Author Topic: Anyone using YUBICO ?  (Read 2258 times)

Mackin USA

Anyone using YUBICO ?
« on: December 19, 2017, 02:11:41 PM »
https://www.yubico.com/

Two-Factor Authentication 2FA
Secure your login to Facebook, Gmail, and other online accounts.
Mr. Mackin

ukgimp

Re: Anyone using YUBICO ?
« Reply #1 on: December 19, 2017, 03:44:27 PM »
Bloke in our office has one as his ultimate backup.

He does not use it though.

ergophobe

Re: Anyone using YUBICO ?
« Reply #2 on: December 19, 2017, 06:21:28 PM »
A friend swears by it. Keeps it on a key fob.

I use Google Authenticator because I can never find my keys and it is possible to put Google Auth on more than one device. I have an old phone that barely powers up, but if I ever needed it to, I could dig it out and get codes off it.

Also, software tokens are much more widely supported than hardware tokens. Not to say that you couldn't use both. You can check your regularly-used sites here:
https://twofactorauth.org/
« Last Edit: December 19, 2017, 06:25:12 PM by ergophobe »

bill

Re: Anyone using YUBICO ?
« Reply #3 on: January 01, 2018, 12:53:07 AM »
I have a few, but they're limited in use. I also find software authentication to be easier to use in multiple locations. Now that I'm no longer on Windows I find it a bit more difficult to use my YubiKeys. I have the keys hooked up to many Google accounts, but if you don't have the key handy you can always revert to the software authenticator, so I find myself using that more than the hardware key.

ergophobe

Re: Anyone using YUBICO ?
« Reply #4 on: January 01, 2018, 04:27:20 PM »
Bill, what do you think of the Lastpass authenticator?

bill

Re: Anyone using YUBICO ?
« Reply #5 on: January 02, 2018, 02:30:04 PM »
Quote from ergophobe: "Bill, what do you think of the Lastpass authenticator?"

Not really a fan of the idea of putting everything into one app. The LastPass Authenticator also had some security complaints recently https://hackernoon.com/lastpass-authenticator-app-is-not-secure-77b9743c3007

I'd probably recommend Google Authenticator or Authy. Haven't found a good open source app that works across devices yet.

I might use my Yubikey a bit more now that Firefox finally supports it https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/


ergophobe

Re: Anyone using YUBICO ?
« Reply #6 on: January 03, 2018, 05:52:34 AM »
Quote from bill: "Not really a fan of the idea of putting everything into one app."

That was my main concern. Hadn't heard about the other complaints (but actually saw your tweet just before I saw this post)
Thanks

grnidone

Re: Anyone using YUBICO ?
« Reply #7 on: January 03, 2018, 04:30:54 PM »
Can someone explain, for dummies, what this is? 

I don't even know what to google to understand it. 

ergophobe

Re: Anyone using YUBICO ?
« Reply #8 on: January 03, 2018, 06:51:34 PM »
It's a form of two-factor authentication (2FA).

With the ones Bill and I mentioned, you have an app that is time-based and synced to another service and it generates a new code every 30 seconds or so. To log into Gmail or other sites that support it, you need to have the device which is synced with the account. So basically nobody can do a dictionary attack on your account. Other methods of hacking and social engineering might succeed, but the dictionary attack is off the table. Even if someone gets my Google username and password, they can't access the account.

The Yubikey is similar, but it's a small USB chip that goes into your USB port (or communicates to your phone in some setups) and typically needs to be touched to send the second factor to the account.

The most common 2FA is an SMS message. The SMS system is fairly vulnerable, but the main reason it's not a preferred system for me is that I am almost always in places with no cell phone reception (notably, my home).

My workaround for places that only offer SMS (my registrar for instance) is a Google Voice number that they can send texts to, but obviously that's not a good way to protect your Google account.

ergophobe

Re: Anyone using YUBICO ?
« Reply #9 on: January 03, 2018, 06:56:18 PM »
PS... if you're not using 2FA, you should enable it as a minimum on

- your email
- your registrar
- your bank
- your hosting accounts if they manage your email in any way
- your DNS service if different from your registrar

I've had people say "My email isn't really that important. There's nothing compromising there." The problem is that you are probably using it as the password recovery method for other sites (bank, Amazon, other places with your credit card info). If they have your email account, they also have every single account that uses it for password reset.

The same is true for your registrar if your email is using your own domain. They just change your MX record and now they get your emails.