
Se­cu­rity Keys - ikeboy
https://www.imperialviolet.org/2017/08/13/securitykeys.html
======
technion
I'll repeat a comment I made last week:

I love the principle, but I can't use it with AWS, I can't use it with my
bank, I can't use it with my domain registrar, and I can't use it with Office
365. That's 0/4 of the high priority targets for me.

Edit: If anyone from AWS is around, please consider this. Your organisation
has made huge headway in the field of security, but the AWS console logon is a
very high profile target.

~~~
pjc50
Similarly I remember the first organisation that really tried to get me as a
user to care about account security with a hardware token was .. World of
Warcraft. Followed a bit later by the use of TOTP in Steam. Banks meanwhile
are either stuck in the past or have tried bad proprietary solutions.

Domain registrars are an odd one, because so rarely does one need to log in or
do anything - but when you do it may be urgent.

~~~
dalore
Banks in the UK have been handing out hardware fobs. Not USB devices you put
in, but a calculator like interface where you input the challenge they give
you and you type the response back.

I guess it works since it doesn't need anything else special and can easily
work with web flows.

~~~
dannysu
Banks in the US also hand out hardware devices, especially for business
accounts.

I have RSA token device from Wells Fargo for example.

The problem with these is that I need a special device for every single
account. There are two business accounts I have access to and I have to deal
with two hardware devices.

~~~
Latty
The ones in the UK are a standard - every account I have uses the same ones
and they are interchangeable. Everyone I know had one - they are ubiquitous as
the chip and pin standard is here.

------
stouset
As an addendum to this, I'll relate my own experiences.

The YubiKey NEO-n (and I'll assume the more recent 4 Nano) are phenomenal if
you can (semi-)permanently spare a USB-A port. The ability to generate TOTPs
and FIDO tokens without having to dig out your keys is an amazing convenience.

Unfortunately I can't say the same for their 4C, which I'm using with the new
USB-C-only MacBook Pro. The plastic it's made from begins cracking apart
within a month of use, and completely disintegrates within three months,
rendering the device inoperable. To their credit, Yubico has replaced my
device twice so far, but how this made it past their quality control I have no
idea.

I deeply hope they fix the plastic durability on this device, as well as offer
a nano version with USB-C support that I can leave in my laptop permanently.

~~~
kqr
> if you can (semi-)permanently spare a USB-A port

Or use subkeys most of the time and have master on dongle?

~~~
stouset
I don't think this makes sense in the context of a U2F or TOTP device.

------
jlgaddis
I've got several (~7?) Yubikeys: one that Mt. Gox sent me several years ago
(that would only work with their web site!), an old "Symantec VIP" key, a NEO
that's permanently plugged into the keyboard on my workstation, a couple of
Nanos (almost always plugged into a pair of laptops), and a couple of the
U2F-only ones.

I don't think I've ever had any issues with any of them (there was a "bug" a
few years back and they had to "re-issue" some keys) and I really don't have
any big complaints other than they're a little expensive (but I keep buying
them so apparently not too expensive), just a few minor things.

I've never actually used the U2F ones (browser usage is ~90% Chromium, ~10%
Firefox, on Linux exclusively) but maybe I'll get to someday. The NEO and
Nanos get used dozens of times a day as my SSH keys (GPG subkeys) are on them.
They're also used for unlocking LUKS containers at boot (challenge/response,
with a "passphrase"). I do wish it was easier to load (SSL/TLS) certificates
on them -- and I wish they held more of them! -- but I have a bunch of
physical ("real") smart cards so I just use those instead.

Ideally, I'd be able to put certificates on them and use them to authenticate
(Open)VPN clients on both Linux and Windows. That might even be possible today
but, if it is, it's likely way more complicated than it should be.

Oh, also I used the VIP and NEO at one point with LastPass and they worked
great (but I switched from LastPass when LogMeIn bought them).

~~~
sasas
> Oh, also I used the VIP and NEO at one point with LastPass and they worked
> great

Have you tried logging into LastPass on your mobile device? It doesn't require
the token - effectively bypassing the point of requiring a hardware token in
the first place ..

