The Core

Why We Are Here => Hardware & Technology => Topic started by: Rupert on February 27, 2015, 03:04:43 PM

Title: Mobile and online security.
Post by: Rupert on February 27, 2015, 03:04:43 PM
I already use a password generator (LastPass) to ensure I never log into different sites using the same password, and to ensure they are unguessable.

But the realisation that security has got a whole lot harder over the last couple of years has me looking at YubiKey.
https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

Generally I don't log on anywhere with my phone, so perhaps I don't need the Neo, but it seems like a good idea, until you lose it. I could get 3, one for each of the family, and have them interchangeable (you can attach 5 to each LastPass account), but does it really help?

If someone wants to get into my stuff, they will nick it and keylog my password or something.

There is always a way.

So am I being paranoid, or is it a good idea?
Title: Re: Mobile and online security.
Post by: ergophobe on February 27, 2015, 04:52:45 PM
My issue with 2-factor has always been that I'm usually in places with no cell coverage and many schemes use SMS to send codes which left me with worries of having to drive an hour at 2am to get cell coverage to get access to my computer to deal with... a server crash, a security breach, a need to make an emergency post to Facebook about my midnight snack choice, whatever.

So Yubikey has always been attractive, but there are a couple of things I'm not excited about.

1) It's a physical thing I can lose. I'm not very organized, so that scares me.
2) When I travel, I tend to keep my home keys in my laptop case. If the Yubikey is on my key ring, the person now has both items. They're less likely to have my phone and laptop than my keys and laptop. I assume Yubikey has a way to revoke access from a given key, but then I lose access unless I have a copy of the key and I will not be traveling with the key.

So I settled on Google Authenticator. The app runs on my phone, so the attacker has to have my laptop, my phone, my username and my password. But if I lose the phone, I simply need to grab access to any computer, use my backup codes in my wallet, log in to my account and de-authorize any lost devices. At that point it's just a race. If the attacker cracks the phone password, gets into my accounts and takes control of my email account, it's game over. At that point he has control of every password reset, and most banks still don't offer 2-factor.

Title: Re: Mobile and online security.
Post by: Rupert on February 27, 2015, 07:59:24 PM
I knew someone here would have studied it. :) 

Interesting. I just kinda want to move away from Google. They have too much already.

With my phone I cannot help thinking it will crash, the battery will be flat, or it will be stolen. A YubiKey generally will stay in my PC, unless I am away from it, and then I take the key with me.

So from that side it works. There is a chap on eBay selling 4 for about £25 (plus £20 delivery to the UK), but they are old firmware... not sure if that's a problem or not.
Title: Re: Mobile and online security.
Post by: bill on March 17, 2015, 05:29:34 AM
A friend got me a FIDO Yubikey for my birthday. It only really works with Google accounts, and I have a ton of those. So I added the key to all my Google accounts, but found it only works with the Google Chrome browser, and not any of the Chromium variants. The handy thing is that if you don't have that browser the Google accounts step back to the Google Authenticator for 2FA. So I just leave the key at home and authenticate via the Authenticator app on my phone and other devices.

The keys are small enough to slip into your wallet. I'm considering getting the NEO model that has NFC and a lot more functionality as I figured out that even if you lose the physical key you can generally use another form of 2FA to get into your accounts.

My biggest problem is that I can't store my PGP keys in the current Yubikeys because they only take 2048-bit keys and I use 4096-bit and 8192-bit keys. So either I have to wait for better adoption of ECC in OpenPGP or hardware support for larger PGP keys from Yubico.
Title: Re: Mobile and online security.
Post by: ergophobe on March 17, 2015, 02:46:43 PM
I would not buy a Yubikey from anyone but Yubikey.

Anyway, as per Bill, if you want broad support for many protocols, you need the NEO.
https://www.yubico.com/products/yubikey-hardware/

>>I just kinda want to move away from Google

Google has almost nothing to do with this. They probably know which device you're using, but I'm not even sure of that (they definitely do if you're using it with a Google account, but I'm talking about the LastPass use case).

For example, if you want multiple phones to authenticate the same account, you can't do it after the fact because Google doesn't know the salt that it's adding to the timestamp. You have to de-authorize all devices, generate a new QR code (which passes the salt to the authenticator app) and then authenticate all devices at once.

