Gosh, I've never heard of a yubikey but it must be something really important seeing how many times QG has mentioned it. But if it were really so important, surely she'd explain what it is? Quixotic Geek couldn't possibly be doing that geeky thing of assuming everyone, all the users of passwords and pins and fingerprints and everything else, is equally geeky, could she? Oh, she is. Well, I'll have to look it up for myself then. Oh look, there's a Wikipedia page:
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports...
So it's an actual physical device. Yet another thing to carry around. Yet another clunky feature. How wonderful! Looks like you have to plug it into a USB slot in a computer. How do you connect it to a smartphone? Or a dumbphone? Or a computer that's so old it has no USB connection or so new it only has USB of a newer type? Or when you've forgotten it? Or when it's worn a hole in your pocket? Most of all, are people really going to welcome the need to carry round an extra thing when they could simply put in a four digit pin or use their finger? Moah humanz needed.
On my phone I hold it up and the NFC interface of the phone interacts with it. Or I can plug it into the USB-C port of my phone.
The thing is it is smaller than a key. My main yubikey sits on the bunch of keys alongside my house keys. I have another that is always plugged into my laptop.
No solution is perfect. What happens if you use fingerprints and cut or burn your finger? What happens if you use facial recognition, but get stung by a bee and your face swells? What happens if you forget a password? Everything has some disadvantage. IMHO, yubikeys are a least worst solution.
I agree with much of what you said, but why is Google Authenticator a problem? I know that SMS can be socially engineered (by phoning the network provider and pretending to be the user), but Authenticator is basically the same as one of those RSA security key things - you need a password/biometric thing to get at it, and it changes every minute, and for every login attempt, so even a successful phishing page won't get you enough data to correctly log into the real page.
I ask because at a previous job I wrote the 2fa integration for our service to use Authenticator (was previously password only, so at least somewhat better).
It can be MITM'd[1]. If you enter it into a phishing site, it will likely allow the attacker to login. Esp as most systems allow you to stay logged in for ages. The Yubikey is very hard to MITM.
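To make the difference concrete, here is an added illustration (not code from anyone in this thread): a constructed TOTP generator per RFC 6238 next to a simplified origin-bound challenge of the kind a hardware key performs. The relay scenario is modelled from the defender's side: a code typed into a fake site is accepted by the real site within the time window, while a signature the key produced for the fake site's domain fails verification at the real one. The HMAC-based "signature", the domain names and the secrets are all assumptions standing in for the real public-key signature and real relying parties.

```python
import hmac
import hashlib
import struct


# --- TOTP (RFC 6238 / RFC 4226), constructed demo ---------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, at // step, digits)


def totp_server_accepts(secret: bytes, code: str, at: int, step: int = 30) -> bool:
    """Typical server check: current window plus one on either side for clock drift."""
    return any(hmac.compare_digest(code, totp(secret, at + d * step)) for d in (-1, 0, 1))


def totp_phishing_relay(secret: bytes, at: int) -> bool:
    """Model of the relay: the user reads the code from their app and types it into
    a fake login page; the attacker forwards the same code to the real site within
    the same window. The code carries no information about *which* site it was
    typed into, so the real site accepts it. Returns True if the relay succeeds."""
    code_typed_into_fake_site = totp(secret, at)
    return totp_server_accepts(secret, code_typed_into_fake_site, at)


# --- Origin-bound challenge, simplified WebAuthn-style model ----------------
# Assumption: HMAC with a per-credential secret stands in for the asymmetric
# signature a real hardware key produces; the structure is what matters here.

def authenticator_sign(cred_secret: bytes, rp_id: str, challenge: bytes) -> bytes:
    """The key signs over the hash of the relying-party domain the browser reports
    (the origin the user is actually on) together with the server's challenge."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return hmac.new(cred_secret, rp_hash + challenge, hashlib.sha256).digest()


def rp_verify(cred_secret: bytes, rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    """The real relying party verifies against *its own* domain, never the attacker's."""
    expected = authenticator_sign(cred_secret, rp_id, challenge)
    return hmac.compare_digest(expected, assertion)


def hardware_key_phishing_relay(cred_secret: bytes) -> bool:
    """Same relay attempted against a hardware key. The attacker forwards the real
    site's challenge, but the user's browser is on the fake domain, so the key
    signs for that domain. Returns True only if the real site would accept it."""
    real_rp = "bank.example"      # assumed real relying party
    fake_rp = "bank-login.example"  # assumed look-alike phishing domain
    challenge = hashlib.sha256(b"constructed challenge from real_rp").digest()
    assertion_from_fake_site = authenticator_sign(cred_secret, fake_rp, challenge)
    return rp_verify(cred_secret, real_rp, challenge, assertion_from_fake_site)


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"
    print("TOTP relay accepted by real site:", totp_phishing_relay(demo_secret, 1_700_000_000))
    print("Hardware-key relay accepted by real site:", hardware_key_phishing_relay(b"cred"))
```

The detection angle follows from the same property: a TOTP server cannot tell a relayed code from a genuine one, whereas an origin-bound assertion for the wrong domain is a verification failure you can log and alert on.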
Not a fan of yubikey, because it is a small physical object that can be lost.
2FA, via an app, is a better solution. Someone tries to connect to a secure system, the system alerts the app. What happens next varies. The app asks some version of 'Are you trying to log in?', and to be able to answer you have to be able to unlock the device and respond. Sure, a phone could be cloned, but that is getting into serious system penetration territory.
A phone is a big physical thing that can be lost, and is very expensive to boot.
My housemate lost his phone earlier this year. He couldn't buy another. Why? Cos to make the credit card purchase, he needed to do 2FA. What was his second factor? his phone. He couldn't get into his password manager. Why? Cos it used his phone for 2FA.
Yes a yubikey can be lost, same as I can lose my housekeys. *BUT* they are 50 euro each, so a lot easier to replace, and there's no reason not to have 2, one on your key ring, and one as a backup in the place you keep important documents (you do have a fire safe right?)
Where do passwords fail?
When the password is used once in a blue moon - people either forget, or use the same password for everything.
Over-complex requirements, making it very hard to remember.
Banning common word combinations (a very secure password method is to use a book - pick random page and lines down the page, use the first x words on that line. You can then record the page and line number in some way - but not the book.)
A lot of system designers use really shit password policies thinking they make things more secure, when they just make the system harder to use.
Stands to reason to use an existing device or a bit of you. People don't want to remember passwords,
As detailed up above, writing them down is legitimately ok if done properly.
don't want to faff around with password managers,
Most people use a password manager without thinking of it. Every time they hit save password in their browser.
don't want to change their password every 13 days,
As detailed above, time limiting passwords goes against NIST best practice and is frankly a stupid idea.
and don't want to include a hieroglyph.
I'm assuming you didn't read my post explaining that this is a stupid requirement and that it's not needed to make passwords secure.
These are solutions optimally solved by using a single password everywhere or writing them down on post-its (and hey, I have passwords on my office whiteboard – because, as Jaded says, they're not critical and anyone reading the board wouldn't have a clue what they are for, but hey, if you want go update Jira for me, have a ball).
I love it when companies do this. Cos once you have one access you'd be amazed at what sort of side ways movement is possible. But sure, stick it on the white board if that helps.
Sure, if you're in the security services or somesuch, have a chip implanted up your arse and use butt-authentication. I don't need that for Netflix.
May I suggest a nice cup of tea? Maybe a nap? You seem really fucking grumpy today, more so than usual.
Password security is a bit like inventing a 25kg house key and then complaining people leave their doors open. Yes, I'm sure you can buy a key trolley to wheel it around for you, but that discounts human behaviour (the same flaw that means if you ask someone their password, they'll tell you).
Except it isn't. There's a lot of people who implement passwords *REALLY* badly. But a password, if done properly, is secure and easy to use. The issue isn't passwords, the issue is poor implementation. Fingerprints don't solve this, face scans don't solve this, they just introduce new ways to fail.
Not often I disagree with you, Ian, but I utterly disagree with you.
Glad I'm not the only one then.
Sure, there are lot of people who only use passwords to access personal stuff - and they probably already do it all via fingerprint on their phone.
Using that for everything, including work (the military, government?) is ridiculous. You are taking something that needs secure access and removing the access control management from the organisation.
This is why I really like yubikeys. I can manage them, centrally for my whole organisation. They are harder to MITM. And they provide strong cryptographic authentication. Really like them.
Well, that was my comment (and Jaded's) about security being fit for purpose, I think access to my Jira boards or Netflix account is an entirely different security paradigm to Nuclear Command Code System v3463.5656.432 (someone should change the password to that, I'm sure Trump reset it to 'Password01$').
Yes and no. From your point of view being able to use "mypassword1" as your Netflix password is very simple for you. But for the organisation it's very annoying if someone guesses that password, and takes over your account. They now have to spend money on support recovering your account for you. You are not the only player in this game. Security is for everyone.
J
[1] Man in the middle attack.