Hardware security keys - Educate me
I’ve read a little on using Yubikeys for 2fa but not sure I have a total grasp on how it all works nor have I purchased one yet.
If you setup an account to use Yubikey for 2fa does that mean you have to always have the key to access the account? If not and you still have other 2fa methods for fallback what is really the point?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@more_cowbell You can use a YubiKey in a number of different ways, but the following are the most popular:
- With Yubico Authenticator to store Time-based One Time Passcode (TOTP) tokens. This will perform 2FA in the same way as any other authenticator app. Just the tokens are stored in the YubiKey rather than your phone.
- With the U2F protocol as 2FA; you touch the YubiKey to login. This protects you from "man in the middle" attacks because the website can validate the YubiKey and the browser can validate the website without any secrets being passed over the internet.
- With the FIDO2 protocol as passwordless login; you enter a PIN to login. This protects you from the "man in the middle" and avoids the need to login to your password manager on websites which support it.
In all cases, I'd recommend having at least two YubiKeys set-up for each website. It doesn't undermine your security to also have an authenticator app setup, as long as the long term secret remains secure. Its just that you only benefit from the "man in the middle" protection when you use the YubiKey in U2F or FIDO2 mode.
0 -
As it relates to 1Password, Yubikey for 2FA is only used when adding your account to a new device or logging into a new web browser. It is never consulted outside of that scenario.
YubiKey is also only supported in 1Password for iOS, Android and https://my.1password.com.
0 -
The part I'm not getting...if yubikey is used with an account do I have to take the key everywhere with me?
0 -
if yubikey is used with an account do I have to take the key everywhere with me?
If you're referring to other accounts you make across the web, then yes -- if you set those up to use 2FA with a hardware security key, then you would need that to sign into those accounts. If you're referring to a 1password.com account, then you would only need the 2FA key on a new 1Password app or browser, as rudy mentions.
0 -
Thanks all. I may pick up keys to mess around and use for 1Password. I'll use my account on a VM too so will have to get it working on pass through I assume.
0 -
@more_cowbell Most websites I've come across use the U2F protocol and treat it the same as other forms of 2FA. So you'll need the YubiKey as often as you would have needed the authenticator app. With some websites like 1password.com this is only when you add a new device, app or browser. With others it's every n days or x months. But best to keep the YubiKey with you in case you inadvertently close the session.
With websites that use the FIDO2 protocol you'll need it every time you login and you'll need to enter your FIDO2 PIN.0 -
Thanks everyone! So are these things fairly reliable?
0 -
@more_cowbell - right up until you put one through the washing machine, as I did. Then, not so much.
I'm semi-kidding (though I really did put one through the wash a while back), but in the service of a larger point: hardware security keys are subject to physical destruction in ways that things like TOTP secrets are not. Depending on the website/account in question, there may be different options available to reset or disable 2FA, but if there aren't, and/or if you've chosen a hardware key as your sole method of 2FA, it would be a good idea to register more than one of them on every site you use it for, just in case you do lose/destroy one of them.
0