>>with my phone I cannot help thinknig it will crash, the battery will be flat, or it will be stolen

This was a major concern for me too - quite often I don't know where my phone is. I have no cell reception at home or many of the places I frequent. I have not traditionally carried my phone with me when I leave the house. So two things

1. If you have someone you trust (i.e. your spouse), you can authenticate two phones to work with Google Authenticator. The trick is, as I mentioned above, that you have to do them both at the same time using the same QR code.

2. You can generate a set of backup one-time use codes with Google accounts. With LastPass you can have it send a message to your security email. For the best security you make this email something other than your account email (again, a spouse's work email might work, or just something that you use for no other purpose, rupert.key.recovery@yahoo.com or something).

https://lastpass.com/support.php?cmd=showfaq&id=7066&questiondefault=disable
https://lastpass.com/support.php?cmd=showfaq&id=2465

3. You can designate a trusted computer. This stores an encrypted ID on your hard drive and will allow this computer to bypass multi-factor, so this is another backup if you have a computer that you think will be secure. Personally, I am not so worried about theft, so I would be comfortable designating a laptop as trusted. The thief will still only have one factor (the secure ID) and will have to crack the password. So I think of the password as blocking people who steal the physical item and the second factor that requires possession of a physical device as stopping remote attacks. If you happen to let the physical device fall into the hands of a competent hacker, you're screwed. But you could of course designate an old laptop that you keep in a safe within a safe in your underground lair.
https://lastpass.com/support.php?cmd=showfaq&id=1826

Title: Re: Mobile and online security.
Post by: ergophobe on March 17, 2015, 02:48:07 PM
PS the funny thing is that I tweet about once a month and I tweeted yesterday about setting up multiple devices with Google Authenticator.

UPDATE - found this which solves the following problems
- adding new devices
- remote reset in event of losing device
- authenticator itself can be protected by a PIN so if you lose your phone, they have to access your phone, enter your PIN and guess your password.

https://www.authy.com/
http://lifehacker.com/the-best-two-factor-authentication-app-for-android-1638791349

Unfortunately, my old Android phone is too old to run it, but it might work for you (Android, iOS)
Title: Re: Mobile and online security.
Post by: ergophobe on March 17, 2015, 03:21:54 PM
And a bit more... on 2-factor vulnerabilities

http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
Title: Re: Mobile and online security.
Post by: bill on March 17, 2015, 10:28:37 PM
I was happily using Authy until I read this: http://www.theregister.co.uk/2015/03/16/auth_bypass/ and this http://www.theverge.com/a/anatomy-of-a-hack which details how someone bypassed the 2FA precautions of someone who appears to have taken most of the basic steps to secure their accounts...except using a mail.com address.
Title: Re: Mobile and online security.
Post by: ergophobe on March 18, 2015, 02:06:51 AM
Oh sigh.... is there no safe harbor in a storm?

Realistically, though
- you are making it harder, but you will never make it impossible
- I believe those sync and reset options for Authy are optional.

The old conundrum - increased security almost always means decreased convenience.
Title: Re: Mobile and online security.
Post by: ergophobe on March 18, 2015, 02:11:29 AM
PS - I am, by the way, a LastPass user on your recommendation Bill after previously being a Roboform user (and decided I didn't like it for some reason). Just to let you know, some of your recommendations have been appreciated ;-)

[For the benefit of others, Bill and I blame each other for a couple of minor disasters that have befallen us, though I believe it is fair to say that neither of us takes responsibility for the disasters of the other; and really, when it gets right down to it, I borked my own damn computer and Bill broke his own damn arm]
Title: Re: Mobile and online security.
Post by: bill on March 18, 2015, 05:42:28 AM
heh heh
Yeah, LM is probably thrilled about your influence on me re: hosting, which landed him here.

Good thing you took me up on that LastPass suggestion.  ;)
You can really lock down your account by limiting logins by geographic region and adding a number of 2FA options, among which I think the YubiKey might be one of the better options.

That Anatomy of a Hack article on the Verge that I referenced above was a bit of a wake-up call. I hadn't realized 2FA could be sidestepped so easily. The recommendation is to use the more secure Google Authenticator, which will only work on one device. You could work around the single device limitation by putting screenshots of the 2FA QR code for each account into a LastPass note for each account. You would then need to manually update your Google Authenticator app on each device. It's a real PITA compared to the Authy solution though.