~~~
ago
That was my problem first too, but you can make it require the token on mobile
too. I have it set up that way and I need to tap my Yubikey NEO to
authenticate using NFC on Android. Works great.

------
jessaustin
_If you have a laptop that only has USB-C ports then a USB-A device is useless
to you. Currently your only option is the Yubikey 4C at $50 a piece._

Is there any reason why a $3 A-to-C adapter wouldn't work for this?

~~~
huntsman
Yes the adapters work.

~~~
euyyn
The downside is they're easy to break if they're left plugged in. I'm on my
3rd one.

------
eeZah7Ux
FTA: "U2F Zero ... the only token on Ama­zon that has open source firmware
(and hard­ware de­signs) ... you value the cool­ness fac­tor of it being open-
source"

Coolness factor? The openness of software and hardware is very important for a
security device as this.

We should expect something so critical and simple to be easily auditable.

~~~
dsacco
It's a myth that open source tools are more secure than closed source tools.

Use whatever tool is put out by the team with the most expertise and the least
reason to do something untrustworthy (or alternatively: the most to lose). A
backdoor can persist in open source tools just as easily as it can persist in
proprietary ones, and teams which make open source tools are frequently
smaller and underfunded for secure feature engineering when compared to teams
which develop closed source tools.

~~~
CaptSpify
> It's a myth that open source tools are more secure than closed source tools.

It's a myth that they are _always_ more secure, but my experience has been
that they are _generally_ more secure. I'd love it if we had some statistics
behind this.

I would argue that foss tools have an inherent interest in being more secure,
while closed-source tools have an inherent interest in being less secure.

------
LeoPanthera
These are currently Chrome only. The Firefox extension requires an external
binary and doesn't work in Firefox 57 anyway.

I like the idea of a physical token, but it would need to be more universally
compatible, which seems difficult unless you go the route of one of those RSA
tags with an LCD display on it. But there's no open standard for those, except
for TOTP, and if you wanted hardware TOTP you'd need a separate dongle for
every site. Inconvenient. (I wonder if you could make a TOTP dongle that can
store multiple keys?)

I do use TOTP, but I use 1Password, which means my keys are not confined to a
single device. I wonder how much less secure this makes them, but it's
probably still better than not using 2FA at all.

~~~
bugmen0t
An upcoming Firefox release will get built-in U2F support, no need for an add-
on. It already supports a softtoken (I.e., implemented in software) behind a
pref. Works well for me on e.g., GitHub. But that's unlikely ever to be
enabled by default in a Firefox release.

~~~
bostik
This was a nice piece of news, so of course I went to check the release
schedule.

[https://wiki.mozilla.org/Security/CryptoEngineering#Web_Auth...](https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication)
states that FF 56 or 57 should have native U2F support, and 57 or 58 would
have it flipped on for everyone. Promising.

[https://bugzilla.mozilla.org/show_bug.cgi?id=1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)
is still open, but has seen plenty of progress.

Even with current version (55), one would expect lot of the groundwork to be
in place. And sure enough, searching for "u2f" in about:config brings up a
nice triplet of security.webauth.u2f* keys.

------
idlewords
Security keys are the best. Here are step-by-step instructions for how to add
one (or several) to your Gmail account:
[https://techsolidarity.org/resources/security_key_gmail.htm](https://techsolidarity.org/resources/security_key_gmail.htm)

------
GreaterFool
Somebody please make a Yubikey Nano like key for USB-C. Don't know what magic
would be needed but need something that I can just carry with my laptop that
doesn't stick out all the time. Or make it work over BLE.

~~~
pfg
Yubico is working on a nano-like design for USB-C[1].

[1]: [https://www.yubico.com/2017/01/yubikey-usb-c-
ces2017/](https://www.yubico.com/2017/01/yubikey-usb-c-ces2017/)

~~~
euyyn
That's the one Adam bought and described in the article. It totally sticks
out.

~~~
pfg
It's mentioned in the last sentence of the article:

> We are working on an additional smaller YubiKey form factor with a USB-C
> design akin to the YubiKey 4 Nano, but do not yet have a time frame for
> availability.

------
hdhzy
Unfortunately they are basically unusable on Android. Only Yubikey NEO has NFC
interface and others cannot be used even by USB-C/OTG interface. The support
would have to be implemented in Google Authenticator but it seems they are not
interested in it.

