Personal Security Posture++


By: Jason Alvarez
Follow me on Twitter @0xbanana


Adventures in owning a Yubikey - Day 1

What is that thing?

What's pictured in the box is a YubiKey, a hardware security token. When plugged into your computer it acts as a second authentication factor: the website sends a challenge, and the key answers it with a signature from a private key that never leaves the device. It can be used in place of the one-time codes you may already be getting from an app like Google Authenticator or Authy.

I wanted to take my security to the next level of maturity. Multi-factor (TOTP) seeds stored on your phone or computer can potentially be compromised: screens can be scraped, shoulders can be surfed, and backed-up seeds can be stolen. Authy syncs seeds across platforms, so they have to be stored... somewhere.

So, rather than reaching for my phone every time I need an auth code to log in, I touch a button. That's nice.

What I got

When I got the key in the mail, I was impressed with the packaging; very small, not a lot of extra nonsense, no inserts, all the text was on the back of the cardboard packaging.

The model I'm using doesn't have a physical button but two contacts, one on each side. It feels like that adds an additional layer of button-pressing security, something that takes a bit more work to automate; or maybe it's just security theatre.

The setup

The setup was easier than I anticipated! It was extremely easy to add a key as an additional authentication mechanism for my accounts. Every website is different, but you'll want to look under the two-factor or multi-factor authentication settings and enable/add a "Security Key". Once enabled you'll begin to enroll your key: plug it in (or tap it via NFC, or pair it via Bluetooth for keys that support it) and it will take one or two touches to complete the enrollment. That's it! You've taken a big leap in your account security. Now go do this for all your other accounts.
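What the touch during enrollment and login actually proves is worth seeing from the website's side. Every FIDO2/WebAuthn response carries an `authenticatorData` blob whose first 37 bytes are a hash of the site's identifier, a flags byte (bit 0, UP, is set only when the key was physically touched) and a signature counter. The example below, added here and not code from the original post, builds a few constructed `authenticatorData` prefixes and runs the checks a relying party performs on them: the origin hash must match (this is what makes a security key phishing-resistant, unlike a TOTP code you can be tricked into typing anywhere), the UP flag must be set, and the counter must move forward. The `build_authenticator_data` helper and the rp id `example.com` exist only to generate test input; a real deployment would get the bytes from the browser's `navigator.credentials` call and would also verify the signature.

```python
import hashlib
import struct
from typing import Dict, Tuple

# WebAuthn authenticatorData layout (fixed prefix):
#   rpIdHash[32] || flags[1] || signCount[4, big-endian] || optional attested credential data / extensions
FLAG_UP = 0x01  # user presence: the key was physically touched
FLAG_UV = 0x04  # user verification: PIN or biometric was also checked
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test helper: emit the 37-byte prefix a key would produce for rp_id."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data: bytes) -> Dict[str, object]:
    """Split the fixed prefix into its fields; raises on truncated input."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short: need at least 37 bytes")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential": bool(flags & FLAG_AT),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def check_assertion(data: bytes, expected_rp_id: str, last_sign_count: int,
                    require_uv: bool = False) -> Tuple[bool, str]:
    """Relying-party checks on a login (assertion) response.

    last_sign_count is the counter the site stored from the previous login with
    this credential. Signature verification is out of scope here and must be
    done separately in a real deployment.
    """
    parsed = parse_authenticator_data(data)

    # The key hashes the site identifier it was *actually* talking to, so a
    # response produced on a look-alike phishing domain will not match.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: response was not made for this site"

    # No touch, no login: malware on the host cannot satisfy this silently.
    if not parsed["user_present"]:
        return False, "UP flag not set: no physical touch recorded"

    if require_uv and not parsed["user_verified"]:
        return False, "UV flag not set: PIN/biometric required but absent"

    # Per the WebAuthn spec, if either counter is non-zero the new value must be
    # strictly greater; a stalled or regressed counter suggests a cloned key.
    new_count = parsed["sign_count"]
    if (new_count != 0 or last_sign_count != 0) and new_count <= last_sign_count:
        return False, "sign counter did not increase: possible cloned authenticator"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real key.
    good = build_authenticator_data("example.com", FLAG_UP, 42)
    no_touch = build_authenticator_data("example.com", 0, 43)
    phish = build_authenticator_data("examp1e.com", FLAG_UP, 43)
    for label, blob in (("touched", good), ("no touch", no_touch), ("phishing origin", phish)):
        print(label, "->", check_assertion(blob, "example.com", last_sign_count=41))
```

The counter check is also why enrolling two keys (see below) does not weaken anything: each credential has its own counter stored alongside its public key, so the site tracks them independently.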

A wise man once told me: if you have two YubiKeys you have one, and if you have one, you have none. If you're planning on getting one, get two and add both keys to every account. If a key is lost or stolen, you risk getting locked out of your accounts when it is the only one enrolled.

Google offers a security key 2-pack, which I recommend.

Our security key is now set as one of our 2FA options. It's recommended you disable any software tokens (and SMS codes) still associated with the account: the security key raises the bar, but an attacker only needs the weakest second factor that is still enabled. If you are comfortable with the risks of relying on security keys alone, disable every other 2FA option so that your keys are the only second factor. Before you remove the last software token, make sure you still have a recovery path, such as a second enrolled key or the account's recovery codes stored offline.

What about from mobile?

The YubiKey 5Ci has the added benefit of connecting to my iPhone via the Lightning connector; other security keys connect via NFC or Bluetooth. Using it on mobile is just as simple as on desktop: connect and tap when prompted.

It really is that easy.

That’s it!

The next post on the topic will cover using your Security Keys as your multi-factor device to secure SSH and other remote services.

