[kwlug-disc] Yubi key

Chris Irwin chris at chrisirwin.ca
Mon Feb 7 11:44:46 EST 2022


On Mon, Feb 7, 2022, at 10:23, Darren Pond wrote:
> The Yubi key appears to be an affordable option to regain control from Google-dependent GA 2FA.

Using TOTP codes does not make you dependent on Google, and there are better apps than Google Authenticator. Note that Google likes to steer you towards Google Authenticator (and Microsoft likes to steer you toward Microsoft Authenticator). But they're both just TOTP apps, and you can use a plethora of other, trusted options instead to generate codes (AndOTP being my preference).

> Anyone currently using the yubi 5 nf key? For the purpose of android cell phone and kde linux cpu 2fa control.
> 
> Do you use 2, one daily and a second one off-site? Or simply record the "seed key" as a backup option when the yubi goes missing or gets lost, which in my world will happen at least once.

Talking about seed keys and yubikeys (at least in a u2f context) at the same time is confusing. TOTP codes have seeds, u2f tokens don't.

For backing up TOTP codes used with an app, there are several options. One of my friends screenshots the QR codes and sticks those in keepass; a coworker writes down the seed manually. You can put the seed into keepass and have it generate codes as well. Personally, I put all my codes in AndOTP and just make a backup whenever I make a change. If I need the seeds, I can read them from the backup (or look at them in AndOTP).

Yubikeys, when used as a u2f or fido2 token, can *not* be backed up. You lose it, you lose it. There is no recovery. So you need to have at least one spare token pre-registered as well (and preferably not have it in the same place as your primary token). Alternatively, you need an alternate recovery method (pre-generated recovery OTP codes, for example).

Keep in mind that if you're interested in using a u2f token (or TOTP codes) for the security they provide, you probably don't want to leave less secure recovery options available (ex: "SMS" or "answers to questions easily obtained from facebook").

Note that yubikeys also support their own HOTP method, which might be able to be backed up (not positive on this, because there's a state involved in this mode). However, I'd use TOTP codes in an app instead of a yubikey in HOTP mode, personally. HOTP is really a legacy solution, and u2f is better in every way.

> Do you use the yubi app/program on your linux cpu? Did it install as expected?

Their software is not required to use the token at all. It just works.

Plug it in, go to a website that uses u2f/webauthn, and click register token. Token starts blinking. Touch token, and you're done.

When you log in to that site, your browser will prompt you to touch your token, it blinks, and you touch it. It's pretty seamless.

You can insert your token when prompted or leave it in all the time. Personally, I have the "nano" token that I leave plugged in all the time. I've had more trouble with SD cards than I have with yubikeys... in Linux.

Note that if you want to use a yubikey with Windows, you need one that supports FIDO2 (yubikey 5 or newer). The older ones work fine in Linux and used to work fine in windows, but an update a few years ago (2019?) "added support" for fido2 tokens, and it seems anything that isn't fido2-capable is rejected now, even if you're only using it as a u2f token. I have a few older yubikey 4 (?) tokens that work fine in linux, but now don't work with windows. I don't use windows for anything important, so there's little actual impact for me.

Yubikeys also support an older HOTP mode out of the box. It emulates a keyboard and types a hash every time you tap it. That is one of the reasons I disable and don't use that mode (it doesn't conflict with u2f or fido modes, but it's annoying).

As I said, their software isn't required to use the token, but it is required if you want to disable the HOTP mode, set a FIDO PIN (ex: to put an SSH key on your token), etc. Their software is available in both GUI and CLI form, is BSD licensed, and packaged in Fedora.

-- 
*Chris Irwin*

email:   chris at chrisirwin.ca
  web: https://chrisirwin.ca