Yubikey Advice Please

Zaka7
Community Member

Afternoon all, now before I ask. I know 100% that multiple YubiKeys are more secure because, well, they just are. However, hear me out, because I believe in practice there is no massive benefit to 99% of users.

Unless I’m missing something, what is the harm in having a single YubiKey with TOTP backup if it’s ever lost, which would, let’s be honest, only be used to log you in to enable a replacement security key?

As I understand it, the main risk to TOTP is MITM attacks, phishing and social engineering. But having the TOTP backup enabled is irrelevant if I always use my single YubiKey, right?

The reason I ask is a lot of services don’t allow you to turn TOTP off anyway, so I only ever purchased a single key. Now Apple have FINALLY enabled security keys, but you have to have two and there is no fallback option (that I’ve read).

I’m trying to work out if it’s beneficial to have another key solely for use with Apple or wait and hope they lower the threshold and enable a TOTP fallback option.

Thoughts appreciated.

Comments

  • Hello @Zaka7! 👋

    You can think of having a spare security key in the same way as having a spare key for your home or apartment. If you lose your primary security key then you'll still be able to access your accounts using the spare key. If you only have one security key then you'll be locked out of your accounts if you lose your only security key.

    If you have both a Security Key as well as a TOTP authenticator app available as options to unlock an account (such as your 1Password account) then you can consider the authenticator app as the "spare key". The only downside of this approach is if you carry your security key on your keychain, if you got robbed then you'd have both your phone (which contains the authenticator app) and your keys (which hold your security key) stolen at the same time.

    Security keys are much more resistant to phishing than a TOTP authenticator app which is why many users turn off the authenticator app for any services that support that option and they only use their security keys. In that sort of scenario, I would say that it's required that you have at least two security keys so that you're not locked out of your accounts. Security keys can break or get lost and you don't want to have to face the prospect of a long recovery process or losing the account entirely.

    Personally, I purchased two security keys as soon as I started using them. One of the reasons for this was because I had turned on "Advanced Threat Protection" for my Google account which doesn't allow the option of using a TOTP authenticator app. There are also other accounts where I'm only using my security keys as the second factor to increase my resistance to phishing such as the registrar where I hold my domains and website hosting.

    Let me know if you have any questions. 🙂

    -Dave

  • Zaka7
    Community Member

    Thanks @Dave_1P

    That makes sense, and I do understand the benefit of 2 keys when using keys only as a second factor.

    I suppose your statement about using TOTP as a backup could be considered a second key does it for me. TOTP, as you say, is more prone to phishing, but this is only at the point you use it, isn't it? So surely there is no benefit to turning it off and you could use 1 security key, and if you lose it then that's the one and only time you use TOTP to get back into your account and activate the replacement key you'd inevitably have bought?

    It does look like I am going to have to buy a second key anyway as I want to use it with my Apple ID, but for other accounts, unless there is an explicit reason not to, I think a security key and TOTP backup is the best way forward, unless you tell me that TOTP is susceptible to attack in more ways than I understand? And if that is the case, it begs the question why so many services do not allow you to turn off TOTP when you use security keys.

  • @Zaka7

    TOTP authenticator apps are more vulnerable to phishing and they're also more vulnerable to device compromise. If someone were to compromise the device or service that you're using to store your 2FA one-time passwords then they'd be able to get access to your one-time passwords. That same vulnerability doesn't exist with security keys.

    That being said, authenticator apps are safe to use and I use them for many services.

    “it begs the question why so many services do not allow you to turn off TOTP when you use security keys.”

    I can only speak to 1Password but I believe that the biggest reason why some services don't allow you to turn off your TOTP authenticator app after adding a security key is because some of their client apps don't yet support security keys so without the authenticator app you wouldn't be able to authenticate using the app. It's a functionality that has to be built into all apps on every platform and that requires significant development resources. For example, 1Password doesn't currently allow you to remove the authenticator app from your 1Password account even after you add a security key since, historically, all of our client apps haven't had the ability to authenticate using security keys.

    We've now added the ability to use Security Keys as a second factor to all of our client apps and that sets the foundation for us to be able to offer users the choice to only use a Security Key as their second factor. I don't have any information on when and if this work will be completed but I can confirm that it's something that our team is looking into.

    -Dave
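
Added example (not part of the original thread and not 1Password's code): the phishing-resistance difference discussed above, in Python. A TOTP check depends only on the shared secret and the clock, while a WebAuthn relying party also checks the origin the browser recorded; the origins, challenge and helper names here are constructed for illustration.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Nothing in the code records which site it was typed into, so the
    # server cannot tell a direct login from a relayed one.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_client_data(client_data_json: bytes, origin: str, challenge: bytes) -> bool:
    """Relying-party checks on WebAuthn clientDataJSON. The browser fills in
    `origin`, and the authenticator's signature covers a hash of this JSON.
    The signature check is assumed to have passed already."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(str(data.get("challenge")), b64url(challenge))
            and data.get("origin") == origin)

def demo() -> dict:
    secret = b"12345678901234567890"             # RFC 6238 test secret
    code = totp(secret, 59)
    challenge = b"constructed-challenge-0001"    # constructed sample value
    site = "https://accounts.example"            # constructed origins
    lookalike = "https://accounts-example.test"
    def made_on(page_origin: str) -> bytes:
        return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                           "origin": page_origin}).encode()
    return {
        "totp_code_accepted": verify_totp(secret, code, 59),
        "assertion_from_site": check_client_data(made_on(site), site, challenge),
        "assertion_from_lookalike": check_client_data(made_on(lookalike), site, challenge),
    }

if __name__ == "__main__":
    print(demo())
```
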

  • Zaka7
    Community Member

    Thanks @Dave_1P, makes sense to me. As all my TOTP codes are with 1Password I'm pretty confident, and the weakness of phishing is negated by the fact I'd only ever use the TOTP if I lost the Security Key; I'd use it once to add and register a replacement key. I may invest in a second key once you do allow that, so that my 1PW account is Yubikey only and then I can do Apple as well. But it seems to me that TOTP still has a very important place :)

  • @Zaka7

    Sounds good. 😊

    -Dave

  • XIII
    Community Member

    How do you feel about passkeys instead of TOTP as the backup for a (single) physical security key?

    “Asking for a friend”; I have (more than…) two YubiKeys 😉

  • Tertius3
    Community Member

    @XIII @Zaka7 I'm curious why you chose to use a Yubikey. Is it because you could be some target for hacking, because you are somewhat exposed to the public in what you do (whatever that is) and manage data beyond your personal use, or is it just because you are concerned for the security of your private accounts like me?

    I considered buying a Yubikey in the past, but finally decided against it because it is not supported by enough services. Only a small number of websites support it fully, i.e. replace a password prompt. Actually, it's not a replacement, it's an addition and adds complexity. And the cost of management (buying a key as backup and keeping it current and synced) was too high and too error-prone (I would probably not be able to keep both keys in sync). And 2 keys are not cheap, either. In the end, I found it too expensive and not enough benefit over existing software-based solutions.

  • Zaka7
    Community Member

    @XIII I like that idea… I have however just ordered a second key for my 1pw and Apple only. Everything else will be TOTP or Passkeys in the near future 🤤

    @Tertius3 The honest answer is I am a security geek and love stuff like this. Given how careful I am, I don’t believe there is a huge advantage in using a Yubikey over TOTP, but it is more secure and the world is evolving, so I wanted one on my main ‘lifeblood’ accounts, so to speak. If cost is an issue then one really does work well with a TOTP backup. I’d suggest using it on your password manager & email as a minimum. You’re only really vulnerable to TOTP attacks when you use the codes, so if you used the single key most of the time you’d be golden. Plus no need to then keep 2 keys in sync and you DO have a backup.

    The only reason I’ve got 2 keys (just now) is Apple annoyingly have ruined my strategy and I have to use 2 keys if I want it on that too. Which I do. Because as I mentioned. I’m a geek.

  • Tertius3
    Community Member

    @Zaka7 Security geek? I understand. This is a valid reason. I was not much different in the past, however there was a point in time where I realized that trying to do everything customized, best, optimal, most secure etc. will lead to nowhere, because it has no purpose except supporting itself. You waste your precious time in the end for managing yourself and get things running. At that point I decided to go with the mainstream. Not buy the high end stuff and do everything 100% perfectly, but buy mainstream and do best practice what is recommended for the mainstream. The mainstream is what all development is optimizing for, so I get the most stable stuff as byproduct, least time wasted, best support (actually no support required, because mainstream just works, otherwise support would kill the companies producing mainstream).

    So Yubikey is not mainstream and will never become mainstream. A password manager is mainstream. The upcoming passkeys could become mainstream, but if you ask me, it will not. HTTPS became mainstream because Google and other major players actively pushed it with their browsers, actually enforcing it, but for passkeys there is nothing and nobody who is able to enforce it on a global scope, so it will not spread as HTTPS spread with Let's Encrypt.

  • XIII
    Community Member
    edited January 2023

    I'm hoping that passkeys really take off this year. I'm currently using iCloud Keychain to store them, but I don't want to be dependent on Apple. Since I don't know when 1Password will support passkeys, I decided to buy two YubiKeys when Cloudflare offered a huge discount (each key cost only $10, when purchased two or more, though with additional taxes and shipping costs, for me living in Europe).

    YubiKeys might not be mainstream, but just like passkeys they work on top of WebAuthn, so I expect more places to use them this year.

  • Zaka7
    Community Member

    @Dave_1P Just as an update, I've now added multiple keys and removed an authenticator app. So it seems that that work is indeed done :)

  • Zaka7
    Community Member

    @Tertius3 I understand what you're saying. But remember there was a time where password managers and VPNs were not mainstream. Times change and I think verification similar to Yubikey will indeed follow suit, as will Passkeys like @XIII hopes. I really think they will. They're more useful, more secure and just as simple to use for people like us with superb setups like 1Password :)

    I unfortunately missed that Cloudflare deal so had to pay a lot more than that!

  • @Zaka7

    Good eye! Our developers pushed an update to make this possible last week. 🙂

    This probably goes without saying, but if anyone else reading this does enable this option please make sure to have at least 2 security keys added to your 1Password account!

    -Dave

This discussion has been closed.