TechSpot

Using a U2F Key to Secure Your Google, Dropbox, and GitHub Accounts

By dkpope
Sep 27, 2016
Post New Reply
  1. Last week we discussed the basics of two-factor authentication (2FA) and why it's a good idea to take advantage of it. If you haven't read the article, I recommend you do, after which you'll likely get used to the idea of having 2FA on some of your accounts.

    Just yesterday I had to go into Google Authenticator for a code and when I logged into my GitHub account from my husband's laptop, I needed to enter the code I got by text. But there is another way, and it's a tiny FIDO U2F security key that I've now put on my keychain.

    The FIDO U2F Key is less than $20 on Amazon. The key came in a tiny envelope that at first I didn't even see in the Amazon box (it can't be more than 2 x 2 inches.) You need to set it up using the manufacturer's website, in this case Yubico, to try the security key.

    Read the complete article.

     
  2. Fabio Turati

    Fabio Turati TS Rookie Posts: 21   +10

    I don't think Yubikeys are a good idea. Yes, they are secure, no doubt. But what happens if you lose it, or if it gets stolen? Sure, you can buy a second one in advance (very important: in advance. Otherwise you are lost!) and store it in a safe place (a safe at home, or at your bank?). Still, it's a "dangerous" second factor, because if you lose it you are doomed.

    2FA should be used for those systems where you have other means of verifying your identity and thus you can get a replacement. My bank uses Vasco tokens. I thought I was taking care of it properly... And then, one month ago I lost it. Well, I called my bank, told them to block it (not really needed, as the other factor - my password - was still safe), and got a new one. Problem solved. The reason I can do it is that my bank knows me and accepts documents as a form of identification, and I can't lose that (at least not forever: you can always get a new one).

    Likewise, SMS codes might not be great security-wise, but if you lose your phone and Sim card, you can walk into a shop with your passport, prove that you are you, and get a new Sim card with the same number, so you can have a code sent to that number and you are not locked out of everything.

    But with Yubikey? You need to buy 2, you need to store the second one in a safe way, and there's still the theoretical risk to lose it if something goes really wrong (a thief that manages to open your safe - maybe you open it yourself, at gunpoint?). Yubikeys are not for me, and I think they are not for 99% of the users either. If you are really concerned by security and are willing to think about a disaster recovery plan so that you don't lock yourself out of everything, go ahead. Otherwise... Don't. There are other ways, which are indeed less secure, but at the same time less dangerous.

    And Techspot, please, PLEASE at least mention this problem. In your articles you haven't written a single word about what happens if you lose your physical key, but this is a serious risk and should be explained. Thank you!
     
    GreenNova343 and stewi0001 like this.
  3. stewi0001

    stewi0001 TS Evangelist Posts: 1,181   +528

    Well you beat me too it. I completely agree about the concern about if you lose it.
     
  4. theruck

    theruck TS Booster Posts: 104   +20

    Another thing is, why would I want to lock only specific services with this key? my computer is full of confidental data so I would like to use it either to lock up the whole computer. or nothing.
     
    wiyosaya likes this.
  5. Uncle Al

    Uncle Al TS Evangelist Posts: 1,663   +775

    Surely they would have a method of deleting or deactivating that particular key once you notify them?!?!?! It's a similar system used on all the DOE Nuclear Sites and they are administered locally so anything lost can be quickly shut down. I certainly understand the concern, but over all it's a pretty good concept.

    My bigger concern would be if a well versed hacker were to get into your system, could they steal the coded string and simply duplicate it? That would be my own personal fear ......
     
    wiyosaya likes this.
  6. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,508   +498

    If you don't have your backup +1, you are doing it wrong.
     
  7. Julio Franco

    Julio Franco TechSpot Editor Posts: 7,058   +645

    Regarding some of the comments above, I've included a brief update on the article as follows:

    Some of our readers have showed concern if you were to lose your Yubikey. One valid recommendation is to buy two Yubikeys, keeping the second as backup on a safe place. Note however that services that offer two-factor authentication using Yubikey also have recovery mechanisms so that you shouldn't be locked out completely if this were to happen.
     
    Kibaruk likes this.
  8. 2Thirty9

    2Thirty9 TS Rookie

    For back up, these services offer multiple ways to get back into your accounts should you not have your YubiKey. Obviously, the best practice is as mentioned, have a back up YubiKey - same as you most likely having a back up house or car key. For example with Google, if you do only have a single YubiKey and do not have it with you, you initially have to set up either SMS or Google Authenticator for your 2FA option - this then becomes your back up way to get in to your account when asked to authenticate (should you not have your key). Secondly, with these services in the security settings you are able to get 10 or so back up codes that you can enter to get access to your account (keep these in a safe place) - this would be if you didn't have your phone or YubiKey. So, options are in place to always be able to access your account.
     
  9. Godel

    Godel TS Rookie Posts: 21

    How does having two YubiKeys work as a backup? Do you have both registered on all your accounts at once?
     
  10. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,508   +498

    That's like asking how you can have 2 different key sets for your house.
     
  11. Godel

    Godel TS Rookie Posts: 21

    My house keys don't use encryption or one time codes, although looking at Wikipedia it looks like other authentication methods are possible.
     
  12. batsdude

    batsdude TS Member Posts: 52   +16

    My concern besides ever losing it, or it getting damaged is Google. They're notorious for ignoring the privacy of data for their collection to resell. Just what can they do with these since they are part developer? They already believe that your privacy is their business!
     
  13. Lou Westin

    Lou Westin TS Rookie

    To those who are worried about losing thier key, you can log into your account and deactivate it.

    Of course you should have a backup option such as an extra key, SMS text, Google Authenticator app, a scratch code, or all of these options so you can easily do this.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...