Two-Factor Authentication the right way post

About two-factor authentication:

You may or may not use two-factor authentication (2FA) on your important online identities (like Google, Facebook, Twitter, or any other ‘personal’ account).

Photo showing two-factor authentication

So, whenever you log into one of those accounts you are prompted for two things next to your username, namely your password and two-factor token.

In Theory:

Why does this token create an extra benefit? Let’s look at some of the different flavours of authentication:

  • Something you know (like a password). This is one of the most common means of online authentication. You fill in a piece of text known only to you, so the system can verify that you are who you say you are.
  • Something you have (like a smartcard, also called a Security Token). This form is used a lot more in offline environments. Take a bank, for example: the _Something you have_ can be your ATM card, and they combine it with _Something you know_, namely your PIN.
  • Something you are (like a fingerprint). This form is sometimes found on certain laptops, and can even be used to configure two-factor login with PAM under Linux.

So, two-factor authentication is a combination of two of the above-named flavours. Because it’s a combination, it’s sometimes called ‘multi-factor authentication’.

In practice:

Previous situation:

I used to have two-factor authentication set up only on a select few accounts that are important to me. Although it worked out, I was kind of scared of losing my phone, since losing it means losing access to the generator that creates the OTP (One Time Password) tokens.

When you set your account up, you usually get the option of generating a few ‘scratch codes’. These codes are not bound by time, and can be used in case of an emergency. However, I needed a place to store the codes.

I used to store them in my password manager, but I wasn’t too happy about that, since keeping the scratch codes next to the passwords collapses the two factors (something I know and something I have) into a single place.

Current situation:

You may have read my blogpost about the YubiKey Neo, which I use for PGP subkeys. One other thing the Neo can do is use NFC. If you are familiar with Google Authenticator on your mobile device, Yubico offers a slightly patched alternative called Yubico Authenticator. It works in much the same way, although it needs the YubiKey over NFC to show the OTPs. One benefit of this is that I can use it on any device which has the Yubico Authenticator installed.

This photo belongs to Yubico and is taken from the Yubico blog: https://www.yubico.com/2013/09/yubikey-neo-oath-applet/

The same problem I had in the past unfortunately still stands: what if I lose my YubiKey? Well, for PGP I can create new subkeys, but for OTPs I can’t, since I don’t know the secret.

I’ve found a trick online which is so simple that I feel stupid for not thinking of it before. Whenever you set up two-factor authentication, you usually get a nice QR code that you scan to transfer the secret onto your device. You then enter one of the OTPs to confirm the generator works properly.

I have an old iPhone 4 lying around which isn’t used anymore since it’s too slow nowadays, but it still has Google Authenticator installed. I set up all of my codes again for the YubiKey, and at the same time scanned the QR codes with my iPhone, and verified that both generate the same OTPs before confirming the new secret. That way I always have a ‘backup’ of my secrets.
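To show what the QR code actually carries and why two generators enrolled from it must agree, here is an added example (my own illustration, not code from the author or from Yubico): a parser for the otpauth:// URI encoded in the QR code and a minimal RFC 6238 TOTP generator. The URI, its label and its base32 secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample of the URI an enrolment QR code encodes (secret is a made-up value).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.org"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the label, base32 secret and parameters from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": parts.path.lstrip("/"),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, timestamp, digits=6, period=30):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(timestamp) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same_secret_same_code(uri, timestamp):
    """Two generators enrolled from the same QR code see the same secret, so they
    must agree on every code; this is the check to run before confirming enrolment."""
    cfg = parse_otpauth(uri)
    yubikey_code = totp(cfg["secret"], timestamp, cfg["digits"], cfg["period"])
    backup_phone_code = totp(cfg["secret"], timestamp, cfg["digits"], cfg["period"])
    return yubikey_code == backup_phone_code


def verify(secret_b32, candidate, timestamp, window=1):
    """Server-side check: accept the current step and +/- `window` steps for clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, timestamp + step * 30), candidate)
               for step in range(-window, window + 1))
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so it can be checked against a real authenticator app enrolled with the same secret.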

I store this phone together with the USB stick containing my PGP master key, and only use it in emergencies.

Conclusion:

I now have a separation of something I know and something I have, while avoiding the risk of losing the something I have, since I keep a backup of the secrets on my old iPhone. On the other hand, I don’t even have to keep my phone with me, since the YubiKey works universally on any device that has the Yubico Authenticator.

If you have any questions or feedback, I’d love to hear from you in the comments below. Please let me know if you have made similar setups :)

PS. I am in no way affiliated with Yubico, I’m just a happy customer! :)

Categories: Security

Tags: 2FA, Two-factor, YubiKey