
Yubico launches its dual USB-C and Lightning two-factor security key - jeromegv
https://techcrunch.com/2019/08/20/yubikey-dual-usb-c-lightning/
======
archi42
That sounds nice. But while using U2F/FIDO for a few years (with two
HyperFIDOs, one for "daily" use attached to my key-chain, the other as a
backup in a safe), I found the most common problem was that websites/services
don't treat these keys as first class citizens. For example GitHub: I have my
two keys set up there, but I can't opt-out of SMS authentication.

If I knew I could use my keys at more services, I would already have upgraded
the daily driver to a NFC variant (so I could use it with my phone).

So, to any webdevs on HN reading this: Take that shit seriously and implement
2FA ;-)

//edit: GitHub is just a single example; and it's possible to opt-out of SMS,
if an authenticator app is used instead. That's what I mean by second class
citizen: Security Key(s) + X is possible, but while X alone can be configured,
Security Key(s) alone is(/are) not allowed.

~~~
cj
Last year I got the Google Titan security keys and connected them with all of my
work + personal accounts that support it.

The #1 weakness is the simple fact that many services don't allow you to
disable alternate forms of 2fa.

Github is an example: you can always trigger the fallback SMS 2fa code.

Dashlane is another example (and arguably the most important). It's impossible
to make your security key the only form of 2-FA. If you have a security key on
your account, you _must_ also have regular app-based 2-FA enabled as a fall
back.

What's the point of using security keys with services that require regular SMS
or app-based 2-FA as a fallback?

Edit: G Suite is one of the few services that got it right. G Suite has an
optional security control that when enabled, forces authentication using
security keys (explicitly forbidding alternate 2-fa methods).

~~~
Macha
My understanding is the issues that lead to U2F being considered to be better
than TOTP were mainly about it being phished easily compared to something which
will only dispense the right code with the right challenge.

But if you never actually login with TOTP, and always use your U2F key, then
does it actually decrease security to have it as a backup/removal option and
you know that's the only reason you'd enter it?

It feels like its competition there is "convince phone support with a sob
story" and TOTP feels like a clear step up from that.
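
Macha's point above, that a U2F key "will only dispense the right code with the right challenge", is the origin binding of the U2F/WebAuthn client data. The following Python simulation is an added example, not code from the article or from anyone in this thread: the origins, the TOTP secret and timestamp are constructed, and the HMAC stand-in for the key's ECDSA signature is an assumption made to keep it stdlib-only. It shows a relayed TOTP code being accepted while a relayed U2F-style assertion is rejected because the browser recorded the phishing origin.

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on secret and time,
    so it verifies no matter which site the user typed it into."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Authenticator:
    """Stand-in for a security key: per-registration keys never leave it.
    Assumption: real U2F signs with ECDSA and gives the RP only a public key;
    here the signature is simulated with HMAC-SHA256 to stay stdlib-only."""
    def __init__(self):
        self._keys = {}  # key handle -> secret held only on the "device"

    def register(self):
        handle = secrets.token_hex(8)
        self._keys[handle] = secrets.token_bytes(32)
        return handle, self._keys[handle]  # second value plays the public-key role

    def sign(self, handle: str, client_data: bytes) -> bytes:
        return hmac.new(self._keys[handle], client_data, hashlib.sha256).digest()


def browser_assert(auth, handle, page_origin, challenge):
    """The browser, not the page, records which origin is asking."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    return client_data, auth.sign(handle, client_data)


class U2fRelyingParty:
    def __init__(self, origin, handle, verify_key):
        self.origin, self.handle, self.verify_key = origin, handle, verify_key
        self.outstanding = set()  # unanswered challenges (single use)

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] not in self.outstanding:
            return False  # signed for another origin, or replayed/unknown challenge
        self.outstanding.discard(data["challenge"])
        expected = hmac.new(self.verify_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def demo():
    real, phish = "https://login.example.com", "https://login.example.net"  # constructed
    shared, now = b"12345678901234567890", 1_500_000_000  # constructed TOTP secret/time
    code_typed_on_phish = totp(shared, now)  # user types it into the phishing page
    totp_relay_ok = hmac.compare_digest(code_typed_on_phish, totp(shared, now))  # RP check
    # U2F-style: the phishing page relays the real challenge, but the browser
    # signs it under the phishing origin, so the real RP rejects it.
    auth = Authenticator()
    handle, vk = auth.register()
    rp = U2fRelyingParty(real, handle, vk)
    relay_ok = rp.verify(*browser_assert(auth, handle, phish, rp.challenge()))
    direct_ok = rp.verify(*browser_assert(auth, handle, real, rp.challenge()))
    return {"totp_relay_accepted": totp_relay_ok,
            "u2f_relay_accepted": relay_ok, "u2f_direct_accepted": direct_ok}
```

Consumed challenges are also rejected on a second submission, which is the replay half of the same check.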

~~~
antsar
TOTP is one thing. Having your backup TOTP key locked in a safe effectively
stops it from being abused.

SMS 2FA, on the other hand, has real security issues[0][1]. In my experience,
SMS 2FA is most commonly the required type of 2FA, before you can add TOTP/U2F
as a secondary.

SMS 2FA is the hardest to lose or break, so forcing everyone to keep it
enabled minimizes support costs for the provider.

[0] [https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication](https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication)

[1] [https://duo.com/decipher/reddit-breach-illustrates-dangers-of-2fa-over-sms](https://duo.com/decipher/reddit-breach-illustrates-dangers-of-2fa-over-sms)

~~~
yborg
The other thing driving SMS 2FA is that this is a clean way for the site/org
to get their hands on a real phone number for you with no extra effort.

SMS 2FA has been repeatedly proven to be trivial to break with a simple phone
call to a mobile provider, since there so far is no downside at all that I am
aware of to the providers. If someone jacks your SMS and drains your bank
account, at least in the US your mobile provider just goes "oops". Until there
is some penalty for them allowing your number to be ported without your
consent, SMS is essentially useless for real 2FA security. Even if the account
security was foolproof, though, it still is vulnerable to SS7 routing attacks.

------
haunter
I tried the quiz to get a recommendation but it finishes in an endless loop >
learn more > quiz starts again

[https://www.yubico.com/quiz/](https://www.yubico.com/quiz/)

Also can anyone explain the multiple models to me?
[https://www.yubico.com/products/yubikey-hardware/](https://www.yubico.com/products/yubikey-hardware/)

Say I want a USB-A key, I can choose from three and they all have different
prices. The Security Keys are less secure than a FIPS or a 5? Maybe I'm just
too end user but the multiple choices to me are the exact opposite of the easy
to use principle. The whole product page is just confusing.

~~~
munchbunny
Short version: the FIPS is for enterprise. The Security Key is for consumers.
The 5 series is for enterprise or power users.

This might be more useful for you: [https://www.yubico.com/products/yubikey-hardware/compare-products-series/](https://www.yubico.com/products/yubikey-hardware/compare-products-series/)

You want the Yubikey FIPS if you're using it in a context where FIPS
compliance matters, such as US government. If not (such as for personal use),
then don't bother.

The Security Key series is the budget minimal "works as a FIDO authenticator".
It lacks the bells and whistles that come with the 5 series. AFAIK it is not
"less secure," it just lacks bells and whistles.

The 5 series works as a FIDO authenticator, but it also includes PIV
capabilities (smartcards, PGP, etc.), which allow you to do stuff like this:
[https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)*
The PIV capabilities matter more in the context of enterprise/government
applications where smartcards have been in common use as a 2nd factor for many
years, which makes having an all-in-one smartcard+FIDO device very convenient.

* Caveat: I recommend against using your Yubikey for SSH private/public key authentication unless your SSH setup also requires a password. Single physical factor is worse than having a password protected key pair in your ~/.ssh folder.

~~~
polack
The Yubikey requires a password by default to use the ssh key stored on it and
it will lock itself after 3 failed attempts. So I don’t think your caveat is
valid. I'd rather have my encryption key on hardware designed to keep anyone who
finds it from brute forcing it than just password protected on a hard drive.

~~~
munchbunny
Yup you're right, I mixed up the PIV behavior with specifics around FIDO2 vs.
U2F PIN policies.

------
s3cur3
I was an early, enthusiastic adopter of Yubikeys at my work. Above and beyond
the other issues people have mentioned, though, the one that _kills_ the
product for me is the frankly stupid OS integration. The key behaves like
“just” a special kind of keyboard which types a long string of gibberish and
then hits enter any time you touch the trigger.

I can’t tell you how many times I have accidentally bumped the thing and
thereby entered my secret key in:

- text editors
- the URL bar of my browser (!)
- Slack chats (!!)

The solution seems obvious to me: make a new type of input field at the
browser and OS level which accepts U2F input, then reject that input in any
text field that doesn’t opt in.

This one issue has made the key way more of a liability than a simple
authenticator app for me.

~~~
sigwinch28
What are you talking about? The default configuration definitely does not type
your _secret key_, but a one time password.

The entire point of the default configuration is that the secret key is stored
only on the device and never leaves it.

~~~
sigwinch28
I should clarify: the secret key should never leave the device after
configuration is completed.

------
sakisv
I think I'd have preferred it if they offered a USB-C and USB-A combo.

~~~
ch
Something like this would suffice, if it was simple to keep along side the
key: [https://tripplite.com/usb-c-female-to-usb-a-male-adapter~U329000](https://tripplite.com/usb-c-female-to-usb-a-male-adapter~U329000)

~~~
ericpauley
I use USB-C devices almost exclusively and opted the other way around,
carrying a USB-A variant with a C-A adapter. A few reasons:

* The A variant yubikey is crush resistant and mechanically simple for a longer life.

* The adapter acts as a form of connector saver for my yubikey, since I usually keep it physically attached to the yubikey itself. With this approach both wear-prone sides (C male and A female) are on the adapter, which costs as little as 1/50th the price of the yubikey.

------
deanclatworthy
Strongly advise anyone considering putting one of these on their keychains to
consider otherwise. The actual connector of my usb-c version has warped in my
pocket over time and it’s now not recognised.

~~~
jwr
The USB-A version is great. I've been using it for more than a year now and it
has taken all kinds of abuse.

I'm considering keeping it and using a small USB-C -> USB-A dongle. I have to
live a dongle life anyway (because of the stupid Apple decision to go all-in
on USB-C, with users as hostages), so it doesn't matter that much.

------
specto
Check out solokeys, though they're doing a hardware revision for the usb-c
since it was flimsy and some NFC changes due to power draw

~~~
hoytech
Solokeys are great. They also have a crowdsupply for a smaller form factor
version (USB-A only for now):

[https://www.crowdsupply.com/solokeys/somu](https://www.crowdsupply.com/solokeys/somu)

------
jpalomaki
Product page: [https://www.yubico.com/products/yubikey-for-mobile/](https://www.yubico.com/products/yubikey-for-mobile/)

------
throw0101a
Handy table comparing their 5-series options:

* [https://www.yubico.com/products/yubikey-hardware/compare-yub...](https://www.yubico.com/products/yubikey-hardware/compare-yubikey-5-series/)

Seems the main questions to ask yourself are:

* is NFC desired?

* do you need/want USB-A _or_ USB-C?

This product adds a Lightning option.

~~~
sebazzz
Is there no lightning to USB A adapter? Seems a bit wasteful to buy another
key for a currently very limited ability in iOS.

~~~
ganoushoreilly
While limited today, there are a bunch of applications in beta testing that
leverage the key. I personally have a small keychain usb-c to A adapter that I
use with my Yubikey Neo. I guess all in they decided a Lightning and USB A
option wasn't as smart given most mobile devices are Lightning or USBC moving
forward.

~~~
throw0101a
The smartphone choices are Android and iOS, and those use USB-C and Lightning
(respectively).

I think they can actually reduce their offerings to two:

* USB-C and USB-A

* USB-C and Lightning

NFC on both variants.

------
dzhiurgis
Are there any security cards that just use NFC (with physical button,
obviously)?

I think government issued cards are a good contender for this. Perhaps it could
even replicate certificate authority chain principles - certain cards could
sign other cards and then can be invalidated if compromised.

My local id card is absolutely pathetic. I have no idea where to get a reader
(although they are generic) and the worst part is the requirement to run a Java
applet in your browser - something that has been dead for over 10 years...

~~~
mschuster91
> I think government issued cards are a good contender for this.

For this, devices would have to support real NFC in the first place.
iPhones/iPads don't allow app usage of NFC, and the flagship Samsung tablets
don't ship with it at all.

~~~
vinay427
Most modern Android phones, or at least the Samsung ones and probably Google
ones I have used, allow for virtually full read/write NFC access as far as I
can tell.

~~~
mschuster91
That would require NFC support in the first place. Just imagine: all flagship
tablet models of Samsung do not ship with NFC. What kind of nonsense is that?!

------
anilakar
There's still one huge disadvantage with hardware-based FIDO U2F tokens:
There's no good way to migrate from one to another. I've got three(!) Yubikeys
of different generations on my keyring because I'm not sure whether I have
enrolled the two newer ones to all the services I'm using.

~~~
ahelwer
The absolute dream is to have a single nonprofit OAuth identity provider
against which people can prove their identities with FIDO U2F, then use the
issued tokens to auth with services of their choosing. Building this network
is incredibly hard, though (what website would accept an identity provider
without any users, and what users would use an identity provider not accepted
by any websites?) so the most popular implementations are hosted by Google or
Facebook - but there you have all the obvious privacy issues.

------
kossae
I thought Yubikey NEO supported NFC on iPhones. I remember reading there was
some flaky support for a while, then a new SDK was released for iOS 11. Is
there any advantage to using the pluggable Lightning Yubikey over the NEO?
Perhaps better app support?

~~~
Fnoord
The NEO is a Yubikey v3. It supports NFC. v3 is the last FOSS one, but it does
not support FIDO2. If you want a YubiKey with NFC which supports FIDO2, you
need a YubiKey 5 (NFC version). Or a Solo with NFC (the Solo supports FIDO2 and
is FOSS).

I happen to have one of the InCharge chargers as a keychain [1] and what is
interesting is that it is 3 chargers in one: one's always USB-A, the other one is
either USB-C or microUSB/lightning. So they combine microUSB with lightning on
the same connector. I wonder why YubiCo did not go with a similar design.

[1] [https://www.indiegogo.com/projects/incharge-universal-one-cable-to-rule-them-all](https://www.indiegogo.com/projects/incharge-universal-one-cable-to-rule-them-all)

~~~
timothy-quinn
In my experience too with testing the NEO, they're just not as reliable to
work with compared to the later models (both over NFC and USB). I believe the
NEO was the first to bring in new features for the Yubikey, and the kinks
weren't all ironed out yet.

If you have a NEO still, I'd recommend at least upgrading to a 4 if you can.

~~~
Fnoord
My NEO is my backup key. My YubiKey Nano 4 is my main key. I also got 2 Solo,
but they only do Fido 2 (not SC) so they're not very useful for me. Though one
will, once I got my next phone (will have NFC).

------
stratosgear
I would much rather back SOMU.
[https://www.crowdsupply.com/solokeys/somu#products-top](https://www.crowdsupply.com/solokeys/somu#products-top)

~~~
falcolas
Which supports neither Lightning nor USB-C (not to mention that isn't funded
yet).

------
OJFord
Does the 5C/Nano work with Android phones with USB-C?

I thought I was waiting for a 5C NFC, but maybe I've been overlooking the
obvious. For some reason it never occurred to me that it might work plugged
directly into my phone if only it had the right shape.

(I have a 5 Nano, which was great until I got a USB-C Macbook and broke
several keychain adapters before giving in and buying one of those hubs that
stick on one side converting the 2x USB-C to the same + USB-A, HDMI, and SD.)

~~~
hatfortguy
This is what I do. The USB-C ones work on Android just fine but it's a little
less intuitive; the YubiAuth app still complains if NFC is disabled and you
might have to turn on OTG for the key to be recognised (which auto turns off
on some phones after 10 mins).

------
bitxbit
Just out of curiosity, is Apple migrating away from Lightning toward USB-C?
$70 for one key is a bit steep especially if Apple eventually shelves
Lightning on iPhones.

~~~
ssully
So far it sounds like the next iPhone will still use lightning, so you should
be safe using this Yubikey for a few years at least.

~~~
smacktoward
It would be _deeply_ frustrating if Yubico were to spend years coming up with
a 2FA product that works with iDevices, and then a few months later Apple were
to throw out the interface that product depends on and thus instantly make it
completely obsolete.

(One would hope that Yubico and Apple have been in touch with each other at
least the minimal amount that would be required to avoid such a fiasco. But
given Apple's penchant for secrecy, who knows?)

~~~
vinay427
Current iPhones will at least be commonly in circulation for a few years, so
it wouldn't be a complete waste.

------
kop316
I actually had the chance to try out a prototype at Blackhat. I was actually
able to have the USB-C portion recognized on my Android Phone (via the USB
port), and it was recognized in Firefox and lsusb (though for some reason I
was unable to register it, and I had the u2f enabled in about:config).

I am tempted to buy it to see if I could get it to work on my phone, I would
much rather have the USB-C work on my phone than an NFC.

~~~
ecesena
Any usb-c key should work on Android. Firefox has been recently updated to
support webauthn, so you no longer have to turn u2f on. Note that some sites,
like Google, only allow you to register the key on Chrome, but then you can
use it on Firefox too.

~~~
kop316
Heh, neat, thank you! I will have to try it out then. I tried to register it
on my Nextcloud instance, so I was surprised it didn't work.

------
moduspwnens14
Does it do U2F on an iOS device?

~~~
fheld
Partly, doesn't support new iPad pro and only in Brave browser

> At launch, it’ll support these well-known password managers and single
> sign-on tools: 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta.
> And when using the Brave browser for iOS, the YubiKey 5Ci can be used as an
> easier way to log into Twitter, GitHub, 1Password’s web app, and a couple
> other services.

see
[https://www.theverge.com/2019/8/20/20813129/](https://www.theverge.com/2019/8/20/20813129/)

------
giancarlostoro
> Security keys offer almost unbeatable security and can protect against a
> variety of threats, including nation-state attackers.

Alright, I'm not a security expert, but I'm not completely illiterate to basic
computer security. Anyone care to chime in how this is much more secure than a
two-factor app?

Sure there's the obvious, nobody can just copy the two-factor app off my phone
with all the codes and have the same codes (I've upgraded phones and taken my
codes with me before...) but who's to stop someone from cloning a Yubico key?

Again I'm not an expert, but I do want to know if this is purely marketing
hype or if there's some security to Yubikey and friends that I'm not aware of.

Also pardon me if I confused two-factor as the Google Authenticator app. Too
many "factor" terms get a bit confusing after a while.

~~~
mightybyte
> who's to stop someone from cloning a Yubico key?

That is precisely what these devices are designed to stop. The device has a
private key stored in hardware in a way that it cannot be retrieved by
software. When you use one of these devices you dramatically decrease your
number of attack vectors because now the attack has to happen physically.
Someone has to actually steal your physical key. And because this is your
"second factor", if that happens they still also have to have your password.

Two-factor apps get closer to this, but they usually can be copied. For
instance, 1Password can be set up to mimic Google Authenticator.

> I do want to know if this is purely marketing hype

This is most definitely NOT marketing hype. It is the current security best
practice.

~~~
giancarlostoro
Impressive, have they had external security firms try to steal the private key?
That's my final thought.

I guess it makes sense. By the time an adversary gets your key you would have
noticed and have locked that key from your account.

~~~
devonkim
Lockheed had a great deal of their MFA keys compromised because the factory
that manufactured them had been breached for a while and nobody had noticed.
Supply chain attacks are performed constantly against large, known entities
and this case shows why they are so pedantic about security and justified in
their paranoia. The problems have been execution of the policy and the costs
of compliance.

~~~
giancarlostoro
Ah this sounds familiar... Probably saw the article here on HN ages back and
forgot. I mostly ask cause I don't have one of these keys but if I were to
consider getting one I'd want to know what a good option would be.

~~~
tialaramex
You should look for a vendor which understands that knowing the secret key
inside the Security Key (that's how all the vaguely cheap ones work, they have
a random secret AES key inside them, that's enough to do everything else
securely) is a terrible idea and so they should arrange for the key to be
chosen randomly and never recorded at all.

With SecurID and similar technologies vendors technically didn't need to
retain the secrets inside those devices after they'd been manufactured and
shipped, but you can see the practical temptation.

On a smaller scale, since the system doesn't use a shared secret you should
just swap a brand new Security Key with somebody else or if deploying to an
organisation just muddle them and let people pick whichever one they want. You
don't care which key you have, the more random the better.

------
bfirsh
The Yubikey website is vague, but it seems like the lightning end only works
with a few apps (1Password, Brave, etc). What do I do if I want to sign in to
anything else that needs 2FA? Do I still need a TOTP app?

~~~
timothy-quinn
From what I've heard from Yubico the next version of iOS is going to make it
far easier to communicate with the device. Integrations will probably still
need to be added by the app developers though to take full advantage.

~~~
bfirsh
Do you know whether that includes websites in Safari? If I can’t use 2FA for
that, I don’t see how I can use a Yubikey.

~~~
timothy-quinn
It's hard to say until we see it in action. I'm optimistic, but with Apple's
track record of hobbling integrations in annoying ways I'm still a little
hesitant.

I really do want them to work fully though so I can extend my product to
mobile too. I know a lot of people now that have gotten rid of their computers
and just use their phones for everything.

------
ryanmarsh
Serious question: If Safari doesn't support U2F/FIDO what good will a
Lightning based Yubi key do me?

To be clear, I'm not knocking the use of these keys. I have Yubi Nano on my
laptop and love it.

~~~
brisance
You can download Chrome, Firefox and Opera from the Apple App Store.

------
miguelmota
This is awesome, been waiting for this for quite a while. The Google Titan
bluetooth support never worked on my phone so it’s cool that I can plug it in
directly now with this YubiKey.

------
exabrial
On an iPhone, will this work when you try to login to your google account in
system prefs? It's been my experience with Bluetooth Fido keys that this does
not work.

------
Slippery_John
To those that have yubikeys: are they actually durable enough to keep on a key
chain?

~~~
filleokus
The USB-A versions are practically speaking indestructible. I've had them for
over 10 years now without any problems.

The USB-C versions look much more fragile though...

~~~
lxgr
They actually feel very robust. I've been carrying mine around on a keychain
in my pocket for a year now and it works flawlessly.

