Getting the most out of YubiKeys for your business

I use my YubiKey to store a full set of subkeys while keeping my primary key offline on paper. No secret keys are ever written to disk. I boot a live Linux system and restore my primary key when I need to generate new subkeys or sign other people's keys.

Same use case here. While setting up the yubikey with the gpgkeys is a long process it's totally worth it in my opinion.

What kind of baackup do you have in case the yubikey is borked/lost/stolen?

Oh yeah good point, I always forget about the OATH part of the YubiKeys - unfortunately it's like the OTP feature in that I haven't had enterprise customers asking me about it at all (they're all hyped about U2F), so I start to forget its there.

I'll have to add it in to the article :)

You leave the Yubikey in your computer, at least for the duration of your session, so you're just moving your hand a couple of inches to tap it. Contrast with fishing out an entirely different device, waiting for the push to arrive or navigating to the Duo app, etc. Push 2FA is also subject to the vagaries of your phone's current network connection and its latency.

For the specific combination of Macs with Touchbar and U2F and Chrome, you can already get this experience with onboard hardware. I expect most client devices will converge on having some kind of hardware-backed U2F credential built in. But Yubikey is more general right now. OTP is easy to implement and eminently compatible; it just presents as a keyboard and sends keystrokes. HMAC is great for not just authenticating but signing specific transactions. The GPG applet is just another GPG key, and the PIV applet is just another X.509 cert, so a number of applications can be upgraded to hardware-backed credentials with little or no change.

It depends on the context really - I love the push-driven MFA products, but they specifically require you as a user to be carrying a phone with you at all times, and are usually considered "low" assurance of the user's identity.

If your business is seeking "higher" assurance (yes, assurance levels are very subjective) then certificate-based MFA can meet the needs better. Or, if your business is working with sensitive data/systems, phones may be banned from the office (e.g. military, intelligence, banks, etc.).

You can MITM OTP, but you can't MITM U2F. You can copy/steal the OTP secret from a phone app, but you can't copy/steal the U2F private key from a Yubikey (easily).

I think the intuition is that it is supposed to be like a key. People generally do a pretty good job securing their keys. In addition, it is easy to have a backup key stored somewhere safe.

One nice thing about Yubikey instead of phone, is that since it only does one thing, you are far less likely to need to upgrade it. In the past, I have lost a 2 factor on my phone when upgrading since it is not backed up.

I don't like taking my phone out while I work, since this is often a source of distractions. I also have to worry about keeping it charged and on me (it is much larger than the yubikey). I have to keep the authentication app, which is often proprietary, installed and up to date. I have to worry about retaining access if I lose, break, or want to upgrade my phone. I have to apply a different security model to my phone. I have to trust a third party (duo), and rely on their push notification infrastructure. There is an additional delay while I wait for the push notification.

There is something I intrinsically like about pressing a hardware button.

These are all relatively minor things, but they add up to a strong preference for the yubikey (I've used the simple blue u2f key with a button).

After reflecting on this list, I think the security model is probably the biggest one. In more colloquial terms: I'm already used to keeping track of my keys with a certain amount of care. A yubikey does not require me to adjust my habits; it's just another key.

TouchID on macs are another reasonable option.

My employer uses Duo, which supports phone push, yubikeys, or webauthn/touchID in chrome.

I almost always use touch ID. I do have a yubikey and phone push as a backup, but I really want to minimize using my personal device for work (and don't want to carry two phones).

A yubikey is much less obnoxious to carry around than an extra phone.

Well that is kind of the the point of multi-factor authentication.

* Something you know (your username/password).

* Something you have. The Yubikey or other hardware token.

If you lose your Yubikey, by itself it should not allow access to anything. I keep mine on my keyring with my keys, which I haven't lost yet.

in california, if your employer requires you to have a phone for 2FA or other purposes, they must reimburse you at least partially. yubikeys are cheaper.

as to being clunky, it’s because your employer doesn’t care about it, so you have the clunky (and much cheaper) yubikeys.

lack of verification of who is using it is simply not an important part of the threat model.

You should have to enter a pin to unlock the yubikey and if you fail so many times it can be locked forever.

How were you integrating them on your personal OSX system?

Yes, I use one daily and haven't had any issues.

The fingerprint reader on my Thinkpad X1 Carbon (gen 7) can work as a FIDO device. I just re-tested it on https://webauthn.io/ with Firefox in Windows 10. I'm guessing other fingerprint readers will too. You need to know that it will be considered a "Platform" device rather than a "Cross platform" device, which is what YubiKeys are considered.

