
Adding a security key to Gmail - idlewords
https://techsolidarity.org/resources/security_key_gmail.htm
======
lrvick
I would advise against Google Authenticator as a backup as it really defeats
the point of a hardware token.

Google Authenticator stores the TOTP secret in plaintext on your device where
the potential exists for it to be stolen. An adversary that exploits your
phone can generate TOTP tokens as they like and ignore the fact you have a
hardware token. If you are going to use Google Authenticator it is your
weakest link and a security token buys you no added security, only ease of
use.

The typical goal of a security token is to be able to assert: "No one can log
into my account without this physical device or an offline backup token from
my safe"

To achieve this consider a device with built-in TOTP support in addition to
U2F. All current Yubikeys fit the bill here, as well as some Nitrokey
models. Desktop or Android users can use either USB or NFC devices, but it
is worth noting that iOS lacks support for either, which means you would need a
desktop or Android device to fetch TOTP tokens for an iPhone.

You can use the open source "Yubico Authenticator" apps to store your TOTP
secrets in your key alongside your U2F secret. Now both methods use the same
hardware, and your phone/computer only gets handed OTP codes from the key if it
is present, but can't generate them itself.

Added bonus is you can now use security token backed login even on the
majority of sites/browsers today that lack U2F support.

Extra bonus is these keys can be used for ssh without any server changes.
Security token all the things :)

~~~
tptacek
The attacker who gets access to the filesystem of your phone can almost
certainly defeat any "encryption" a TOTP authenticator would use to protect
secrets, so the premise of phone-based authenticators is that your phone isn't
going to get compromised.

This is reasonable when you consider that if your computer --- the least
secure device you own --- is compromised, your attacker is virtually certain
to get your email account with it, because you'll have (at some near point) a
logged-in session.

Meanwhile: the #1 concern that laypeople have about security tokens is that
they'll be locked out of their account when they lose the token. Authenticator
(or Duo) is a perfectly sane answer to that concern.

Finally, it's worth adding that at least the last time I helped someone set
this up, you can't remove your phone number as a factor from your Google
account until you have TOTP set up. Your phone number is an extremely insecure
login factor.

We use, and recommend, Google Authenticator as a backup login factor.

We do not recommend Yubikey 4 keys for normal users. Nerds on HN might get a
kick out of them; I say, go ahead and enjoy yourself. We're trying to solve
problems for people who aren't computer experts.

~~~
lrvick
Yubico Authenticator is a fork of Google Authenticator and is a drop-in
replacement.

I have never had any problem helping someone that has used Google
Authenticator set this up. Scan barcode and tap.

Also users have a much easier time when they get a new phone. Just tap to new
phone and get codes. There is no data to transfer.

As for people getting locked out, that is what the printable backup codes are
for, or a secondary key, depending on your threat profile.

In a corporate setting this is a non-issue as an admin can bail you out.

~~~
tptacek
That's a desktop TOTP application. Now not only do they have to have their
computer with them to log into their Google account from their phone, but they
have to have 2 security keys on the account to remove their phone number from
it, and all their backups are physically separated from them, so unless they
bring their backup codes with them when they travel, if they lose their key,
they're boned.

And all this for what real additional security?

If you want to nerd out and get your security key to do pet tricks like
handling your TOTP secrets, I do not have a problem with that. But please
don't tell ordinary users they're wrong when they don't do that.

~~~
lrvick
I have Yubico Authenticator installed on my phone and my desktops/laptops.

The Android app is a direct fork of Google Authenticator and has nearly
identical UX.

I tap/plug my key to either of them to get a token.

If you want to make the argument TOTP via hardware token is overkill for most
users, that is totally fair. On that note though, there is no point in having
a hardware token via U2F.

Security is about the weakest links. All I am saying is anyone going through
the trouble to set up U2F as this guide suggests might as well spend the
extra 10 seconds to store their TOTP secret on the key as well, vs exposing it
on the phone.

I assume someone that has a hardware token is getting it for a reason: To have
assurances an attacker can't log in as them without that token.

~~~
dsacco
I disagree with regards to your risk analysis.

Your cost/benefit considerations prioritize relatively _minuscule_ security
improvements without considering usability costs or diminishing returns. While
we're at it, why don't we just use one-time pads? After all, those are
impervious to any form of cryptanalysis.

The risk profile for most users does not require a hardware-based auth factor
if it results in _real world_ usability sacrifices that end in either 1)
accidental misuse or 2) gradual disuse.

You're optimizing for someone compromising the device, great. But the point is
that if that risk is on the table, all of this work is essentially meaningless
anyway.

~~~
idlewords
"if that risk is on the table, all of this work is essentially meaningless
anyway"

I can't agree with this strongly enough. If someone's willing and able to hack
your iPhone, then you need more help than a random art major writing a yubikey
howto can give you.

~~~
orbitingpluto
Just an offshoot thought, but some random art major writing one of these
guides giving a bird's eye overview of the entire process is something most
businesses should be able to do themselves. But they don't.

------
hdhzy
U2F has some interesting properties. It cannot be phished (browser sends
origin to the token), binds the credentials to username (you can use one token
multiple times), can be attested (e.g. server can trust tokens only from
manufacturer X), uses asymmetric crypto (P-256) instead of shared secrets.
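
As an added example (not from this thread and not any real U2F implementation), the following toy Go model shows the origin binding described above: the browser fills the page's real origin into the client data and selects the credential by appID hash, and the relying party verifies the P-256 signature only under its own appID, so an assertion produced on a look-alike origin fails. Assumptions: appID is simplified to equal the origin, key-handle wrapping and attestation are omitted, and the challenge and origins are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ClientData is built and hashed by the browser; the web page cannot choose Origin.
type ClientData struct{ Typ, Challenge, Origin string }

type Token struct { // toy authenticator: one P-256 credential bound to one appID
	appIDHash [32]byte
	key       *ecdsa.PrivateKey
	counter   uint32
}

// Register mints the credential; the relying party stores the public key.
func Register(appID string) (*Token, *ecdsa.PublicKey) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{appIDHash: sha256.Sum256([]byte(appID)), key: k}, &k.PublicKey
}

// digest hashes the U2F message: sha256(appID) || 0x01 (user present) || counter || sha256(clientData).
func digest(appIDHash [32]byte, counter uint32, clientData []byte) []byte {
	c := sha256.Sum256(clientData)
	msg := append(append(appIDHash[:], 0x01), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	d := sha256.Sum256(append(msg, c[:]...))
	return d[:]
}

// Sign is the token side; the browser derives appID from the page's real origin.
func (t *Token) Sign(appID string, clientData []byte) ([]byte, uint32, bool) {
	if sha256.Sum256([]byte(appID)) != t.appIDHash {
		return nil, 0, false // credential belongs to a different origin: nothing to sign
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest(t.appIDHash, t.counter, clientData))
	return sig, t.counter, err == nil
}

// Verify is the relying-party side: origin and challenge must be its own and the signature must check out.
func Verify(pub *ecdsa.PublicKey, appID, challenge string, clientData, sig []byte, counter uint32) bool {
	var cd ClientData
	return json.Unmarshal(clientData, &cd) == nil && cd.Origin == appID && cd.Challenge == challenge &&
		ecdsa.VerifyASN1(pub, digest(sha256.Sum256([]byte(appID)), counter, clientData), sig)
}

func Login(t *Token, pub *ecdsa.PublicKey, realOrigin, pageOrigin string) bool { // browser on pageOrigin, assertion sent to realOrigin
	cd, _ := json.Marshal(ClientData{"navigator.id.getAssertion", "c0ffee", pageOrigin}) // fixed challenge, constructed
	sig, ctr, ok := t.Sign(pageOrigin, cd)
	return ok && Verify(pub, realOrigin, "c0ffee", cd, sig, ctr)
}
```

A relayed assertion from a look-alike origin is rejected twice over: the token holds no credential for that origin, and even a forwarded client data blob names the wrong origin.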

------
samdk
Thanks for writing this!

One nitpick: the guide says "If you're curious why it's important to not have
a phone number on your account, see the security key FAQ", but the linked
security FAQ doesn't actually appear to say why it's important.

~~~
idlewords
Sorry about that, I'm updating that FAQ next.

The answer is that SMS is not a secure second factor (it's easy to hijack and
eavesdrop on), and in some cases when you give a service a phone number, it
becomes possible to take over the account with just control of the phone
number.

~~~
joshgel
Google now offers "Google prompt" which sends a push notification to your
phone through the Google app. How secure is this method?

~~~
idlewords
Much better than SMS, but not as good as a security key, because if you can
fool someone into logging in to an impostor site, you can get their email
account.

It would be a reasonable backup in place of (or in addition to) Google
Authenticator.

------
lyrrad
The article says that any key will do. Is there any concern with buying a less
expensive security key from a less established company, or even a third party
seller on a site like Amazon? Could a malicious entity make an intentionally
weak security key and sell it? How would such an attack be detectable?

~~~
lrvick
I would stick to things like nitrokeys/yubikeys that have gone through rounds
of side-channel attacks, research, and upgrades.

The only one I can generally suggest for most people right now, in spite of it
being closed, is the yubikey 4. Mostly because it can be configured to require
a physical touch for each operation. Something a remote attacker can't do.

I started putting some comparisons down here:
[https://github.com/lrvick/security-token-docs/blob/master/Devices.md](https://github.com/lrvick/security-token-docs/blob/master/Devices.md)

------
barking
I'd like some advice about safely accessing gmail from your phone.

In particular an android phone that might not have the latest version of
android on it.

Also for situations where not only do you access your gmail from your phone
but also your google authenticator app is installed on it.

~~~
b15h0p
The recommended way is app passwords. You basically generate a password for
each app that needs to access your mail account. You can easily revoke access
for a single app in case something goes wrong. Also, nobody gets the chance to
read your actual password.

~~~
RJIb8RBYxzAMX9u
Unfortunately, you can't access GMail over its "native" protocol using
app-specific passwords: it'll only work for IMAP. And the GMail client is a
_terrible_ IMAP client. My inbox and folders / labels would constantly desync.
I'd moved to FastMail a while back and the problem persisted, so I'm
reasonably sure it's the client.

I'm actually using Outlook as my e-mail client now. It's surprisingly snappy
for my minimal needs. Maybe I should switch to iCloud for e-mail, and aim for
the trifecta...

~~~
leni536
Did you try K-9 Mail?

------
orbitingpluto
The HyperFIDO Mini (U2F Security Key) is the cheapest and smallest key I've
found so far for $10. (Amazon)

The Yubico are probably the best key chain candidate. No one wants to trust
their key to a weak nylon thread.

You can also set up a Google account to use more than one U2F key.

As for Google 2FA, I think Google caused a lot of confusion by how they set up
the Google Authenticator app. Always opt for the text generator codes instead
of a barcode. You can then use the code on a second Google
Authenticator app on another device. Google at one time stated that you could
only set up 2FA on a single device, which makes most users leery as one could
lose his or her phone.

~~~
nsheridan
There's nothing stopping you from scanning the barcode multiple times.

~~~
orbitingpluto
Didn't it change the web page on your computer browser after you successfully
added it into Google Authenticator?

I suppose you could always take a photo of the QR code and then rescan that.
Text seems simpler.

edit: Anyone else remember this behavior? Old version? Browser specific?

~~~
hdhzy
It changes when you input current code. You can scan it multiple times, print
it, and then input the code from one of your devices.

~~~
captn3m0
Also, if you have a rooted device, you can get the original secret from the
SQLite database of the authenticator app.

~~~
garethadams
"can get the original secret" is a phrase which should worry a
security-conscious person

~~~
lorenzhs
rooting their phone is not something a security-conscious person would do,
either.

Edit: maybe I should have explained my position. There are a few security
issues with rooting a phone, e.g.:

- rooting usually requires unlocking the bootloader. Once it's unlocked,
anyone can flash or boot a custom recovery and modify your system partition.
Enrolling your own keys in the recovery and re-locking the bootloader, while
possible, is an undocumented and complex process that just about nobody uses,
see [https://mjg59.dreamwidth.org/31765.html](https://mjg59.dreamwidth.org/31765.html).
You're also screwed if a system update replaces the recovery. Once the
bootloader is unlocked, anyone with physical access to your phone can mess
with your system in malicious ways.

- it circumvents the system's permission model. A malicious app that tricks
the user into granting it root rights (maybe for a legitimate reason) could
access information it shouldn't have, install a keylogger, etc.

------
phillc73
The article mentions Yubikey at $18. As an alternative, the Nitrokey U2F is
only €9 (€11 including delivery).

[https://shop.nitrokey.com/shop/product/nitrokey-u2f-5](https://shop.nitrokey.com/shop/product/nitrokey-u2f-5)

~~~
nspassov
Plus, unlike with Yubikey, Nitrokey has open-sourced both hardware and
firmware [1].

[1] [https://github.com/nitrokey](https://github.com/nitrokey)

~~~
phillc73
True for their storage and encryption products. Unfortunately not for their
U2F product. "Nitrokey U2F is a relabeled 3rd party product and hence not open
source."[1]

[1] [https://shop.nitrokey.com/shop/product/nitrokey-u2f-5](https://shop.nitrokey.com/shop/product/nitrokey-u2f-5)

------
timvdalen
The article states:

>If you're curious why it's important to not have a phone number on your
account, see the security key FAQ.

but this is not explained in the FAQ. I've never heard about this before, why
is this important?

~~~
mavhc
I guess because it's relatively easy to redirect/capture an sms/phone call.
Trick the phone company into moving your number to a new sim for example

~~~
idlewords
Yes. Also governments can see SMS in transit (a concern in many places), and
SMS-es can show up on a lock screen. I'm updating the FAQ next; sorry for this
dangling reference!

------
wxiluo
If you want to use your Google Account on your iPhone's Mail, Calendar, or
Contact apps: Security Key doesn't work with apps that come on your iPhone,
but you can use Google apps instead.[0] I'm using Google Contact on my iPhone.
It seems security key is not for me. :(

[0]: [https://support.google.com/accounts/answer/6103523](https://support.google.com/accounts/answer/6103523)

~~~
wh313
Have you tried using app specific passwords?

------
ubercow13
Is there any point in doing this if you do not use Chrome?

~~~
hdhzy
Only Chrome supports U2F. Firefox has experimental support if you enable
special flags in about:config, but I never got it to work.

U2F will be superseded by Web Authentication [0], which includes U2F and will be
supported by all major browsers. Edge includes a draft-spec API that uses the TPM to
store keys.

[0]: [https://w3c.github.io/webauthn/](https://w3c.github.io/webauthn/)

~~~
cntlzw
You can use U2F in Firefox with an extension. Last time I tried, it worked.
However, I use Chrome most of the time, so I am not sure if it still does.

[https://addons.mozilla.org/en-Us/firefox/addon/u2f-support-add-on/](https://addons.mozilla.org/en-Us/firefox/addon/u2f-support-add-on/)

~~~
idlewords
You should not use Firefox if you want the protection of a U2F key.

------
cntlzw
Bought a U2F Yubikey more than a year ago. It is pretty sturdy. Better buy two
and use one as a backup. U2F is really convenient to use. Compare that to all
the OTP apps out there.

~~~
captn3m0
My Yubikey recently died, so I'd +1 on this approach to have another as
backup. They offered to replace it under warranty, though.

~~~
lrvick
I am very curious what you did to kill it. I have been unable to with anything
short of a hammer or soldering iron.

------
TorKlingberg
How does the communication between the USB key and Google in a browser work?
Will it work on all operating systems and browsers?

~~~
r3bl
As for the operating systems: in order to use it on your phone, you'll need to
be careful to use a YubiKey with NFC support and have a phone that supports
NFC. You won't have any trouble using it on Windows/Ubuntu/macOS.

As for the browsers: Chrome/Chromium works fine. Firefox has an addon that
adds security key support[0]. Unfortunately, this addon has a bug which causes
high CPU load[1]. Firefox is also working on adding the native support for
this, and I think that their ETA is somewhere in the second half of this year
to get this thing to work natively. Unfortunately, even with the U2F addon on
Firefox, you still won't be able to use it for Gmail, since Google hardcoded
its browser to be the only one with U2F support, so you're going to have to
change your user agent in order to use it, or default back to your second
method of 2FA (Google Authenticator or something of the sorts). I have no
knowledge about the U2F status on Safari and Edge.

As far as I was able to discover, the only service that didn't hardcode Chrome
as being the only browser at the moment with U2F support is GitHub, and using
YubiKeys with Firefox + U2F addon on GitHub works without any issues (other
than the occasional high CPU load that I've already mentioned).

I wrote a short article on my blog about Yubikey usefulness for my usual setup
about a year ago[2]. Things have changed slightly for the better since then, but not
by a lot.

[0] [https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/)

[1] [https://github.com/prefiks/u2f4moz/issues/51](https://github.com/prefiks/u2f4moz/issues/51)

[2] [https://blog.r3bl.me/en/yubikey-review/](https://blog.r3bl.me/en/yubikey-review/)

~~~
hdhzy
U2F itself as a browser API is a dead-end and will be replaced with newer FIDO
2 WebAuthentication API, but fear not - it's supposed to be compatible with
U2F tokens in use [0].

WebAuthentication will be supported in all major modern browsers [1], it just
takes some time to implement.

[0]: [https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c254](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c254)

[1]: [https://www.chromestatus.com/feature/5669923372138496](https://www.chromestatus.com/feature/5669923372138496)

------
angry_octet
The best part of the article:

"If you're on a newer mac, you may have to use a USB adapter, like an animal"

------
probably_wrong
"We'll remove the phone number later"

Too late, Google now has it and can correlate my profile with other sources.
There's literally no other reason why Google doesn't let you enable 2FA
without a phone number.

I wish I didn't have to choose between security and privacy.

~~~
idlewords
There is a more benign reason Google requires a phone number—they're worried
you'll lock yourself out of your account.

I'll take the Pepsi challenge with anyone on Google bashing, but I think this
one is not fair.

It does hold for Facebook, though :-)