~~~
veeti
Good news, it's coming!

[https://developers.google.com/identity/fido/android/native-a...](https://developers.google.com/identity/fido/android/native-
apps)

~~~
hdhzy
Could you point to where does it mention USB?

I see only:

> The API supports both NFC and BLE U2F devices.

~~~
veeti
Dig a little deeper:

[https://developers.google.com/android/reference/com/google/a...](https://developers.google.com/android/reference/com/google/android/gms/fido/common/Transport)

I suppose USB support might need integration on the operating system level,
whereas NFC and BLE can be integrated through Play Services. It's a start.

~~~
hdhzy
Great! Thanks for the reference.

------
tedunangst
Teachable moment: Five paragraphs explaining what security keys are and why
they're good, then it's off to Amazon to buy one with the search phrase "U2F
security token". The term U2F appears nowhere in the previous five paragraphs.

~~~
jlgaddis
I agree that the author should've at least explained what U2F stands for (at
the least) but, FWIW, both Google and Facebook just refer to them generally as
"security keys" (I presume because they {do|intend to} support other types of
security keys?).

~~~
idlewords
I think the decision to call them 'security keys' is to avoid jargon, and to
give a helpful metaphor to how they work (you need a security key to unlock
your account like you need a car key to unlock your car).

------
saganus
What I'd like to have is a TOTP hardware device that can store multiple keys.

Even though U2F is much more secure, it seems like the adoption is a bit slow,
unlike TOTP which is broadly supported in my opinion.

However using TOTP with e.g. Google Authenticator makes it a pain when you
lose/reset your phone, and it's harder to share, for example for
administration of certain services at a company (say Heroku).

If I had a chance to buy a multi-key TOTP hardware device I could enable it on
every service and then give the administrators one of the devices.

So yeah, ideally I'd prefer broader U2F support, but in the meantime I'd love
a multi-key TOTP device, which I haven't been able to find unfortunately.

Closest thing I know about is the Protectimus Slim NFC [0], but I would to
need to buy two of them for _each_ service, which gets expensive and unwieldy
very fast.

[0] [https://www.protectimus.com/protectimus-slim-
mini](https://www.protectimus.com/protectimus-slim-mini)

~~~
ianburrell
Yubikey Neo can store multiple TOTP keys. Have to use Yubico Authenticator app
to load or read them on Android phone through NFC. There is also desktop app
for USB.

~~~
saganus
I was not aware of that and it does sound like a solution.

However I'd love to have a hardware device that I don't need an app to use. To
load the keys and configure it I have no problem with, but to actually read
the TOTP it would be great if I could just click a button and read a display
instead of having to use extra infrastructure.

Kind of like my 2FA token for my bank, which just requires me to push a button
and that's it.

Thanks for the tip though.

------
rthomas6
Off topic: I like how this website is set up and would like to know how it's
made. Does anyone know what CMS/static generator/whatever it's using?

------
makmanalp
I keep asking this on every key thread and don't get great answers - shouldn't
we care which ones are actually audited by a 3rd party? Should we bother at
all if they aren't? It appears that most aren't, yubikey and nitrokey are the
two that are.

~~~
Tomte
I think U2F keys either work (obviously) or don't.

How could they fail silent? Bind to another URL? No, that's a functional
failure.

Leak cryptographic material to an attacker? I guess not, unless the attacker
controls the web browser, and then all bets are off.

