Stevie Wonder is one of those truly great artists whose music permeates our culture. I had never actually listened to the album “Songs in the Key of Life” (https://en.wikipedia.org/wiki/Songs_in_the_Key_of_Life), but was not overly surprised to realize that I recognized many of the songs on it. Many of his songs will be familiar to most people, whether they realize that he is the performer or not. With (according to Wikipedia) over 100 million records sold, Stevie Wonder is one of the top-selling music artists of all time.
But why was I thinking about that particular album? Obviously, it’s because my Yubikeys finally came! After talking about Yubico (https://www.til-technology.com/post/_keys), I ordered two “hard tokens”, and then waited. Almost six weeks, I waited, though I was able to track the status of the shipment and I have learned to be (relatively) patient. The part I found interesting, though, is that the keys were shipped from California to Ontario by way of... New Zealand? I wondered if they just sent the keys west around the world, but then realized that they went from California, to New Zealand, to British Columbia, to Ontario. A quick bit of research indicated that the distance from California to Ontario is about 4200 km, which makes the 20,000+ km back-and-forth to New Zealand seem, well, superfluous.
Incidentally, I received a request for feedback on how happy I was with my Yubikeys, and responded that I was quite unsatisfied because they were asking me to comment on a product they had not yet sent me...
I’m just glad they came.
I wanted to ensure that I had a backup key, and wanted to have the greatest flexibility, so I ordered the YubiKey 5 NFC (https://www.yubico.com/ca/product/yubikey-5-nfc/) and the YubiKey 5Ci (https://www.yubico.com/ca/product/yubikey-5ci/), which gives me NFC (Near Field Communications – ie, tap, rather than needing to plug in), USB A, USB C, and Lightning connectors.
This is where the fun starts, though. As with the initial move to a password manager, the move to token-based authentication will be a bit of a journey – partly because of the natural hesitancy around anything new. (As is often the case, though, it’s a lot easier once you start – usually much easier than you expected)
First, some services don’t offer hardware token support. This is a bit of a pain, but I imagine the situation will evolve over time, as more and more services adopt the use of hardware tokens. In general, though, many of the larger or more popular (or more security-focused) services support hardware tokens.
Second, I think I need to dig into the services that don’t support hardware tokens... As I pointed out when I commented on Multi-Factor Authentication (https://www.til-technology.com/post/infosec-basics-multi-factor-authentication) a year ago, any form of MFA is vastly superior to not having MFA. However, you want to have the best security you can manage, and most services now provide options which are superior to text-based or “SMS” as a second factor.
There are a number of authenticator apps out there, and they are relatively easy to use. I personally use both Google Authenticator and Authy, and have been quite satisfied with both, which is why I’d like to learn more about this “Yubico Authenticator” I am now reading about. My understanding is that the major differences between Yubico Authenticator and similar apps is that Yubico Authenticator requires the presence of a Yubikey, and stores the codes on the Yubikey itself. As with all such things, there will be pros and cons, but having a single authenticator app is quite appealing, and strikes me as a somewhat more elegant solution. I’ll need to look into this in more detail, and may write about it at some future date.
For now, I think I’ve found an easy solution to manage both the learning curve around these new keys and the migration of services to using it. Tags.
When I started using a password manager, and noted that it supports the use of tags to manage accounts, I thought that was interesting, but didn’t really see much value in it for me at that time. Now, however, I am glad the feature exists, since I can simply tag each account when it uses the Yubikey, an Authenticator app, or SMS, and use that to gradually transition everything to a more secure approach. My current plan is to set up the Yubikeys for as much as I can, get used to them, then start phasing out other forms of MFA over time. The goal here is to learn, after all.
Let’s see how this all plays out. At the very least, I’m going to learn more about authentication, which is never a bad thing for anyone interested in InfoSec.
Cheers!
Comments