Related but not answering your question: I haven't found any major website that support Platform FIDO devices. I'm guessing they only want 2FA devices which can roam between computers. I think that's unfortunate. Perhaps a good policy would be to allow Platform devices to be used after a Cross Platform device has been registered first. But there are few websites that support multiple FIDO keys to begin with.

How nice would it be to log into websites with your builtin fingerprint reader? The client side stuff seems ready to go.

It’s worth noting that for “SSH certificates”, the leaf certs are not x509-based, and that you can’t put a CA-signed SSH user key onto a yubikey.

When yubikeys are used for SSH auth (either in GPG or PIV mode), they’re using the raw private key (either via GPG-agent or opensc, generally). The SSH client/server doesn’t get context about the identity, its trust relationships, etc.

This limits usage to trusting individual keys, rather than being able to trust “all keys signed by the CA”.

I've personally never seen it work that way - usually because RDP doesn't pass through direct USB devices, only their abstracted forms (e.g. smartcards don't get passed through, only the "Smart Card" device registered in the OS, and only if you enable that to be passed through in an mstsc session.

There are products like Silverfort (https://www.silverfort.com/) that can handle agentless auth, and might be able to do that kind of MFA inside an RDP session. But, products like this usually require some 3rd device (i.e. your phone) to perform the MFA action, which is kind of not really just a simple WebAuthn logon...

It's kind of a pain, but possible. You have to redirect it as a generic USB device. I wrote a guide here:

https://queensidecastle.com/guides/use-a-yubikey-remotely-ov...

There are a few competitors: Google Titan, Thetis come to mind plus traditional smartcards. Some of the competitors only support FIDO/U2F, meaning that a number of applications like LastPass that support OTP or Smartcard won't work (if you're interested Yubikey's Security Key only supports those two protocols and only costs $20). Yubikey's build quality tends to be superior and they've got a nice plug and play UX. For many IT departments, it's easy to justify an extra $5-$10 a unit if there is minimal support needed and it's unlikely to need to be replaced due to breakage (lost devices yes, breakage no). Anecdotally I've got an older generation yubikey that appears to still work after 6-7 years

Yeah Nitrokeys are probably the closest device, but cost even more https://www.nitrokey.com/

And usually it's twice what they charge, because you need a backup device to handle losing the first one.

I'd like to see a competitor come out with a combo PIV card & FIDO device. At least from the enterprise perspective it would cover 99.9% of MFA situations. And the majority of my personal uses of YubiKeys.

Assurance that you’re getting the right $5 device is tricky—when the factory has so many incentives to do otherwise.

Yubikey is the competition, before they turned up the equivalent devices were vastly more expensive and less functional.

It is a fairly niche (although growing) market, and you also don't want to buy the cheapest product in the space as it might not work securely.

It is probably more pricing of different products in their selection. If you just need U2F you can get their security keys [0] for 20$. 18$ if you order 50, and probably even cheaper if you ask for > 1000 (i.e. an entreprise customer).

And 5$ manufacturing for 20$ resale is pretty much a standard ratio in consumer goods. I would also argue that a competitor would have a hard time making those at only 5$, making it harder to compete based on price alone.

[0] https://www.yubico.com/product/security-key-by-yubico

Adding to the list of alternatives: https://solokeys.com/ Open source hardware

I suspect YubiKey doesn't face price competition from the cheap AliExpress USB flash drive manufacturers because a U2F token from a no-name supplier isn't much better than a mobile app.

Hi! I'm actually the product manager for the product mentioned in that article: https://enterprise.signata.net.

Are you heavily SaaS based for the tools you use in your startup, or do you have some on-prem infrastructure? That'll kind of dictate which path you should go down for provisioning the keys to your users. Our product will be perfect if you're using AD & a Microsoft CA internally (or are willing to set one up), as you could then just set up 3 YubiKeys for each employee, all loaded with certificates for authentication.

And, should one be stolen or an employee leaves, just revoke the certificates on it to kill the access immediately.

Any path you go down should really still only take a bit of time upfront and almost nothing longer term, unless your team grows fast.

You can also hit me up at [email protected] and I can give you more advice if you don't want to mention specifics publicly.

Just because you're allowed to do OTP backup doesn't require you to switch it on. If you have two FIDO keys that's fine.

What isn't fine is one FIDO key and no other backup. The good ones aren't fragile, but you can still easily lose them.

If there's a site you use on the phone too, newer Android devices which know how to keep a secret (e.g. a Pixel) can do WebAuthn for themselves and be that second option for you.

The major advantage of u2f is phishing resistance.

If you always use u2f for auth, you can be sure that you are not fooled by fake login pages. It ain't just matter whether secondary otp is available. (it's just a backup for when you lost a hardware token!)