I'm not a security expert, so take with heaps of salt, but I can't see much
exposure here.

~~~
icebraining
_I guess not, unless the attacker controls the web browser, and then all bets
are off._

The point of U2F is to avoid trusting the system, including the browser.
Otherwise, what's the point over using just a password manager?

~~~
Tomte
No, that's obviously not the point, because U2F cannot do that.

The point is to combat phishing.

~~~
mcpherrinm
Then why not use a software token built into the browser or OS?

Having a hardware dongle is absolutely about preventing malware on the PC from
making off with your key material. That's also why you usually have to press a
button to complete the U2F flow.

~~~
pfg
You're not wrong, but for most sites, there is very little difference between
extracting the U2F key and a session key, from the victim's point of view.

Exceptions to that rule include sites that do things like what GitHub calls
"sudo mode", where you have to confirm certain security-sensitive actions with
another U2F confirmation. This would require more effort on the attacker's
side, as they'd have to trick the victim into performing a U2F confirmation.
More effort, but far from impossible: simply display a fake login prompt for
the victim, but instead of logging in, perform whatever malicious action you
want to perform. Session keys might also be less persistent (they're limited
to something like 30 days on Gmail, for example), so that's another small
advantage if the attacker wants to keep their access over long periods of
time.

Still, for the vast majority of sites and threat models, hardware keys aren't
a whole lot better. If it's easier to get adoption for soft keys, that might
be a worthwhile trade-off. Natively supported TPM/SEP-backed keys would
probably hit the security/UX sweet-spot.

------
argentinaIT
Has anyone build a U2F + PIV device? I need a device that does both u2f and
digital signatures (like in standard PKI) Only nitrokey says they are working
on something like that, and Yubico doesn't care to answer emails about this.

~~~
mbthomas
I think the Yubico 4 series would do what you want. They supports U2F, GPG,
and PIV: [https://developers.yubico.com/yubico-piv-
tool/YubiKey_PIV_in...](https://developers.yubico.com/yubico-piv-
tool/YubiKey_PIV_introduction.html)

------
jwcrux
U2F/UAF/Webauthn are a really interesting chicken/egg problem.

Right now, not too many providers support these auth protocols, even though
they are more secure than current 2fa alternatives and provide a better user
experience. The aren't widely supported because that costs development time
and many of their customers don't have security keys.

Customers won't buy security keys because it's an added cost that isn't
supported by many websites.

The author of the post briefly mentions SoftU2F at the bottom of the post, but
it's important to recognize how significant SoftU2F is to the U2F ecosystem.

We're just now starting to see consumer hardware come with HSM's built in.
Apple SEP, Intel SGX, etc. are examples of this. SoftU2F _will_ be able to
leverage these consumer HSM's to do secure crypto operations - see the pull
request at [0] about storing keys in the SEP. This will effectively put U2F
and UAF capability into the hands of your average consumer with no additional
cost. Things can be just _built-in_, which is what it'll take to start seeing
increased protocol adoption across browsers and service providers.

I'm stoked about the future of security keys and the associated protocols.
Both external keys and HSM's built directly into consumer hardware.

[0]
[https://github.com/github/SoftU2F/pull/29](https://github.com/github/SoftU2F/pull/29)

~~~
weeks
While I absolutely agree with you, it seems far more likely that native
implementations by Apple, Google and Microsoft will dominate the market.
Windows Hello is a great early example of this.

~~~
jwcrux
I hope they do. Wouldn't that be incredible? Having _native_ U2F/UAF built
right into the browser.

The hard part is that there's another more subtle chicken and egg problem when
it comes to software implementations and consumer HSM. Google/Apple/Microsoft
will likely only really push forward native implementations when there is
enough market share for consumer hardware having HSM's built in to make it
worth it with feasible fallback options.

