Yubikey Ramble

Introduction

Personally, I am a huge fan of hardware security keys. It started off with looking for a 2FA method that did not involve my phone, and hence to use FIDO2 (or U2F back then). Simplified, FIDO2 is the standard that is used to to authenticate yourself to a service. One can use it instead of a password (e.g. Outlook has the option for that) or as a second or multi-factor authentication. The theory states that there are 3 ways in which you can authenticate yourself:

• What you have (in this case a hardware key)
• What you know (in this case a PIN or password)
• What you are (e.g. biometrics which could come with the Yubikey Bio)

In this post, I will try to roughly explain my experiences with the Yubikey, referencing some guides I used myself.

Two-Factor Authentication

As mentioned, the reason for me to buy a yubikey was to use 2FA while not being dependent on my phone. That, the curiosity of how it works, and my desire to spend money on tech…

I bought a single Yubikey 5 NFC to test it out. Initially, the only way (and back in 2018 a pretty new way) was using U2F. Slowly services were adopting the standard and allowing you to use the standard for logging in with a second factor. Setting this up is really simple. Just login into your service and find the option to register a second factor. Be warned that many services want you to register a TOTP device first. Back then, the only real way was to use your phone and applications such as Google Authenticator. But wait… we wanted to avoid the use of phones. Well, while you may have the TOTP codes on your phone, you did not need to use it if you registered your Yubikey. My Google Authenticator app was sad, I was not 100% satisfied, but it worked for now. My main reason for dissatisfaction was that my phone could still be used to login. What if someone hacked my phone. With the recent news of Pegasus, this does not seem too far fetched, even with iPhones…

Many people will recommend to also have a backup Yubikey (including me). However, if you have your phone with TOTP codes, a backup becomes a bit more unnecessary in my opinion. What are the chances of your Yubikey and phone breaking at the same time? Most services also issue recovery codes that you can also use in case of emergency.

I was quite okay with the solution until Yubico (the company behind Yubikey’s and my personal hero’s) announced the Yubico Authenticator app. Remember those TOTP codes which are saved on your phone ? It turns out that those codes (or seeds) can also be stored on a Yubikey itself and read out with the Yubico Authenticator application. What is even cooler is that the application could be installed on a normal PC. When I read this, I was super excited for the release. Apple by then also opened up their NFC interface for iPhones meaning that you can also read the codes from the Yubikey with NFC enabled and thus everything was perfect… Until I realized that I would have a problem if my Yubikey breaks. Here, it does indeed make sense to have 2 Yubikey’s for TOTP. While recovery codes are issued by most services, I did not want to rely on them. Hence, while the application was available and even installed on my phone I did not really use it. I had plans to buy another Yubikey 5 NFC, but I put those on ice when the announcement of the Yubikey 5C NFC hit. Since I wanted to future-proof, and believe in USB-C (and also I am eyeing for a Macbook) I decided to wait until the 5C released and build my ultimate setup with them. Then the pandemic hit and while no release date was announced, it felt like ages until the 5C released, with me checking daily on any news.

Finally, in October/November I held two Yubikey 5C NFC in my hands and was ready for the setup. Most services using TOTP were migrated from Google Authenticator to the Yubico Authenticator app. One can simply scan the QR code presented twice with the Yubico Authenticator app on your phone and hold the keys on your phone in turns. Then both keys should have the codes available to be read out. After the big migration, I left my key backup key in a secure location. New services with TOTP will first be using Google Authenticator until I find the time to register them with my main Yubikey and my backup. As a convenience, I try to enable FIDO2 on my main yubikey for services as it is quite convenient to use. TOTP is still largely needed as not all services / devices support FIDO2 or have USB-C. While there is a limit for TOTP codes, I did not personally hit it yet, so the idea of having both FIDO2 and TOTP for added convenience does work. My dreams were fulfilled, and order was restored.

Pretty Good Privacy

Naturally, as a Cyber security student I like safe technologies. I try to enable two-factor authentication whenever I can and use SSH. However, one thing that I never got around was using PGP. There was some kind of internal barrier and not really seeing a use-case for myself. That changed, when a friend introduced me to using Yubikey’s with PGP. While I knew this was possible, I decided to try it out once I get my new Yubikeys. There are various posts on the internet that I tried for this one:

• https://github.com/drduh/YubiKey-Guide
• https://www.tyil.nl/post/2018/09/04/setting-up-pgp-with-a-yubikey/ (personally my favorite)

While the second guide is for a Yubikey 4, most things still hold. A few tips:

• Make sure to install pcsc-lite. For me on Manjaro, it is available on the pamac store. You do have to enable the service using e.g. systemctl enable pcscd.service
• The following configuration was added to .bashrc:

export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

• Make sure to keep a copy of your own public key. The guide makes you store your private key on an encrypted USB, which is perfectly fine. However, I did not find a way to get the public key from the yubikey itself. One way is to restore the backup from the encrypted USB and import it from there. A bit of a hassle… So make sure to store the public key in a safe space.
• Make sure to plan roughly 2-4 hours of work depending on your knowledge of the topic. My first setup took 4 hours with finding a USB to encrypt. This allows me to use PGP, and e.g. sign my git commits or encrypt my messages. My main use case for PGP signing my git commits. More importantly, GPG provides an authentication key that can be used instead of an SSH key. That means, I can use my Yubikey to ssh into wherever I want to. The public SSH key can be found using: ssh-add -L. Make sure to remember the PIN that you set as you will need it for most operations.

In my opinion, there is a certain satisfaction when you do ssh [email protected] with your Yubikey inserted and are greeted with your username. But that may just be me…

Outlook:

There is not really a lot I would change with the current setup. I have a spare Yubikey 5 NFC lying around which I may use to experiment a bit. The Challenge-Response mode can be used e.g. with a KeePass(XC) database. Furthermore, I learned that full-disk encryption can be done with said Challenge-Response mode. However, I imagine this to be not so convenient. I will try it out one day though.

Lastly, the Yubikey Bio is on the horizon, offering to use your fingerprint instead of a PIN. Depending on the price and reviews, this may be nice to try out as well. Until then, I am finally happy with my setup.