Why Yubikey-based challenge-response authentication matters

Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

When using a Yubikey (or other tool) to login to a site with challenge-response authentication, having done a prior key exchange will defeat man-in-the-middle attacks as long as the initialization process where the key exchange occurred was a clean connection. Here is an example of why this matters for more than just circumventing phishing attacks.

From:
https://www.theregister.com/2023/01/26/ ... ug_akamai/
The PoC demo exploits an old version of Chrome on Windows, which uses CryptoAPI to check certificates, using a man-in-the-middle attack to make the browser think it's talking to the legit server for a HTTPS website but is in fact using a malicious fake. The PoC doesn't get more useful than that.
CC1E
Posts: 181
Joined: Tue Aug 22, 2017 7:45 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by CC1E »

It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access. Reminds me of the old days with hardware RSA keys and Bloomberg B-Units.

Password manager with strong master password, random long passwords for critical sites, and soft tokens on phones are still sufficient.

Avoiding the man in the middle attack scenario is easy if you never go to your critical sites by clicking links. Always manually enter the URL.
Vulcan
Posts: 2975
Joined: Sat Apr 05, 2014 11:43 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by Vulcan »

CC1E wrote: Thu Jan 26, 2023 3:21 pm Always manually enter the URL.
Better yet, bookmark.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
hachiko
Posts: 941
Joined: Fri Mar 17, 2017 1:56 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by hachiko »

CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access. Reminds me of the old days with hardware RSA keys and Bloomberg B-Units.

Password manager with strong master password, random long passwords for critical sites, and soft tokens on phones are still sufficient.

Avoiding the man in the middle attack scenario is easy if you never go to your critical sites by clicking links. Always manually enter the URL.
I'm far from a security expert, but I don't think manually typing in websites necessarily protects against a MITM attack.

As for the soft tokens on phones over the Yubikey, I find the Yubikey much more convenient than pulling out my phone (which sometimes involves walking around the house looking for my phone). The "losing it" is definitely a concern and happened to me. But, the only places I use the Yubikey, it gives me the option to setup a backup method, so I usually set that up with an authenticator app as well.
Made money. Lost money. Learned to stop counting.
Nicolas
Posts: 4886
Joined: Wed Aug 22, 2012 7:41 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Nicolas »

CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access. Reminds me of the old days with hardware RSA keys and Bloomberg B-Units.
Buy two keys with one as backup. Better yet, three. It’s what I did and I don’t worry about losing them. The security they afford is of course priceless.
aaron2020
Posts: 10
Joined: Fri Feb 17, 2017 8:46 am

Re: Why Yubikey-based challenge-response authentication matters

Post by aaron2020 »

CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key.
If you're using 2FA on your phone, a second device or key is handy if you have a problem with your phone
Muffin Master
Posts: 45
Joined: Wed Sep 05, 2018 3:00 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by Muffin Master »

I use YubiKeys a lot. It is by far superior to my memory. TOTP or OTP from Yubico are very good implementations. All digital keys are stored on the YubiKey and cannot be read. I have backup keys and I only use it with sites that allow for backup keys.
Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access.
You can have two Yubikeys, or use Google Voice SMS as a backup to connect if and when a Yubikey fails or is lost.

TOTP has more lockout risk from loss or failure of hardware.
HawkeyePierce
Posts: 2344
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Why Yubikey-based challenge-response authentication matters

Post by HawkeyePierce »

CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access. Reminds me of the old days with hardware RSA keys and Bloomberg B-Units.

Password manager with strong master password, random long passwords for critical sites, and soft tokens on phones are still sufficient.

Avoiding the man in the middle attack scenario is easy if you never go to your critical sites by clicking links. Always manually enter the URL.
If avoiding phishing attacks was easy for humans, Google wouldn't have needed to roll out hardware keys to all their employees. Googlers are generally pretty smart people and yet they still tripped over these attacks.

Humans get sleepy. Or distracted. Or confused. Hardware keys suffer from none of those issues.
Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

Phishing is not the only way a MITM attack may be initiated. Your broadband modem and router are probably the least secure components in the data path between your browser and a web site. When was the last time you upgraded their firmware to incorporate security fixes? And even then, the upgrade process itself is a potential attack vector if not done with due diligence. The router also is a risk for a clean initialization of 2FA.
RickBoglehead
Posts: 7852
Joined: Wed Feb 14, 2018 8:10 am
Location: In a house

Re: Why Yubikey-based challenge-response authentication matters

Post by RickBoglehead »

Northern Flicker wrote: Thu Jan 26, 2023 4:35 pm Phishing is not the only way a MITM attack may be initiated. Your broadband modem and router are probably the least secure components in the data path between your browser and a web site. When was the last time you upgraded their firmware to incorporate security fixes? And even then, the upgrade process itself is a potential attack vector if not done with due diligence. The router also is a risk for a clean initialization of 2FA.
My Google mesh system automatically updates. Xfinity also automatically updates my modem.
Avid user of forums on variety of interests-financial, home brewing, F-150, EV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
CC1E
Posts: 181
Joined: Tue Aug 22, 2017 7:45 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by CC1E »

hachiko wrote: Thu Jan 26, 2023 3:43 pm
CC1E wrote: Thu Jan 26, 2023 3:21 pm It’s all fun and games until you lose the hardware key. Then you get to spend days on the phone regaining access. Reminds me of the old days with hardware RSA keys and Bloomberg B-Units.

Password manager with strong master password, random long passwords for critical sites, and soft tokens on phones are still sufficient.

Avoiding the man in the middle attack scenario is easy if you never go to your critical sites by clicking links. Always manually enter the URL.
I'm far from a security expert, but I don't think manually typing in websites necessarily protects against a MITM attack.

As for the soft tokens on phones over the Yubikey, I find the Yubikey much more convenient than pulling out my phone (which sometimes involves walking around the house looking for my phone). The "losing it" is definitely a concern and happened to me. But, the only places I use the Yubikey, it gives me the option to setup a backup method, so I usually set that up with an authenticator app as well.
IT Security is my field. Manually typing URLs, or bookmarking as someone else suggested, mitigates the main way you’d fall victim to a MITM attack (emailed phishing link).

If you have no issues keeping the Yubikey with you everywhere you may need it, then you’re all set. But if you access your accounts from multiple locations, like home and work, it’s a pain to ensure you have it and don’t lose it in transit. You could have multiple yubikeys, but not all sites support that.
Nicolas
Posts: 4886
Joined: Wed Aug 22, 2012 7:41 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Nicolas »

CC1E wrote: Thu Jan 26, 2023 5:00 pm If you have no issues keeping the Yubikey with you everywhere you may need it, then you’re all set. But if you access your accounts from multiple locations, like home and work, it’s a pain to ensure you have it and don’t lose it in transit. You could have multiple yubikeys, but not all sites support that.
I put them on my key rings and so one is always with me as one of my cars is always with me. I have an AirTag on each key ring too (though I never lose my keys). So for me it’s not a problem.
Last edited by Nicolas on Thu Jan 26, 2023 6:42 pm, edited 1 time in total.
dual
Posts: 1371
Joined: Mon Feb 26, 2007 6:02 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by dual »

AFAIK, of the big financial companies, only Vanguard uses Yubikey. The others that I’m familiar with (Fidelity, Schwab, E*TRADE) only support Symantec.

If I am wrong, please explain how I can use Yubikey to control access to the three companies I mentioned.
Swift
Posts: 64
Joined: Sat Jan 07, 2023 4:03 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by Swift »

dual wrote: Thu Jan 26, 2023 5:16 pm AFAIK, of the big financial companies, only Vanguard uses Yubikey. The others that I’m familiar with (Fidelity, Schwab, E*TRADE) only support Symantec.

If I am wrong, please explain how I can use Yubikey to control access to the three companies I mentioned.
You are correct about E*TRADE, I just realized this while setting up our hardware keys. The other super fun thing I realized about E*TRADE is that they have a password character limit of 32 (which they don't tell you, but I looked it up). However, if you use Symantec, the way the system treats it is to append the Symantec code to the password, thereby reducing the available password length to no more than 26 characters. E*TRADE also doesn't tell you any of this; I had to figure it out by trial and error (and the good graces of some redditor who also was bamboozled by it). Wish all the banks would start allowing hardware tokens.
Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

dual wrote: Thu Jan 26, 2023 5:16 pm AFAIK, of the big financial companies, only Vanguard uses Yubikey. The others that I’m familiar with (Fidelity, Schwab, E*TRADE) only support Symantec.

If I am wrong, please explain how I can use Yubikey to control access to the three companies I mentioned.
This is a general problem. AFAIK, I would need three two different TOTP generators plus Yubikeys to secure the financial services we use, and that still would not cover my 401K.
Last edited by Northern Flicker on Thu Jan 26, 2023 11:33 pm, edited 1 time in total.
Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

Nicolas wrote: Thu Jan 26, 2023 5:07 pm
CC1E wrote: Thu Jan 26, 2023 5:00 pm If you have no issues keeping the Yubikey with you everywhere you may need it, then you’re all set. But if you access your accounts from multiple locations, like home and work, it’s a pain to ensure you have it and don’t lose it in transit. You could have multiple yubikeys, but not all sites support that.
I put them on my key rings and so one is always with me as one of my cars is always with me. I have an AirTag on each key ring too (though I never lose my keys). So for me it’s not a problem.
As long as the Yubikey config is PIN-protected, and/or the provider does not use it to authenticate a password reset, it is fine to carry it around.
hudson
Posts: 7098
Joined: Fri Apr 06, 2007 9:15 am

Re: Why Yubikey-based challenge-response authentication matters

Post by hudson »

Apple and iCloud are going to start using Yubikeys:

https://support.apple.com/en-us/HT213154
ObiQuiet
Posts: 119
Joined: Sun Sep 05, 2021 12:04 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by ObiQuiet »

I've found the yubikey to be far more convenient than having to use SMS or a phone app.

Many sites let you register not only more than one yubikey (for backup) but also use the authenticator app on your phone. If you do this, you have more than one recourse if you've lost the key, or left it in a place where you aren't.

You can even duplicate the authenticator app -- a good use for an old cell phone, filed with your secure papers.
Nicolas
Posts: 4886
Joined: Wed Aug 22, 2012 7:41 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Nicolas »

ObiQuiet wrote: Thu Jan 26, 2023 7:45 pm I've found the yubikey to be far more convenient than having to use SMS or a phone app.

Many sites let you register not only more than one yubikey (for backup) but also use the authenticator app on your phone. If you do this, you have more than one recourse if you've lost the key, or left it in a place where you aren't.

You can even duplicate the authenticator app -- a good use for an old cell phone, filed with your secure papers.
But isn’t an authenticator app less secure than Yubikey? If so and you use both then the security of your account is reduced to the weakest link which is not Yubikey.
Topic Author
Northern Flicker
Posts: 15288
Joined: Fri Apr 10, 2015 12:29 am

Re: Why Yubikey-based challenge-response authentication matters

Post by Northern Flicker »

Logging in with the authenticator app is slightly less secure because it does not defeat MITM and trojan horse attacks, but having it configured does not prevent you from logging in with the Yubikey, defeating said attacks.

It is a larger attack surface than having two Yubikeys, but I think that is an acceptable, very slight increase in risk.
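Added example, not code from any poster: a stdlib-only Python model of the point made in this reply and in the opening post. The token and server share a secret exchanged once at enrollment (assumed to happen over a clean connection), every response covers the origin the browser actually connected to, and each challenge is single-use, so a relay sitting at a lookalike hostname gets an answer the real site rejects, while a TOTP-style code carries no origin at all and forwards unchanged. The hostnames and the user name are constructed.

```python
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example-bank.test"       # constructed hostname
LOOKALIKE = "https://login.example-bank.evil.test"  # constructed relay hostname

def _otp(secret: bytes, slot: int) -> str:
    # TOTP-style bearer code: depends on the secret and the time slot only.
    mac = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

class Token:
    # Toy hardware token: keeps the shared secret and only ever emits MACs.
    def enroll(self) -> bytes:
        self._secret = secrets.token_bytes(32)  # the one-time key exchange
        return self._secret

    def respond(self, challenge: bytes, seen_origin: str) -> bytes:
        # seen_origin comes from the browser, not the user: the site it connected to.
        return hmac.new(self._secret, challenge + seen_origin.encode(), hashlib.sha256).digest()

    def otp(self, slot: int) -> str:
        return _otp(self._secret, slot)

class Server:
    def __init__(self, origin: str) -> None:
        self.origin, self.keys, self.pending = origin, {}, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify_response(self, user: str, response: bytes) -> bool:
        ch = self.pending.pop(user, None)  # single use: a replayed answer finds no challenge
        if ch is None:
            return False
        want = hmac.new(self.keys[user], ch + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(want, response)

def enrol_clean() -> tuple[Server, Token]:
    server, token = Server(RP_ORIGIN), Token()
    server.keys["alice"] = token.enroll()  # the secret crosses the wire once, here
    return server, token

def challenge_login(browser_origin: str) -> bool:
    # A relay forwards the bytes unchanged; only the origin the browser saw differs.
    server, token = enrol_clean()
    ch = server.challenge("alice")
    return server.verify_response("alice", token.respond(ch, browser_origin))

def otp_login(slot: int) -> bool:
    # A forwarded OTP is indistinguishable from one typed at the real site.
    server, token = enrol_clean()
    return hmac.compare_digest(_otp(server.keys["alice"], slot), token.otp(slot))
```

The same origin-binding and single-use-challenge properties are what make U2F/FIDO logins resistant to a relayed session; the model omits the per-site key pairs a real authenticator uses.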
ObiQuiet
Posts: 119
Joined: Sun Sep 05, 2021 12:04 pm

Re: Why Yubikey-based challenge-response authentication matters

Post by ObiQuiet »

Nicolas wrote: Thu Jan 26, 2023 10:43 pm
ObiQuiet wrote: Thu Jan 26, 2023 7:45 pm I've found the yubikey to be far more convenient than having to use SMS or a phone app.

Many sites let you register not only more than one yubikey (for backup) but also use the authenticator app on your phone. If you do this, you have more than one recourse if you've lost the key, or left it in a place where you aren't.

You can even duplicate the authenticator app -- a good use for an old cell phone, filed with your secure papers.
But isn’t an authenticator app less secure than Yubikey? If so and you use both then the security of your account is reduced to the weakest link which is not Yubikey.
Yes, it is less secure.

SMS OTP - least secure, least convenient
TOTP - more secure, IMO same level of hassle as SMS (pull out your phone or reach for a token and get a # to type in)
U2F / Yubikey - most secure, and IMO most convenient (if you have one in each computer you use)

I notice that 1Password actually has an embedded authenticator app, so you don't need to reach for your phone. Not sure about using that yet, as it seems to remove the "2nd" from "2nd factor".

It's unfortunate that people perceive U2F devices as less convenient.
Even more unfortunate that some institutions still allow fall back to SMS or email OTP, even when you are using something more secure.
jincopunk
Posts: 28
Joined: Sat Sep 27, 2014 9:57 am

Re: Why Yubikey-based challenge-response authentication matters

Post by jincopunk »

Northern Flicker wrote: Thu Jan 26, 2023 6:31 pm
Nicolas wrote: Thu Jan 26, 2023 5:07 pm
CC1E wrote: Thu Jan 26, 2023 5:00 pm If you have no issues keeping the Yubikey with you everywhere you may need it, then you’re all set. But if you access your accounts from multiple locations, like home and work, it’s a pain to ensure you have it and don’t lose it in transit. You could have multiple yubikeys, but not all sites support that.
I put them on my key rings and so one is always with me as one of my cars is always with me. I have an AirTag on each key ring too (though I never lose my keys). So for me it’s not a problem.
As long as the Yubikey config is PIN-protected, and/or the provider does not use it to authenticate a password reset, it is fine to carry it around.
If you lose it on the street how is a stranger going to know which sites you use it on and your username and password for each site?