Yubikey - Hardware Multi-Factor Authentication

Yubikey Hardware Multi-Factor Authentication Link to heading

Multi-factor authentication is the process of using “two of more” factors as an authentication method. This means choosing more than one from the following list:

• Something you know (Password or passphrase)
• Something you have (One time password, hardware token/key)
• Something you are (Biometrics - fingerprint, facial recognition)

How many crticial websites do you currently authenticate with a username/password and then wait to receive a SMS text message one-time use code for authentication? If you’re like me, that process represents a large percentage of the websites I visit. Unfortunately, SMS as a factor of authentication is on its way out. Although this has been a fairly conveient and secure method of authentication for a long time, vulnerabilities in the way SMS is handled means you should be looking to transition to a more secure authentication method.

SMS is an unencrypted, insecure method of communication without sender verification that is vulnerable to many different attacks. Check our this 2022 Blackhat presentation Smishsmash to learn more about the specifics. Additionally, here are a few more articles which discuss the flaws in SMS as a 2FA method, showcasing the years-long effort to get people and organizations to stop using SMS for 2FA:

• 2017 Vice Article on SS7 Attacks
• 2016 Article on Port Out Fraud
• 2021 Krebs Article Advocating to Stop using SMS
• 2022 CrowdStrike Report on telecommunications intrusion & SIM Swapping

The lists goes on and on. Earlier this year, Twitter decided to depreciate SMS 2FA as a valid authentication option, and received criticism due to the perception that many users would simply revert to single factor (password-only) authentication. I think this is a true statement, but more likely due to the fact that many people are simply unaware of the secure alternatives to SMS 2FA. One such method is Time-Based One Time Passwords (TOTP), which can be setup using Google Authenticator or my preferred alternative: Aegis Authenticator. Aegis allows better encryption of your data as well as the excellent ability to inport/export codes for backup pursposes. For situations where TOTP/Authenticator App is an option, you should always choose this! But there is another method which is only slightly more complicated, but provides unmatched security.

Earlier this year I found out about the Yubikey, which replaces the “something you have category” previously filled by SMS one-time passwords (insecure and should not be used) and authenticator apps (secure, great option).

Yubico’s Yubikey 5 series hardware token easily adds a second form of authentication to websites, applications, and even SSH. I purchased both the Yubikey 5C NFC and Yubikey 5C Nano to provide redundant keys for all of my logins. Yubico has a great catalog of all of the websites that accept Yubikey, but some of the more popular ones that I am using are:

• Google
• Cloudflare
• Coinbase
• Facebook
• Bitwarden
• Proton Mail
• Tutanota
• Reddit
• Ebay
• Github

I have one key at my house and one one my car keys (so essentially, it is always with me). In the future I would like to add a third key stored in a secure lockbox to truly eliminate the possibility of data loss. However, I feel confident that my current setup is a good balance of convenience and security.

SSH Keys with Yubikey Link to heading

Yubico includes instructions on multiple ways to generate SSH keys using your Yubikey. I chose to use the local system instructions, which generate a local SSH key using the Yubikey, which can then manually be copied to remote servers for authentication. Assuming you have a Yubikey with firmware >5.2.3, simply generate a new SSH key as follows:

ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519-sk_yubikey_5cnfc

After this, you will be prompted to touch the Yubikey to generate the key and add an (optional, but recommended) passphrase. Now you will have a public/private key pair. To copy the public key to a remote server, use the folloing:

ssh-copy-id -i ~/.ssh/id_ed25519-sk_yubikey_5cnfc.pub remote-user@host_ip

Now when you attempt to login to that host, you can simply touch your Yubikey (and possibly enter a passphrase if configured). It is that simple! Remember, if this is your only remote access method (and it is highly recommended to disable password login), ensure that you generate and copy a second Yubikey to the remote server for redundancy. The Yubikey is an excellent form of security, but does leave you completely out of luck if you rely on a single Yubikey and lose/break the key.