U2F or Universal 2nd Factor security keys have been with us since around 2009 in their current form although some smartcard technology they use has been with us considerably longer. Many people in the IT press have written about what we should do to improve our security posture, few however credited this technology as a solution to the password and phishing problem. Today, I want to take a few minutes to talk about some different ways a U2F security key can be used on a personal level and how organisations can use them to improve their security posture without complicating the login experience.
Just in case you've come across this blog by accident and you’re wondering what's this all about. Multi-Factor-Authentication (MFA) takes many forms but the basic premise is, you can't access a computer resource without using two things to identify yourself with. Something you know as the first factor for authentication e.g. your UserID and password and something you have (physically) as the second factor. The classic example is the RSA token, although these are still commonly deployed, many organisations are moving over to push based authentication using mobile phones or the Google authenticator type apps.
I covered a little about the history of security keys in a previous blog post "a smarter way than passwords". It explained how U2F could be used for a password-less login experience as defined by FIDO2 and WebAuthn. Although some sites have now implemented these standards, it's looking like it's going to be awhile before password-less login on the web is commonplace. Even without the mass adoption of FIDO2 (Fast IDentity Online), security keys can play an important role in reducing phishing by allowing us to use simple 2 Factor-Authentication (2FA) without the need for mobile phone signal or even a device with a battery. The traditional approach to security had been to make a password more complex. We've all tried to set a password when some bright spark has changed the policy rule complexity, something like at least 10 characters, contain at least 2 upper case letters, 2 numbers, a special characters and must not have consecutive repeated characters etc, etc, etc. Well done, half of the company now stores the password on a post-it note in the top drawer or stuck to the monitor. The other half will create support tickets when their password expires and all of them are frustrated with the complexity and having to change it every month. Maybe I'm being harsh saying half, but you get my point. A question not asked often enough is are the passwords been stored securely, but that's a whole different conversation. Although I agree with the goal of stronger security to keep our data secure, I feel the method is floored. In order for security to work effectively, it shouldn't burden the users or they'll do whatever they can to make it easy for themselves.
Enter the U2F security key. Simple to use, multifunctional, inexpensive, no batteries to run out and no need for cellular signal (well for some applications). Yubico are not the only vendor to manufacture these keys, but we'll focus on them because they provide a number of applications to support their keys. They are one of the founder members of the FIDO Alliance and manufacture different keys depending on USB interface and requirement for FIPS (Federal Information Processing Standard). USB Type-A is the most common with Type-C for people with newer machines. The YubiKey NEO has NFC for easy use with mobiles. Android users can take advantage of using On The Go (OTG) cable on supported devices, if they don't own a YubiKey NEO.
Yubico recommends you purchase a primary and backup key, you wouldn't want to loose access to your PC or favouritesite if you misplace your key. I keep one on my key ring, so it’s practically always with me and another in my office at home. When you take delivery of your shiny new Yubikeys, you'll need to download and install Yubico's "Personalization Tool" (PT), which can be downloaded from Yubico's download site (https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/). You're now able to program the keys.
Each YubiKey has two memory slots, each can be programmed to perform the following functions:
HMAC-SHA1 Challenge-Response - Second Factor Authentication for applications and login.
Personal Identity Verification (PIV) - Smartcard for password-less login
One-Time-Password - OATH-TOTP (time based) and OATH-HOTP (counter based).
Yubico One-Time-Password (OTP) - Yubico Cloud service.
OpenPGP - signing email and document using Pretty Good Privacy.
Some functions like PIV and Yubico OTP default to the first slot while other functions use slot 2. The location for each function isn't fixed and can be moved if required. The only difference between the slots is how they are activated. Slot 1 is activated by a tap of the gold disc while slot 2 uses a tap and hold.
Let's look at how a few of the applications are used.
The Challenge-Response functionality is useful as it works completely off-line and interaction is only between an application and the YubiKey. It supports functions as diverse as Full Disc Encryption (FDE), MacOS, Windows and Linux login services and authentication of supported applications. In simple terms, the PT programmes the key with a 20 Byte secret also shared with the application sending the challenge. An API sends a challenge of up to 64 bytes to the key, which is hashed using HMAC-SHA1 with the secret to create the response. The challenge is typically made up of several pieces of information depending on the application sending the challenge. As the challenging application also knows the secret, the response from the YubiKey is compared to the calculated value from the application. If a match is found you are authenticated.
To activate Challenge-Response for Windows login requires some additional software installing on the machine. Yubico-Windows-auth.exe is available from Yubico download page. Once the software is installed five things must be done:
1) The feature enabled
2) The key associated with the login user account
3) The software configured with the secret
4) The software has a test function that must run to check the configuration is correct
5) The PC rebooted
As long as the above are done successfully, you’re good to go. The next time you login, not only will you enter your User ID and password, your programmed Yubikey will also need to be attached to a USB port. This method should only be used with machines with local credentials, not domain attached machines. A note of caution, the configuration program has a tick box to enable "safemode". If safemode is enabled and you lose your key and you don't own a backup key, you will need to reinstallWindows.
