28 December 2020

You should have a hardware security key

I've been carrying this USB device with my keys for the last couple of months and you should be doing the same.

The security key on the photo is YubiKey 5 NFC and it makes my online accounts more secure by providing an additional login factor on top of a password.

As a side note, Orbitkey key organizer on the photo above is awesome too!

Multi-factor authentication

Many websites encourage you to use multi-factor authentication, however most of the available options are cumbersome to use. First you wait for the SMS code to arrive and if it doesn't arrive, you have to retry. Then you retype the code from your phone into the computer. Assuming you typed in everything correctly, you are logged in!

All the hassle aside, the SMS protocol is not very secure, so the effort doesn't even add that much value. A YubiKey is more secure and only needs a touch to be activated. Since I bought my YubiKey(s), I don't use SMS codes or similar complicated factors. It's both more secure and easy to use—a double win!

Google, Facebook or GitHub allow adding as many security keys as you want. It's important to have more keys, as your key can get lost or stolen. Actually, it's good to treat your hardware security keys as normal keys.

  • Have at least two, in case you lose one. Optionally, leave a spare key with a friend or in a safe storage.
  • If you lose your key, disable it on all accounts as soon as you can. (There's a difference from door keys where you need to change the door lock, here you just disable one key.)
  • Carry one with your normal keys, in case you need to login on the road. Also, my most frequently used YubiKey is permanently inserted in a USB port of my laptop.
One important difference is that it's okay to take a picture of your YubiKey and post it online while you shouldn't do it with your door keys.

I get it, but why should I care?

If you type in your e-mail into Have I Been Pwned?, you'll see all (known) data breaches that included your online accounts. This doesn't mean that hackers got access to your password but it's best to change it anyway. Depending on the strength of your password and security measures of the online service, it can take them from minutes to weeks of effort to reconstruct your password.

Another popular attack is phishing, where you end up on a wrong web address which looks identical to your bank or e-mail. The fake website is run by hackers, so once you type in your password they have it without any extra effort required.

In both data breach and phishing attacks someone else might know your password. Multi-factor authentication with a hardware security key protects your account, as your hardware security key is safely with you and a password on its own is not enough to login.

Which one should i buy?

An alternative to the black YubiKey shown above costing 45 euros plus taxes is the cheaper FIDO2-only blue YubiCo security key NFC costing 25 euros plus taxes. It should be sufficient for most people, thanks to the modern FIDO2 standard enjoying more support each day. 

The producer of all mentioned keys is YubiCo, the industry leader. Other companies make their own FIDO2 security keys but they aren't that much cheaper, so I'd just go with the industry leader. See also an article in New York Times for a more detailed comparison.

Android 7+ phone can act as a FIDO2 key but right now this functionality seems to work only for Google accounts. If it starts working for other accounts, you'll need one fewer key if you have an Android phone.

Password manager

People tend to use the same password for many online accounts at once, so a data breach or phishing attack on a single website allows hackers to access accounts of other online services. It's recommended to use a password manager which generates a special password for each account and stores it safely. You only need to remember one master password for the manager. For a longer overview of password managers, see the excellent article in NY Times.

A security key can provide extra security for your password manager. Unfortunately I only know of two alternatives. One free and complicated, the other paid and easy-to-use.

  • 1PasswordBitwarden a Dashlane support the FIDO2 standard but only in paid versions. Their family plans for 5 people are affordable though and offer a lot of handy features.

  • Using the PGP functionality (for PGP see the end of the post) of YubiKey, you can use the simple Unix utility pass, storing passwords in git and encrypting them via PGP. There are apps for Android and Windows, as well as browser extensions.

Note: if you are a casual internet user, you can stop reading now. The rest of the post is for advanced users who use SSH or PGP.

FIDO2 SSH key, stored on the device

This section requires OpenSSH 8.2 or newer.

Key generation

First set a PIN to protect the SSH key from being used if stolen. Despite N standing for number in PIN, your PIN can be a password with characters. Actually, you can set a simple PIN but use a strong SSH key password instead. It's your choice.

You can set the PIN using the command-line yubikey manager or the GUI version. Note that you only need to set the PIN once.

ykman fido set-pin

Then generate the key.

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_ed25519_sk

The key is stored on the device (that's the -O resident part) and also in ~/.ssh/id_ed25519_sk. The local storage in ~/.ssh is not necessary if you follow the next section and load the key using ssh-add -K.

Using the SSH key on another computer

Once at another computer, you need ssh-agent running.

eval "$(ssh-agent -s)"

You can also start ssh-agent every time you login. Here are some common setups.

Once ssh-agent is running, you can load the key. You will be asked for the PIN that you set earlier.

ssh-add -K

PGP key stored on YubiKey

For PGP, follow the excellent guide by drduh.

Tip: Disable OTP

By default, YubiKey prints out about 40 characters every time you accidentally touch it, which can get annoying. You can disable the OTP application which does that, as you probably won't need it. You can disable it in the desktop YubiKey manager or on the command line.

ykman config usb --disable OTP