Robin Laurén

Learning in Public

Getting Started With Yubikeys

I bought a set of Yubikeys to figure out what the fuss was all about. Getting started was surprisingly painless and i now have a new authentication factor for Google, Github and Lastpass.

I’ve been using 2FA for a bunch of services for quite some time now. My most used second factor for authentication is the Google Authenticator app, which runs on a mobile device that is not my phone. Hence, it actually is a second factor when it comes to authenticating stuff on my phone.

For Google, i clicked “Add security key” on my Google Account’s Two Step Verification page. I then inserted the yubikey 4c nano, ignored the keyboard identification dialog box and tapped the key with my finger. A little later, i gave the key a friendly name, and the key was registered.

The procedure is very similar with with Lastpass and Github, so i won’t repeat it here. The only difference is that i didn’t unplug and re-plug the yubikey.

There are still a few things that bother me.

I’m not the most orderly and organised person. This means i will probably find myself where my authentication key is not. I’ll lose it, forget it at home, or whatever. How can i then log in? All these services i’ve used with 2FA so far still list Google Authenticator as a second factor, so i suppose adding a new key didn’t remove the old one. And Youbico recommends installing at least one more backup key, which i will, and which is something i’ll touch a few lines down in another context.

The Yubikey easily only protects applications i use, not the computers themselves. To protect my computer login, or the operating system, i’ll need to install a new PAM module. That’s a tad scary even for a geek like me (what if i lock myself out?) but for most folks, that is nowhere near anything realistic. I’m waiting for the day macOS will support 2FA keys out of the box, but i’m not holding my breath.

Logging in to stuff like switches and firewalls would be really nifty too. Not really expecting it to happen any time soon though.

Then a practical issue. The key that i installed is a Yubikey nano, which is meant to live in the USB port. That means my authentication factor is just as safe as my computer. If the computer is stolen, so is my key. Doesn’t seem like added security to me, though in all honesty, it’s pretty convenient. But if i remove the nano-key from my computer, i’m pretty sure to lose it fairly quickly.

I have exactly one computer i use with a USB C port. This means i need to register another key for the computers i use that have only legacy USB A connectors. Another reason to create more yubikeys.

Furthermore, i have a phone, and while it does have a USB C port, i won’t be walking around with a yubikey nano plugged into it. For that, there’s an NFC compatible Yubikey. It’s kind of a pity that none of my computers support NFC.

So all in all, to have some sort of hardware based 2FA security, i’ll need a “daily” USB A key with NFC, another “daily” USB C key, and one backup key which can be USB A and can be used with an adapter dongle. And that’s the minimum. I’m not yet convinced what the proper mode of operation is with these keys, should i leave a key plugged in to the computer i use, which means i know i’ll have it with me but also know both will get misplaced at the same time, or should i walk with a authenticator key in my keychain, which really isn’t all too convenient to plugg into my computer each time i need to authenticate with a second factor. That said, i don’t yet know how often i will need to 2FA. Every 30 days? On each git push?

There are a lot more applications that i can protect with my yubikeys, but i’ll need to kick the tires with what i’ve installed so far. I’ll write a follow-up if things go really sour :)