~~~
jlgaddis
It's too bad that TPM usage never really took off. TPMs would have (in theory)
been great for this use case that U2F is addressing.

~~~
mjg59
Not entirely, since there's no easy way to tie physical presence to secret
availability

------
pmoriarty
My main concern is getting access when the security key breaks or I lose it.

For this, it's imperative that there's either another way to get access or
that I associate a 2nd security key with the service I need access to. Of
course, it's possible that the 2nd key breaks or is lost.

At least with hard drives, it's common for two hard drives manufactures around
the same time to fail around the same time, so I'd be concerned with the
possibility of that happening with the two security keys as well.

~~~
chaz6
I have 2 keys, one stored in a safe place. They are cheap enough that you can
have several, but then it becomes a challenge to keep your various accounts up
to date. I wish that openid was still well supported as I would like to have
one authentication provider for all my online accounts.

~~~
Corrado
So, when you join a new site that supports U2F do you have to retrieve your
"extra" key and join it to the site? That seems quite fragile and fraught with
danger. :(

------
cromantin
I've been using Yubikey as my 2-nd factor password source for years. It's
great. I would have even thrown away second factor if yubikey could have
unlocked macos FileVault.

What's 2-nd factor password? Well, basically yubikey stores just long text
string, and another, shorter string, is stored in my brain. When i login i
enter short string, then press yubikey.

To steal my data you don't only need to steal yubikey but also get my part of
the password from me.

~~~
jakob223
If you just use the yubikey to store passwords, though, then you're vulnerable
to a
[https://en.wikipedia.org/wiki/Replay_attack](https://en.wikipedia.org/wiki/Replay_attack)
.

~~~
kelnage
[-You would be correct if-] It seems you are correct when the protocol works
as described in the parent comment.

[-But it so happens that the-] Of course in OTP mode, the YubiKey protocol
protects against replay attacks by using a counter on the YubiKey. This
(authenticated) counter value is included in the messages that are exchanged
during the authentication - and hence any replays can be detected/ignored as
the counter value will be less than or equal to the last received counter
value.

Edit (deletions marked with [- -]): I had no idea people used modes other than
OTP with their YubiKey...

~~~
cromantin
Unfortunately parent is right. What you describe is using generated one time
passwords. But there is no way (to my knowledge) to incorporate 2nd string
into it.

Ex: right now - myPass<boop the yubikey><long password from yubikey followed
by linefeed>

with otp - myPass<boop><hashed and signed one time password that no nothing
about myPass>

~~~
kelnage
Wow, I had no idea YubiKey offered that mode of operation. I had assumed it
was purely used as a OTP. Do you know of any documentation for it?

~~~
cromantin
This was like 6 years ago :) If i remember correctly it was
[https://www.yubico.com/wp-
content/uploads/2015/11/Yubico_Whi...](https://www.yubico.com/wp-
content/uploads/2015/11/Yubico_WhitePaper_Static_Password_Function.pdf)

I had a blog post some time ago -
[https://varamashvili.blogspot.com/2012/09/using-yubikey-
with...](https://varamashvili.blogspot.com/2012/09/using-yubikey-with-
filevault-2.html)

I should note that currently i'm thinking to migrate to OTP and use brain-
string (password that i remember) for filevault and mac login. I will try
using OTP for sudo, maybe keychain, will try to add gpg subkey there and see
how it'll go.

------
devy
I just recently bought a Feitian ePass FIDO NFC U2F security key. It works
great with Google, Dropbox, GitHub and Facebook.

Considering Feitian ePass FIDO security key's pretty good quality (injection
molded and sealed key), great price point (with the special, it was almost
half the price of lowest Yubico keys yet still NFC capable), it's gonna be my
next go-to choice for future U2F keys.

------
drewg123
What's the current state of U2F with Firefox?

The last time I tried to use U2F on Firefox, I had install an extension, and I
had to change my user agent string to Chrome to even be offered U2F on most
sites, including my employer's DUO based auth system.

