
I have a Yubikey, but almost never use it. I still don't get it fully, don't have a use-case where it totally works for me. Having one key is maybe part of the problem. If I lose it, what then?



Some people will tell you to buy two Yubikeys and leave one as a backup. I don't think that's necessary. No matter what, you should generate a backup software key and keep it on offline encrypted storage; if you lose the token, just use the backup key until your replacement arrives.

It's even easier for Github and Google Mail. For web services, the right stack is:

* Hardware U2F token

* Backup software TOTP (Duo or Google Authenticator or whatever)

* Backup printed (or saved on offline USB key) passcodes

* Disabled SMS.

Unlike SMS, which is devastating to security even as a fallback, having a software TOTP option is basically fine; most of what U2F buys you is unphishability. This leaves you with two levels of backup, one of which is reasonably secure indefinitely.


Isn't disabled SMS overkill for most casual threat models? As I understand it SMS would require someone to MITM the telecom network OR snoop the local antenna when you receive it on your phone. Which is a danger if you expect, like, nation-state adversaries.

But if I'm, say, protecting my GitHub account against Russian mafia hackers, that still seems perfectly fine?


The bigger problem for SMS-based 2FA is social engineering attacks on the support personnel of mobile network operators. They typically don't have fancy authentication schemes - it's fairly easy to get them to redirect messages to a different SIM or something like that.


I can't speak to current day, but in the past it's been very easy to social engineer telecoms. So especially for high value accounts this shouldn't be used.


No, defeating SMS security is not a state-level-adversary task.


Can you disable SMS on google? I've tried and have been unsuccessful. Phone is required to enable 2FA. Once that is enabled, I can add yubikeys. After adding yubikeys, I am unable to remove phone as a 2FA alternative.


It's possible to disable SMS-based 2FA. Perhaps you need another backup option before you're allowed to remove the SMS option. In my case, I was able to do it with two U2F keys, TOTP and backup codes enabled.

You might need to remove it as an account recovery number as well. Those can effectively downgrade your login to one factor.


>you need another backup option before you're allowed to remove the SMS option.

This was the answer. Google prompt isn't allowed with hardware tokens. Backup codes evidently don't count. So the only way is to set up Google Authenticator on a phone. Authenticator from f-droid works. After I set up Authenticator, I no longer got the "Something went wrong. Try again" toast when trying to delete the sms number.

Edit: Just realized what Yubico Authenticator is for :)


Yes: delete your phone number.


I was also unable to do this, but I tried earlier today and it worked.

You have to have TOTP and Backup keys. Maybe this is a recent change.


You need a software token (Google Auth) or backup codes before removing the phone number.


When I first got mine, I was the same way. I learned different bits in steps. First was yubikey-luks for full disk encryption. Then using my ssh key on it. Then GPG key on it. Then using GPG key for password storage with QTPass, OpenKeychain/Android Password Store. Then 2FA with gmail. I'm getting a lot more use out of mine more than a year after originally getting it.


For the ssh key, are you using your yubikey on multiple computers or just one? I just started looking at this but it seems like there is a bit of setup needed for each computer. I guess it might be worth it but would be interested to hear about others experiences.


It's very easy to set up on Linux, but it does require a fair bit of setup to get it to work with Windows. I haven't set it up on OS X but I expect it to be about as easy as Linux.

I've been doing SSH with a yubikey key only for about 6 months now and haven't had any issues with it. I regularly move between multiple computers. Once I set it up on one computer I've never had it take more than 15 minutes to get up and running on any computer I've needed it on (Windows or Linux).

The only thing I'm really missing is the ability to log into my server from my phone. There was some talk of getting ConnectBot and Open-Keychain talking to each other to get this working but it appears to be stalled.


Yeah, it does require some setup on the ssh client machine. So far, I only set up my home laptop with it. It's probably not hard on the work machine, but different OS so I haven't tried.


I'm in the same boat and actually submitted an "Ask HN" a while back to see what others were doing (https://news.ycombinator.com/item?id=13567209). I have the plain ol' yubikey and also the NFC yubikey but I haven't found a good, real world use case for them. It might be that I'm just not the target market or that I haven't put enough time/effort into it. For me the big selling point was the FIDO stuff but so few providers seem to use that...


Check out some of my last answers in this thread. I use it for:

U2F (Google, Dropbox, Facebook, Github, Bitbucket), TOTP (Slack and everybody else that does not support U2F), Yubikey OTP (LastPass), static password for luks decryption (additionally to normal password), GPG Smartcard

The only feature I'm not yet using is the PIV SSH stuff.

I also just like hitting the button and printing out OTPs when I'm bored.


I was pretty paranoid about moving to 2FA for my personal account due to fears about getting locked out, but finally decided to take the plunge when I got a yubi for my work & realized I could also add my personal account to it. The nice thing about the Yubi is that it decreases the chances you'll be locked out, because (if you're using it for a Google account, then) you still have a phone app, like Google Authenticator, that you can use to authenticate. And you've still got backup codes. And I also have two keys.


Most applications let you download backup codes for the event where you lose a key. But it's an anxiety I have as well.
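Added example (not from any commenter here): what a service has to do for those downloadable backup codes to actually be a safe third factor. Each code is generated from a CSPRNG, only a salted PBKDF2 hash is stored server-side, and a code is burned on first use so a photographed printout is worth at most one login per code. Redemption hashes every stored entry even after a match, so the response time does not reveal how many codes remain. The alphabet, code length and iteration count are choices made for this example, not anything a particular provider is known to use.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, ~5.17 bits each
CODE_LEN = 10                                       # ~51.7 bits of entropy per code


def generate_backup_codes(n: int = 10) -> list:
    """n independent random codes, formatted xxxxx-xxxxx for easier transcription from paper."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalize(code: str) -> str:
    """Be forgiving about what the user types back from paper: case, dashes, spaces."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash(code: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, iterations)


class BackupCodeStore:
    """Server-side record for one account: salted hashes only, each usable exactly once."""

    def __init__(self, codes, iterations: int = 100_000):
        self.iterations = iterations
        self.entries = []
        for code in codes:
            salt = os.urandom(16)
            self.entries.append({"salt": salt, "hash": _hash(code, salt, iterations), "used": False})

    def redeem(self, candidate: str) -> bool:
        """True (and the code is burned) iff candidate matches an unused entry.
        Deliberately no early return: every entry is hashed on every attempt."""
        matched = None
        for entry in self.entries:
            digest = _hash(candidate, entry["salt"], self.iterations)
            if hmac.compare_digest(digest, entry["hash"]) and not entry["used"] and matched is None:
                matched = entry
        if matched is None:
            return False
        matched["used"] = True
        return True

    def remaining(self) -> int:
        return sum(1 for entry in self.entries if not entry["used"])


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print these and keep them offline:")
    for c in codes:
        print("  ", c)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

The user-facing side is the same as for a password: the plaintext codes exist only at generation time, on the printout (or the offline USB key mentioned above), and never in the database.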



