Nowadays, it is difficult to count the services we have accounts on. They leak regularly and we often hear even the biggest companies are hit by severe security incidents. Big dumps of databases with unsalted password hashes go public a few times a year. We cannot prevent those incidents from happening in any way but we can mitigate risks connected to those leaks. The first wise thing to do is to use the password manager. A rule of thumb is to use unique and strong passwords per site. If a password leaks from a particular website, we are still safe as it cannot be reused anywhere else. We shall remember only the master password to the manager, that’s all. All other passwords shall be automatically filled in by the app itself. This solution is better than reusing passwords or having some generation scheme (which can be simply understood if a couple of passwords leak). Still, what happens if the password manager gets compromised itself or our device (like a mobile phone) is stolen and the thief will be able somehow to access it? A password manager alone is still a solution far from perfect, therefore we shall enable second-factor authentication (2FA) wherever possible. Even if someone gets our password to the secured service, he or she will not be able to log in without an additional device.
One remark about strong passwords. I have seen a few of my accounts hacked (mostly from Russia, China, and Brazil) that were secured only by a password. Passwords were different, about 10-letters long, with special chars and digits. Therefore I think it is wise to use much longer, fully generated passwords with lots of special characters. Also, never trust a site that does not offer a 2FA.
More and more sites allow to turn on second-factor authentication and that is just awesome! There are a bunch of options possible for us to authenticate us - like SMS, automatic phone calls, dedicated apps with push messages, hardware tokens, U2F keys, or just Time-based One-time Password (TOTP) apps (like Google Authenticator). The most commonly used are SMS and one time passwords. U2F is unfortunately supported only by those “big guys” (Google, Fb, Twitter, GitHub, etc.), but the number of services like that slowly increases.
U2F key - what is that?
I have used a password manager + Google Authenticator app combo for years. It was a Google Authenticator “on steroids” - I could sync the encrypted database with the Cloud so I was safe to format my phone anytime. This solution worked well but still, I had some concerns:
- Both the password manager and the authenticator resided on the same device. What if the device (especially mobile phone) gets hacked or lost/stolen?
- Both apps synced their databases to a cloud. What if the cloud gets compromised?
- What if somebody tampers with the binary downloaded to my phone? The authenticator app has internet access granted so the data may leave my phone unattended.
For the above reasons, this solution was not ideal. I have heard lots of good opinions about U2F keys but hesitated to buy that for years (!), until I tried them in a “corporate world”. Eventually, I bought one (two actually) and I will never regret that, even if - as with every solution - it is still not perfect. Anyway, I can recommend that to everyone, far more than having a dedicated app. I will explain why.
My little hero
But how U2F key works, actually? In simple words, you need to register this key in a service (like GitHub) and the next time, instead of codes from the Authenticator app or SMS, you need to insert the key to USB and touch it. That’s all! Apart from being just simple, it gives other advantages:
- The URL of the service has to match the URL registered in the key. Even if someone hacks a DNS and directs you to the wrong page, you will be safe as the key will not work.
- No need to wait for SMS or play with additional apps.
- The key is a physical thing. Someone would need to steal it from you. One time keys can be hijacked, especially when using SMS.
- Even if someone steals the key, he will not be able to get anything out (like certificates, etc.) from the key.
U2F is available for Google services, Twitter, Fb, GitHub, and other “important” websites like them. Most of the sites end up with SMS or TOTP based second-factor authentication, though. The U2F adoption is pretty slow, unfortunately. This is somehow understandable from the business reasons - most users even do not use 2FA, not to mention buying dedicated keys for U2F.
For the above reason, I have decided to buy YubiKey 5 NFC as it supports not only the U2F but also TOTP. Furthermore, it can also use OpenPGP just to encrypt regular files. I spent about 250PLN on the key some time ago. Pretty much if you would like to have an additional one as a backup (and this is advisable). Yet, not that much considering it as a purchase for a longer time. There are still cheaper Yubico keys (like blue Security Key Series) but they support only U2F. Still, good enough as a backup. They are also other manufacturers to consider (like Google).
Why do I enjoy having that key so much?
- I have added the key to all those “important” portals - it is way quicker to log in now. Safety is an additional benefit.
- I could completely forget about all previous Google Authenticator-like apps. There is another one from Yubico for TOTP, available also for Linux. The cool thing is it does not store anything on the device. Just touch the phone with the key (NFC) when the app is open - all keys will appear immediately. Alternatively, use the USB port. No more hassle with the restoration of settings after a phone format.
- I have configured the key to store PGP certs. Now, the key can encrypt/decrypt files. Pretty cool to do that before uploading something more sensitive to the cloud. Insert a key, issue a command, done.
- The key can also store the desired password and enter it once long-pressed.
I guess there are also other possibilities I have not mentioned here. If you know any - please let me know in the comment. Overall, increased security and simplicity thanks to this little device!
Of course, there are some disadvantages, too:
- Authenticator apps are for free
- Good to have another key as a backup. Of course, we can print the recovery codes, so having two keys is not that important I think.
- A limited number of slots for TOTP - 32 as far as I can remember. I think the limit can be reached pretty quickly, at least I am going to reach it soon.
Despite these disadvantages, the U2F key is a must have for a person that would like to either tighten the security of accounts or just simplify the 2FA.
Two pretty well-known links, good to check periodically:
- twofactorauth.org - check sites that support 2FA
- dongleauth.info - check sites that support U2F
- haveibeenpwned.com - check if your email/password leaked somewhere
Keys in action
- YubiKey 5 NFC - more expensive but offers more - U2F, TOTP, PGP and so on
- Security Key - cheaper but only for U2F