This caused no end of headaches, because my employer would ... helpfully...
send me nagging email about using an out-of-date browser, due to the user
agent strings specifying some older version of Chrome.

~~~
jimktrains2
[https://bugzilla.mozilla.org/show_bug.cgi?id=1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)

Someone wrote an add-on, but it doesn't work in nightly.

[https://addons.mozilla.org/en-
US/firefox/addon/u2f-support-a...](https://addons.mozilla.org/en-
US/firefox/addon/u2f-support-add-on/)

~~~
drewg123
I think that's the extension I was using.

I fear that even once Firefox has native U2F support, websites may still be
checking for a Chrome agent string.

------
confounded
I imagine the answer is "because it's not on Amazon", but I wonder why they
didn't review the Nitrokey?

[https://www.nitrokey.com/](https://www.nitrokey.com/)

Despite being a little fat and ugly, it seems like the best of the devices to
me (I'll be ordering one soon).

------
baby
The nano is my favorite one as well. It's so unintrusive. Now I hope agl is
writing this because he's looking into making these keys more useful. Because
right now the usecases can be counted on one hand.

------
anoother
I have a HyperFIDO Mini and a Key-ID and have had no problems with them across
at least 3 machines.

Very surprised about them causing reboots (I assume this means hard resets?)
on the reviewer's computer.

~~~
idm_guru
I prefer my HyperFIDO Mini. The Nano sends OTP text if you accidentally brush
into something, and it's very awkward to get out. The light is "blinding" ???
That is ridiculous...

------
jlgaddis
List of sites that support 2FA (and which methods, including U2F):
[https://twofactorauth.org](https://twofactorauth.org)

------
teddyh
Not listed: [http://wiki.seeed.cc/FST-01/](http://wiki.seeed.cc/FST-01/)

------
voiper1
ELI5 why these are unphishable?

~~~
Tomte
In phishing, bad guys lure users to site B while users believe they are at
site A.

Users enter their credentials and game over.

The important point is that users are deceived, but not the web browser. The
browser knows perfectly well, that the URL is amazon.com.something.com, the
problem is that it has no expectation which URL is the one the user has in
mind.

With a U2F key it's the same scenario. But the browser tells the key "this is
for amazon.com.something.com" the key incorporates that into it's
cryptographic input, so it's "bound" to that URL.

Later the bad guy presents the key's output to amazon.com, and now the server
has an expectation that's not fulfilled: "I'm sorry, that's not for me".

~~~
pmoriarty
What happens if the attacker spoofs DNS?

Also, the scheme you describe requires the user to trust the web browser. But,
if the web browser is, say, on a public computer, it can't necessarily be
trusted.

~~~
pfg
> What happens if the attacker spoofs DNS?

They would also have to get a publicly-trusted TLS certificate for that
domain. U2F is HTTPS-only, at least on Chrome. If the attacker can do that,
you have bigger problems.

> Also, the scheme you describe requires the user to trust the web browser.
> But, if the web browser is, say, on a public computer, it can't necessarily
> be trusted.

No one has really solved secure authentication on a compromised system. I dare
say it's not a problem that can be solved.

~~~
StavrosK
Can you reuse tokens, or use previous ones? It seems that, even if the browser
were compromised, the key should still be safe, as the user has to use one
response to log in. If the response can't be reused, and the challenge can't
be reused to generate a new response, the user should be safe, no?

Basically, if the site sends a random nonce to sign, I don't see how you can
reuse things. The most you can do is have the browser sneakily and remotely
authenticate you on your computer (if you're the attacker), but the user still
needs to press the button.

~~~
pfg
I think you're making this too complicated, unless I'm missing something. If
your system is compromised, the attacker can steal your session key (from your
cookies or whatever else the site uses). That's just about as good as your U2F
key, with some defense-in-depth exceptions that I mentioned here[1].

[1]:
[https://news.ycombinator.com/item?id=15044826](https://news.ycombinator.com/item?id=15044826)

~~~
StavrosK
It is, but it doesn't mean the U2F key is compromised, that's what I was
wondering.

~~~
pfg
Ah, yes. The key would not be compromised and U2F is safe against replay
attacks.

