Fido U2F 2-factor authentication key released by Yubico

Discussion in 'privacy technology' started by deBoetie, Oct 18, 2014.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Best section I could find for this...

    Yubico has released a Fido alliance standard key for doing 2fa, in 2 form factors (at $50/$60 each). These are similar to existing keys which do static, HMAC-SHA1, OTP, plus NFC and certificate based authentication.

    https://www.yubico.com/press/press-...ort-fido-alliances-universal-factor-protocol/

    The Fido alliance is at

    http://fidoalliance.org/

    and includes Paypal, Mastercard and Google. Google has been using them internally for a while.

    The standard username/pin login is used, and the server can demand physical presence (a button press) to ensure the person is there.

    Apart from their security implications, these standards appear to offer improved privacy because the user owns the keys on the device and it is NOT shared amongst different sites (so they cannot trade identities).

    I do not know how you recover or duplicate the key yet, I'll report back if I start using them.

    I could not see any important real-world sites supporting this authentication yet, but will use in a trice if available - miles better than an SMS message from both a security and privacy basis.
     
  2. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    What's the difference between this and the Yubico keys up until now?

    The yubico keys seem interesting but sadly, I don't know many services that support them... Everyone seems to support "google authentication" but sadly I don't own a smartphone!
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well the original Yubikeys support various forms of OTP, and can be made to support TOTP with helpers (like on a PC) - it has no on-board clock, which I like because it means no battery. The applications of this OTP support include Symantec VIP variants, the Yubico OTP (with support for Salesforce.com and Lastpass for example). Google Authentication using OAUTH TOTP is already supported like this. They also do HMAC-SHA1 generation based on a stored secret, which can be used for Windows login and Password Safe (with no internet access assumed). They can also generate a static key, but I've never felt that was valuable to me, and it takes another slot on the key which I don't have free.

    The Neo range added some certificate support (CCID and mifare), which is now extended to add the FIDO U2F capabilities. Whereas the OTP and HMAC-SHA1 are VERY easy to manage and duplicate (I greatly prefer this over certificate based management which is nightmarish), I do not know the practicalities of managing whatever secrets the FIDO U2F uses to generate its keys.

    NFC (supported by some of the Neos) only works on Android; Apple has not opened its NFC access. It doesn't work for device logon as far as I know, which I'd want just like for the desktop login authentication - I'm not impressed by any of the smartphone login mechanisms and I do not trust them with any valuable data or site logons.

    The big problem right now is the great variety of 2FA supported by the sites (including none at all, all too common). I do not want to use SMS which is a privacy disaster (as well as denial of service when the mobile runs out of battery or is stolen), but there is no privacy-respecting 2FA apart from the Fido one, and that's not widely implemented - yet, as far as I can see. If Google (and Paypal) adds it to their authentication options, then that will change the landscape rather.

    Here's what they've said in a Fido Alliance draft overview of U2F:

    "As one of the founders of the U2F working group in FIDO, Google is working to build U2F support into the Chrome browser and will offer U2F as a 2nd factor option on Google accounts to help the start-up of the open ecosystem."

    http://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf

    I've been using the standard Yubikeys for over a year now, and am very happy with them. I use one slot for Lastpass 2FA, and the other slot for HMAC-SHA1 which does my logins with 2FA on Windows 7 and also gives Password Safe 2FA.

    This link provides a summary of the hardware variants and the different application/standards support:

    https://www.yubico.com/products/yubikey-hardware/
     
    Last edited by a moderator: Oct 18, 2014
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    There are now rather cheaper forms of key which appear to only do the Fido U2F listed on Amazon, the Yubikey one at $18, and there is another vendor called Plug-up International at $6.

    http://www.amazon.com/Yubico-Y-123-...d=1413793198&sr=1-1-catcorr&keywords=u2f fido

    I guess the important thing about this (I haven't got either, nor evaluated it) - is that provided they work, and the standard is implemented sufficiently on websites and in browsers, cost of the keys is not going to be a big constraint to mass adoption. Complexity and reliability will be!

    The later versions of Chrome implement U2F support. I'll report back if/when I test this stuff.
     
  5. guest

    guest Guest

    Windows 10: Say Goodbye to Passwords with Yubico’s Security Key
    Microsoft, Yubico partner for password-less Windows 10
    April 17, 2018
    http://news.softpedia.com/news/wind...words-with-yubico-s-security-key-520718.shtml
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Yubico's keys are fantastic. I use the NFC variant for enhanced stuff with my Androids. USB-A is the basic connection for the computer's slot though. Great device!
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Agree, I'm sensing a sea change in how well the latest devices work, and the availability of services which actually use them. Be aware that the nfc enabled devices now are slightly limited in RSA key length (if you want to do GPG type stuff). To summarize though, the YK now allows you to:
    1. log into Windows (and Linux) with a local Hmac challenge/response in slot 2. Can also use with LUKS on debian distros. Also provides 2FA for Keepass, Keepassxc, Password Safe.
    2. log into Lastpass with the Yubico OTP in slot 1, giving lastpass 2fa. Can also do Linux PAM and ssh.
    3. generate TOTP Oauth codes with the Yubico Authenticator (on Windows or Linux), or via NFC tap on Android nfc capable smartphones with the authenticator; many sites can be configured using the CCID application & QR code scanning.
    4. Act as U2F key for as many sites as you like; only practically works on Chrome with an extension at the moment; W3C supported api supposedly available and supported by Firefox Quantum, but this doesn't work on the sites I've tested.
    5. X.509 certs on Piv smartcards - can be used for Windows login on domains.
    6. GPG certificates on card for those who want it (either generated on card or as subkeys downloaded to it).
    These days, quite a lot of sites are at least offering TOTP, which is supported by the Yubikey and because the secret is stored off-machine-memory, offers some protection against Meltdown/Spectre, though not MITM.

    Rather more ideally, more sites are also doing - at last - U2F (Google accounts, FB, Git, Gandi, Fastmail, Tutanota). Because U2F dongles aren't clonable, recovery becomes interesting, but at least better sites offer "paper" one-time pads or codes for recovery which can be backed up.

    Sadly, U2F on Android requires a separate bluetooth dongle under Google's scheme; and also android phones offer no option for two factor dongle based authentication via nfc (possibly because of interception).

    Anyway, things are improving, well behind time.
     
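The U2F flow the posts above describe (a per-site key pair that other sites cannot correlate, a signature only after the button press, and a counter that lets the server notice a cloned key) as an added Go example, not code from the thread or from Yubico; the origin https://example.com and the fixed challenge are constructed for the demo, and Go's standard crypto/ecdsa stands in for the key's own secure element.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)
// Constructed model of a U2F token and relying party (added example, not Yubico's code): one
// independent P-256 key pair per registration, so sites cannot correlate users across each other.
type slot struct {
	priv     *ecdsa.PrivateKey
	appParam [32]byte // sha256 of the origin this key pair was registered for
	counter  uint32
}
var slots = map[[32]byte]*slot{} // the token's storage, keyed by opaque key handle
// Register mints a fresh key pair bound to sha256(appId); returns the key handle and public key.
func Register(appId string) (kh [32]byte, pub *ecdsa.PublicKey) {
	rand.Read(kh[:])
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	slots[kh] = &slot{priv: priv, appParam: sha256.Sum256([]byte(appId))}
	return kh, &priv.PublicKey
}
// signedData is the U2F authentication message: appParam | userPresence(0x01) | counter(BE) | challengeParam.
func signedData(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	buf := append(append([]byte{}, appParam[:]...), 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[33:], counter)
	return append(buf, challengeParam[:]...)
}
// Authenticate refuses a handle registered for another origin, signs only after the button press, and bumps the counter.
func Authenticate(appId string, kh, challengeParam [32]byte, pressed bool) (uint32, []byte, bool) {
	s, found := slots[kh]
	if !found || s.appParam != sha256.Sum256([]byte(appId)) || !pressed {
		return 0, nil, false
	}
	s.counter++
	digest := sha256.Sum256(signedData(s.appParam, s.counter, challengeParam))
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	return s.counter, sig, err == nil
}
// Verify is the relying party's check: a valid signature, and a counter that moved forward (a stalled or rewound counter is the classic sign of a cloned key).
func Verify(appId string, pub *ecdsa.PublicKey, last, counter uint32, challengeParam [32]byte, sig []byte) bool {
	digest := sha256.Sum256(signedData(sha256.Sum256([]byte(appId)), counter, challengeParam))
	return counter > last && ecdsa.VerifyASN1(pub, digest[:], sig)
}
func main() { // one login round trip against a constructed origin and a fixed stand-in challenge
	kh, pub := Register("https://example.com")
	ch := sha256.Sum256([]byte("constructed challenge"))
	ctr, sig, ok := Authenticate("https://example.com", kh, ch, true)
	println(ok && Verify("https://example.com", pub, 0, ctr, ch, sig))
}
```

A real server must store the last seen counter per registration and treat a signature that does not advance it as a security event, not just a failed login.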
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    It's the best we have going right now for simple public usage. If anyone is using U2F just make sure the sites are doing a strong backup protocol for when the chip breaks or is lost. Many allow a second backup chip to be authorized, which you can put in a safe at home or wherever, but in absence of that a paper backup code. Anything else being accepted should cause concerns for your security. U2F is supposed to make it impossible for a bad guy to get in without the chip. Sounds good but the process/industry is maturing and many websites do a crappy job of implementation.
     