On our way to make our accounts as secure as we possibly can, I will explain all the possibilities a Hardware token (Yubikey) can offer.
It can go from encrypting your e-mails to encrypting a USB Key content or unlocking your computer.
I know it is a long post, but I tried to make it as enjoyable and understandable to read as I can. So you can use that new device you just bought to its fullest.
If you read my last post about MFA and you made this leap of buying a hardware token, Yubico embedded a lot of features into their devices so why not try to use all of them?
I am streaming every Thursday at 9:00pm (UTC+2) on my Twitch channel about Security topics. 🖥️
Feel free to come and say hello 🙋🏼♂️, if Multi-factor Authenticator is of any interest to you or if reading that article brought some questions and you desperately need answers. 🤔
I'll be more than happy to answer.
After a massive password breach on Yahoo!, I decided to reconsider my security on the Internet. Starting with my passwords.
I made some research, considered using a Password Manager and moved to KeepassXC.
After some research, I get to the point that a password, even a long enough chaotic password handled by a password manager, is not enough to really guarantee the security of my accounts.
That's why I decided to use MFA and bought a Yubikey.
At the beginning, I used the very basics capabilities of the Yubikey which is just a simple U2F token.
It is just the key to unlock the access to my account along with the password. Just a padlock that requires a pin code ("something you know") and a key ("something you own") to get unlocked.
But a Yubikey can offer a lot more that that.
In this article, I'll try to present all the possibilities that a Yubikey can offer to better secure a lot of your assets, to use your brand new Yubikey to its fullest.
It is the most basic use and the most simple one to use.
You are using the basic capabilities of your Yubikey to connect to websites.
This website presents an exhaustive list of services that supports Multi-factor Authentication and the method supported, either hardware or software only or both and their limitations.
I used it a lot at the beginning to check if the websites I was using supports MFA. You can even ask them to support MFA through a tweet or a Facebook message with a click of a button.
Have a look at this website and check if the websites you are using allows Multi-factor Authentication.
Starting with Windows 10, Microsoft offers the possibility to unlock your computer with a lot a different methods, from a simple Pin code to your face and offers an API for third party to implement an unlock your machine mecanism.
Yubico took advantage of it and published an application to unlock your Windows 10 computer using a pre-register Yubikey.
You can download the application here from the Windows Store.
As you can see, you can register more than one Yubikey to unlock your computer. Which is a very good practice as I described in my generic article about Multi-factor Authentication.
There is also a page on the Yubico website that regroups all the tools you can use to register to basically any Windows accounts wether it is Local accounts, Azure AD accounts, Classic AD accounts. And even on Mac machines.
If you want to add a new possibility to unlock your Windows Machine, you can use your Yubikey. You just have to download the Windows Hello Yubikey application on the Microsoft Store and then set up your Yubikey as a Windows Hello method.
Mac OS Sierra allows the use of smartcards to connect to your machine.
To use this feature, your Yubikey must have a certificate in it so that it can work as a smartcard. The Yubico PIV Manager will help you set up a Certificate in your Yubikey in a few steps.
You just install the application and then plug your Yubikey in and it will set it up.
You have to set up a Pin code from 6 to 8 characters. So you can replace a very complicated password (your Mac's session password) to a much more simple code but you will need something with you.
As soon as the Yubikey is set up, your Mac will ask you if you want to associate this Yubikey with your account.
Now, you can login to your Mac using your Yubikey. It is pretty straightforward.
On the new MacBook Pro, I think that TouchId is bettter than that but on all the "older" Mac, it is a really powerful method.
Dashlane or LastPass allows the use of a Security Key.
Yubikeys are perfectly integrated with Lastpass.
Here is a video that describes it :
Similarly, Dashlane supports Yubikeys.
Here is a video that describes it :
And Dashlane explains it on its website.
A Yubikey can store a private key, so you can use this key within your Yubikey to encrypt your e-mails or do anything that you can do with a PGP Key. And there are a lot of possibilities.
PGP stands for "Pretty Good Privacy" and according to Wikipedia :
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
As PGP supports message authentication and integrity checking, you can use it to sign your Git commits.
To do that, you just have to create you Private/Public key pair, store the private key in the PGP Signature slot of the YubiKey.
gpg --edit-key 13AFCE85 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 usage: SC trust: ultimate validity: ultimate sub 2048R/D7421CDF created: 2014-03-07 expires: 2014-06-15 usage: E sub 2048R/B4000C55 created: 2014-03-07 expires: 2014-06-15 usage: A [ultimate] (1). Foo Bar <firstname.lastname@example.org> gpg> toggle sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 ssb 2048R/D7421CDF created: 2014-03-07 expires: never ssb 2048R/B4000C55 created: 2014-03-07 expires: never (1) Foo Bar <email@example.com> gpg> keytocard Really move the primary key? (y/N) y Signature key ....: [none] Encryption key....: [none] Authentication key: [none] Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1
gpg> key 1 sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 card-no: 0000 00000001 ssb* 2048R/D7421CDF created: 2014-03-07 expires: never ssb 2048R/B4000C55 created: 2014-03-07 expires: never (1) Foo Bar <firstname.lastname@example.org> gpg> keytocard Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85 Encryption key....: [none] Authentication key: [none] Please select where to store the key: (2) Encryption key Your selection? 2
And you have your signature key in the Signature slot of your Yubikey. You're good to go.
To sign your commit, you can just have a look at that (great 😉) article about it on DEV.
As PGP supports encryption, you can use it to encrypt strings. And what is better than an e-mail as a perfect target for encryption.
We just added a key to the Yubikey's Authentication slot to sign the Git commit.
To encrypt messages, we have to add a key to Yubikey's Encryption slot.
Let's do this following what we did above :
gpg> key 2 sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never card-no: 0006 03036660 ssb* 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson <email@example.com> gpg> keytocard Signature key ....: none Encryption key....: D04F 94C6 EF86 C150 9486 3F5C 2695 8563 FAFF ECA6 Authentication key: none Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1
For all these methods, it is important that you always have a spare method to connect to your account if you are losing your Yubikey.
You can use a spare Yubikey. That means that every time you set up a Yubikey on a service, you have to set up another one (the spare Yubikey) that you are going to save somewhere safe.
And if an attacker has access to the Yubikey (steals it), it can't extract any information from it. So the information saved on it are safe. It is a write only mechanism.
And if you forgot your Yubikey, you can always use another method to connect as on any service I am usnig, there is always another method to connect to the service. So you can use this other method if you set it up.
It is always a matter of compromise between easiness and security.
Thank you so much for reading it to this point. I hope you enjoyed reading it and learn something.
Leave me a message if you set up Multi-factor Authentication on one of your account. An then tried to use your Yubikey to something different than just 2nd-factor authentication.
That would mean a lot to me.