. The system print dialog allowed me to fully configure the printer. No specialized tools required. There’s even an iOS app that can do the same thing in a more limited fashion.

Never had a driver issue or had to modify a configuration file to get hardware to work properly. (Have done GUI tweaks via defaults.)

When it comes to specialized applications, there are a lot of excellent applications written specifically for macOS. Some come with iOS apps. (1Password is high on my list.)

Due to the industries I work in, Microsoft Office is a hard requirement. Libre Office is not an option.

Time machine has no equal when it comes to backups and restoring to new hardware. I haven’t done a clean install since 2008. In two hours I can completely clone my current machine.

This is just a few of the many reasons I use macOS. Frankly, they are more important to me than openness of platform or deep control of my devices.

That does not mean I don’t appreciate Linux. I love Linux. There is nothing better for servers than Linux. I have older laptops loaded with Linux but they are a hobby for me.

Linux fills a very important place in the world. Frankly, the world needs an open operating system and people who enjoy using it. But I have neither the time, expertise, or inclination to do so on my primary machine.


Don't worry, I'm not one of the zealots that'll try and convince you that Linux has a suitable replacement for something then recommend something that doesn't match up (see your MS Office vs. Libre Office for example). Just genuinely interested to know where Linux is lacking for some people (and thus something I might be missing). While I'm definitely an open source advocate I too am a pragmatist and will happily use closed source software and gasp pay for software when the open source alternatives are lacking.

Personally none of your use cases have even crossed my mind, I can count the number of things I've printed in the last decade on 10 years. I can definitely see the benefit of having tight coupling between accessories/phone apps though.


I'm trying to move my daily driver from macOS to Linux.

(Why? Privacy, more control over how technology interacts with me, and because at a really deep level, I know this is the expression of my authentic self. I don't like to 'blindly accept' things from others without questioning it, and I like to create. I also love to learn. All this is balanced with the desire to just sit back and enjoy a smooth experience like anyone else, half the time.)

I'm slowly researching and trying out open-source alternatives to my daily must-have apps like Notes.app, which is a great example of, so far, why this is so challenging. But I'm trying to adjust and see what can be good enough. (Web apps is not an acceptable solution, due to basic privacy expectations.)

It's reasonable to expect I have to adjust my methods somewhat, but I do need such alternative workflows to be as feature-filled and performant as what I currently use.

Like most, work requirements like Office (and Acrobat) are my greatest challenge. Perhaps macOS on KVM for near-native performance with Office + Adobe for Mac in it will be good enough?


Personally I use NextCloud for things like Notes[1], while it is a web app it is self hosted. Obviously this means you then need to run NextCloud yourself which is an entirely different problem.


Thanks for that, I'll check it out! Not afraid to self-host my entire cloud, makes sense.


Yeah, that same PAM works on Linux too. Non-Apple hardware isn't exactly known for shipping the best readers but they work well enough.


Thanks everyone for the feedback on Yubikeys being stolen! I've tried to summarize it all in a footnote, and downgraded the severity of my original starting paragraph. Thanks for reading!


The main drawback of this method if used daily would be broken USB ports.


Yeah besides contactless being an option as the other poster said (I use this too sometimes, especially on my phone), at work I use a cheap USB hub for this. When a port dies or becomes unreliable, I tape it off and use the next one. It can be really cheap as USB 2.0 is more than fast enough for a yubikey.

I'm at 2 out of 4 ports dead now after 1,5 years on a $10 hub so it's not bad :) In addition, it's an iMac and the ports at the back are a nightmare to use. I taped the hub to the 'foot' of the iMac so it's much easier to use.

I don't use this mode though but PIV + PIN.


I’ve been using yubikeys for at least the last 2-3 years for all ssh/gpg operations and I have my key on my actual keychain so there’s extra weight on it and sometimes the key sits at a bit of an angle. Still, I have yet to break a single USB port on my ThinkPad. I’m a bit worried about USB-C though.


Speaking from experience: the USB-C Yubikey will snap right off, without damaging the port (at least, on a ThinkPad X1).


I had the same concerns. Luckily, Yubikey also sells keys with NFC support. I now have a cheap NFC reader on my desk, and everything is now contactless.


I'm genuinely curious, are broken USB ports a common thing? I've been using a Yubikey with my MBP, and many years ago used thumb drives all the time with my computers. I've never had a port or device break in any way (either a failure due to wear, or a literal break). Admittedly, I use USB ports much less frequently these days (as in, I plug things in and leave them in for weeks or months at a time, I don't swap USB devices like I used to).


As long as removing the key starts your screen locker and inserting kills it you'll fall back to typing your password. Though that could be hard if all your USB ports have suddenly all died at the same time.


I use the charging port on my phone pretty much daily and haven't had too many problems breaking the port.


BTW, here is a handy way to quickly generate GPG keys (and set up git commit signing and SSH key derivation) on Yubikey: https://github.com/DataDog/yubikey


If you only want to do SSH, that way is a huge hassle, way too much to do on machines you don't own/are using casually. If you can use newer SSH versions, they support FIDO2 natively:

https://www.stavros.io/posts/u2f-fido2-with-ssh/


I don't think many people use GPG keys for SSH only (:


Sure, but most SSH servers probably don't support FIDO2 yet (GitHub didn't the last time I checked).

Also, please sign your git commits.


So anyone can take my Yubikey and use it to gain access to my computer without so much as a PIN? Is that a good idea?


To be fair, that's also how cars and houses tend to work


I prefer progress in the forward direction.


Until recently, neither were typically Internet-connected.


PIV certificates are kinda meant for this


I wonder if this would work for Active Directory logins which my AD connected Linux laptop does


I believe the Yubikey will function as a smart card for AD authentication.


I stopped reading at the first paragraph: "At that point, anyone can take the key and use it for 2-factor authentication/SSH/GPG signing, so it’s not much better than just using a normal password.".

If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.

Good luck taking my Yubikey and trying to SSH to my kit. Won't do you much good without the PIN that is in my head. ;)

P.S. You can also configure the Yubi to lock and mandate a PUK after too many wrong PINs.


> If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.

Try being a little nicer. If you feel that the blog post is a waste of your time, here's a revolutionary idea – don't say anything? There are 29 other posts on the front page, maybe one of those other ones will be worth your time.

As it is, the UX of the poster's solution is totally different from yours; it enables a one-time, contactless authentication during login. Yours requires a ton of manual input every time the Yubikey is used for SSH. There is some difference in the security models here, but the author's solution is broadly different from yours, and to me, much more convenient (I use a Yubikey with a PIN for work and it's kind of a pain).


I’m someone that often reads the comments before reading the article, so it’s helpful to know what people think is blog spam and what is actually worth reading.


Understood.

I'm making the claim that the OP's comment is both derogatory ("rambling", "waste of my time") and not relevant to the solution described in the article. Therefore, if anything, the comment is more deserving of being labeled spam than the article itself.


Seconded. I think one of Hackernews’ biggest value-adds versus say Oreilly is the eagerness with which the commenters on this site will rip apart bad ideas/articles.


I agree, but also you can be critical without being an asshat.

It's better to comment from a perspective of "I bet you didn't know this" than "Ha, you're an idiot"


The point is the author of the blog is spreading FUD by saying "you can't leave your Yubikey unattended because anybody can take it and use it to SSH without your consent".

That is a falsehood and deserves to be called out.

I don't mind "revolutionary ideas", but don't use your platform to spread FUD.


It's great to correct falsehoods, but please do so without "calling out". The online callout/shaming culture has toxic effects and we're on a different trip here, or trying to be.

https://hn.algolia.com/?query=online%20shaming%20by%3Adang&s...

https://news.ycombinator.com/newsguidelines.html

p.s. https://news.ycombinator.com/item?id=24190704 was much nicer - that's the spirit ;)


Author of the post here - you have a good point with regard to SSH/GPG. (I do have a PIN on my keys.) I was targeting more the U2F standpoint - as in if you're using it for 2FA, it's obviously no better than a password if someone else can just press the little yellow button :)

Thanks for reading, though, and for commenting!


> it's obviously no better than a password if someone else can just press the little yellow button :)

If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.

The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple minutes?
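An added example (not part of the comment above or of the linked article): one way the suggested reminder daemon could look on Linux, in Python. It identifies FIDO tokens by parsing each hidraw device's HID report descriptor for usage page 0xF1D0 rather than matching vendor IDs. The 120-second limit, the 10-second poll interval, the class name and the sample descriptors are constructed for illustration.

```python
import time
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0     # HID usage page assigned to FIDO/U2F tokens
LIMIT_SECONDS = 120          # "a couple minutes" (assumed value)


def usage_pages(descriptor: bytes):
    """Yield every Usage Page declared in a HID report descriptor."""
    i = 0
    while i < len(descriptor):
        prefix = descriptor[i]
        if prefix == 0xFE:                        # long item: size in next byte
            if i + 1 >= len(descriptor):
                return
            i += 3 + descriptor[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]        # short item payload length
        data = descriptor[i + 1:i + 1 + size]
        if len(data) < size:
            return                                # truncated descriptor
        if prefix & 0xFC == 0x04:                 # global item, tag 0: Usage Page
            yield int.from_bytes(data, "little")
        i += 1 + size


def is_fido(descriptor: bytes) -> bool:
    return FIDO_USAGE_PAGE in usage_pages(descriptor)


def attached_fido_devices(sysfs: Path = Path("/sys/class/hidraw")) -> set:
    """Return hidraw names whose report descriptor declares the FIDO page."""
    found = set()
    for node in sorted(sysfs.glob("hidraw*")):
        try:
            desc = (node / "device" / "report_descriptor").read_bytes()
        except OSError:
            continue                              # unplugged mid-scan or unreadable
        if is_fido(desc):
            found.add(node.name)
    return found


class LeftInReminder:
    """Track how long each token has been present; remind once per insertion."""

    def __init__(self, limit: float = LIMIT_SECONDS):
        self.limit = limit
        self.first_seen = {}
        self.reminded = set()

    def poll(self, present, now: float) -> list:
        for gone in set(self.first_seen) - set(present):
            del self.first_seen[gone]             # removal resets the timer
            self.reminded.discard(gone)
        due = []
        for dev in sorted(present):
            start = self.first_seen.setdefault(dev, now)
            if now - start >= self.limit and dev not in self.reminded:
                self.reminded.add(dev)
                due.append(dev)
        return due


# Constructed sample descriptors (not captured from real devices).
SAMPLE_FIDO = bytes.fromhex(
    "06 d0 f1 09 01 a1 01 09 20 15 00 26 ff 00 75 08 95 40 81 02"
    " 09 21 15 00 26 ff 00 75 08 95 40 91 02 c0")
SAMPLE_KEYBOARD = bytes.fromhex(
    "05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 75 01 95 08 81 02 c0")
# The bytes 06 d0 f1 appear here only as the payload of a 4-byte item.
SAMPLE_DECOY = bytes.fromhex("05 01 09 06 a1 01 27 06 d0 f1 00 c0")

if __name__ == "__main__":
    reminder = LeftInReminder()
    while True:
        for dev in reminder.poll(attached_fido_devices(), time.monotonic()):
            print(f"Security key on {dev} has been plugged in for over "
                  f"{LIMIT_SECONDS}s; remove it if you are done.")
        time.sleep(10)
```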


No hard feelings @Pneumaticat. ;)

Most places where I use the FIDO feature of Yubi (e.g. Github), you still need to provide username and password. So an abandoned Yubi is still of limited use assuming your password is stored securely.


Yeah - here, I'll add a slight edit to the post to explain it in more detail and clear up any confusion.


This is a great idea!


Hey author, why did you use the words "touchless" and "contactless" when it's not true and not even relevant to the technology being used?

There's something strange going on here, like this article was written by AI or something. It's using words out of context, or just making plainly/obviously false statements.



