Board: Beginners & Help
Merits: 19 from 9 users
2FA HW security keys, Yubikey&such.
by
Captain-Cryptory
on 05/02/2020, 16:33:09 UTC
⭐ Merited by OgNasty (4) ,Ratimov (3) ,DdmrDdmr (2) ,vapourminer (2) ,Heisenberg_Hunter (2) ,malevolent (2) ,Halab (2) ,AakZaki (1) ,NotFuzzyWarm (1)
This is a matter of security and safety of your crypto, folks, and everyone obsessed with it is more than welcome to this thread to share or gain experience on using HW keys designed for 2FA authentication. Mine is a Yubico Yubikey 5 NFC. Both relevant documentation and howtos are very scattered, so let's start with that Yubikey.

To stay very brief, the Yubikey 5 NFC is a small USB-A dongle which also uses wireless NFC. The latter is important if you are in need of authentication on mobile devices. The key supports many relevant authentication protocols: FIDO, FIDO2, U2F, OTP, TOTR, PIV, HOTP, TOTP, Challenge-response, OpenPGP, and encryption algorithms: RSA 4096, ECC p256, ECC p384. Depending on the usage, one can think of that dongle differently.

For example, one can view it as the key with an OTP interface and two programmable slots accessible through SW apps.

In a freshly bought Yubikey 5, slot 1 is preconfigured to use OTP to fit the authentication solutions from Yubico - this is the so-called Yubico OTP - while slot 2 is empty and must be configured. Some resellers offer the Yubikey VIP - for those keys, the slot 1 OTP is preconfigured to meet the corresponding Symantec products. Both slots are configurable via the YubiKey Personalization Tool. Using that, you can select and configure the protocol for yourself.

For example, slot 2 can be configured for a static password - and this is very convenient when working with a password manager - you do not need to type something every time to approach your database, and at the same time you do not need to worry about a compromised computer (if any). Or, this static password can be used as the second part of the secret when entering any site. In this case, the first part (unique for each site) can be typed on the keyboard or copied from the password manager. With this approach, any keylogger's or malware's potential to steal passwords from the clipboard is no longer scary, simply because they do not see the second part of the secret, delivered via the YubiKey OTP interface.

You can also think of the Yubikey as a FIDO-certified U2F dongle capable of serving an unlimited number of IDs.

In general, it’s convenient to imagine the Yubikey 5 NFC as a set of HW-implemented authentication tools, each of which uses its own interface:

1) FIDO interface: FIDO 2, U2F, WebAuthn.

2) CCID interface: OATH (TOTP and HOTP, up to 32 ID), PIV (Smart Card, default PIN: 123456 PUK: 12345678), OpenPGP (RSA 1024, RSA 2048, RSA 3072, RSA 4096)

3) OTP interface: Static Password, Challenge-Response or OATH-HOTP.

To get authentication via the Yubikey 5 NFC, just touch its gilded disk. The duration of the touch depends on which slot you need to activate. If this is slot 1, then the touch should last as short as 0.3-1.5 sec. If slot 2, then hold a little longer - 2-5 sec.

Specification: https://support.yubico.com/support/solutions/articles/15000014174--yubikey-5-nfc