Using a security key for Active Directory (AD) login is a little more complex to set up and requires a Windows Certificate Authority (CA) be active and configured on the domain. Several methods exist for deployment however, we will only discuss self-enrollment.
A prerequisite for AD login is support for CCID (Chip Card Interface Device) protocol by your YubiKey. CCID allows smartcard and card readers to connect to computers via USB. You will need to install "YubiKey NEO Manager" software to enable this function to work with YubiKey NEO's. Windows 2000 was the first version of Windows to provide basic support for smartcard operation. Yubico provide a driver with additional functionality "Yubico Smart Card Minidriver" allows management of the certificates and PINs via the native Windows GUI and APIs.
When programming a key to support PIV I used the "PIV Manager" software. Logins to a domain after PIV is complete requires no credentials be entered by a user. To ensure a key isn't illegitimately used, a PIN must be programmed to authenticate the user to the key. This process is automatic on the initialisation of the PIV Manager software. The PIN should be 4-8 characters long, If the PIN is entered incorrectly 3 times consecutively, the PIN is locked out until a PUK code is entered, much the same as a SIM locked on a mobile phone. With the PIN set, PIV Manager can request a certificate from the Windows CA. A new X.509 Certificate Signing Request (CSR) is generated by PIV Manager, three pieces of information need to be supplied:
1) The private key length and type, 2048bits using RSA as an example
2) The subject of the certificate which is the UserID i.e. CN=<UserID>
3) The template the CA should use
The CA will sign the request and return a signed certificate to the PIV manger for programming of the YubiKey. You should programme the backup key at the same time if possible.
The next time you login to your PC, the login page will look different asking you not for your UserID and password, but requesting your PIN. When you enter the correct PIN, your authenticated and you can work as normal. How the PC is affected by the removal of the key can be altered as required by group policy.
The last thing I want to talk about today is One-Time-Password (OPT) specifically Time based-One-Time-Password TOTP.
Many websites provide 2 Factor-Authentication (2FA) these days and typically they use an app like Google authenticator. Now you have your YubiKey you may want to use it for these as well. A little on how TOTP works first. If you like to read an RFC, you'll need to reference RFC6238 to find the details. If you're looking for an overview, this may help.
When you select a site that supports 2FA its likely TOTP will be the offering. A secret will be generated by the site, which is normally shared with you as a QR code or a long text string. When you want to authenticate to the site, the secret and the time (rounded off) are hashed using HMAC-SHA1 to give a 6-8 digit number, which is entered into the site. As both the site and the app share the same code and should have the correct time both the value calculated from the site and the value from the app should be the same.
So how is this implemented with a YubiKey and why bother with it? Yubico have an authenticator app, which can run on a desktop PC or mobile phone. The process works much the same as described above, except the hashing function is performed by the YubiKey and the result displayed in the app. Without the app being connected to your key physically on the desktop version, no codes are generated by the app. The mobile version of the app has the ability to use NFC in place of a physical connection. After the code has expired a new NFC connection is required for a new code. If you don't own a YubiKey NEO some Android devices support OTG connectivity. The Yubico authenticator can give an additional layer of security as the key is required to generate the code, but if a user leaves the key permanently connected to a PC and leaves the PC unlocked, it offers no advantage. Personally I keep my Yubikey on my key ring on a retractable holder and use a short USB cable for easy connection. When I get up and leave my desk, my Yubikey comes with me.
KeePass has been my password store of choice for several years and it still is. Now KeePass is secured with my YubiKey for a little extra security. Many people over the years talk about online accounts being hacked, its even happened to me, now 2FA has been embraced by many of the most popular websites, it's time for us to embrace it as well. Push authentication works very well for many people but it's not so good when you don't have mobile reception or your battery is flat. If you're trying to authenticate to a site that uses Time based One-Time-Passwords via an app, a security key has the same limitation as it won't work when your battery is flat.
What a security key will do, is in one small and relatively inexpensive device allow us to reduce the chance of having a large majority of our online accounts compromised. This is not only good for individuals but also organisations given the way people like to share the same credentials across several if not all accounts, this can only be a good thing. For organisations, using security keys allows certificates to become the primary method of authentication. A certificate can be renewed automatically without user intervention, which ensures they are kept safe. Security keys are tamper proof so the private key is safe and the user certificates can be revoked in the same way they can under any PKI implementation.
An upgrade of authentication on your web application to support 2UF/WebAuthn reduces the chances of data breach, which again, can only be a good thing.