Using a U2F Key to Secure Your Google, Dropbox, and GitHub Accounts

dkpope

Staff

Last week we discussed the basics of two-factor authentication (2FA) and why it's a good idea to take advantage of it. If you haven't read the article, I recommend you do, after which you'll likely get used to the idea of having 2FA on some of your accounts.

Just yesterday I had to go into Google Authenticator for a code and when I logged into my GitHub account from my husband's laptop, I needed to enter the code I got by text. But there is another way, and it's a tiny FIDO U2F security key that I've now put on my keychain.

The FIDO U2F Key is less than $20 on Amazon. The key came in a tiny envelope that at first I didn't even see in the Amazon box (it can't be more than 2 x 2 inches). You need to set it up using the manufacturer's website, in this case Yubico, to try the security key.

Read the complete article.

 
I don't think Yubikeys are a good idea. Yes, they are secure, no doubt. But what happens if you lose it, or if it gets stolen? Sure, you can buy a second one in advance (very important: in advance. Otherwise you are lost!) and store it in a safe place (a safe at home, or at your bank?). Still, it's a "dangerous" second factor, because if you lose it you are doomed.

2FA should be used for those systems where you have other means of verifying your identity and thus you can get a replacement. My bank uses Vasco tokens. I thought I was taking care of it properly... And then, one month ago I lost it. Well, I called my bank, told them to block it (not really needed, as the other factor - my password - was still safe), and got a new one. Problem solved. The reason I can do it is that my bank knows me and accepts documents as a form of identification, and I can't lose that (at least not forever: you can always get a new one).

Likewise, SMS codes might not be great security-wise, but if you lose your phone and Sim card, you can walk into a shop with your passport, prove that you are you, and get a new Sim card with the same number, so you can have a code sent to that number and you are not locked out of everything.

But with Yubikey? You need to buy 2, you need to store the second one in a safe way, and there's still the theoretical risk to lose it if something goes really wrong (a thief that manages to open your safe - maybe you open it yourself, at gunpoint?). Yubikeys are not for me, and I think they are not for 99% of the users either. If you are really concerned by security and are willing to think about a disaster recovery plan so that you don't lock yourself out of everything, go ahead. Otherwise... Don't. There are other ways, which are indeed less secure, but at the same time less dangerous.

And Techspot, please, PLEASE at least mention this problem. In your articles you haven't written a single word about what happens if you lose your physical key, but this is a serious risk and should be explained. Thank you!
 
I don't think Yubikeys are a good idea. Yes, they are secure, no doubt. But what happens if you lose it, or if it gets stolen? Sure, you can buy a second one in advance (very important: in advance. Otherwise you are lost!) and store it in a safe place (a safe at home, or at your bank?). Still, it's a "dangerous" second factor, because if you lose it you are doomed...

Well, you beat me to it. I completely agree with the concern about losing it.
 
Another thing is, why would I want to lock only specific services with this key? My computer is full of confidential data, so I would like to use it either to lock up the whole computer, or nothing.
 
Surely they would have a method of deleting or deactivating that particular key once you notify them?! It's a similar system used on all the DOE Nuclear Sites and they are administered locally so anything lost can be quickly shut down. I certainly understand the concern, but overall it's a pretty good concept.

My bigger concern would be if a well-versed hacker were to get into your system, could they steal the coded string and simply duplicate it? That would be my own personal fear...
 
I don't think Yubikeys are a good idea. Yes, they are secure, no doubt. But what happens if you lose it, or if it gets stolen? Sure, you can buy a second one in advance (very important: in advance. Otherwise you are lost!) and store it in a safe place (a safe at home, or at your bank?). Still, it's a "dangerous" second factor, because if you lose it you are doomed.
Some devices and browsers (any browser but Chrome, actually) don't support security keys, so in those cases you can still use SMS verification or another two-step verification method you’ve configured in your XXXX account security settings.
If you don't have your backup +1, you are doing it wrong.
 
Regarding some of the comments above, I've included a brief update on the article as follows:

Some of our readers have shown concern about what happens if you were to lose your Yubikey. One valid recommendation is to buy two Yubikeys, keeping the second as a backup in a safe place. Note however that services that offer two-factor authentication using Yubikey also have recovery mechanisms, so you shouldn't be locked out completely if this were to happen.
 
I don't think Yubikeys are a good idea. Yes, they are secure, no doubt. But what happens if you lose it, or if it gets stolen? Sure, you can buy a second one in advance (very important: in advance. Otherwise you are lost!) and store it in a safe place (a safe at home, or at your bank?). Still, it's a "dangerous" second factor, because if you lose it you are doomed.

2FA should be used for those systems where you have other means of verifying your identity and thus you can get a replacement. My bank uses Vasco tokens. I thought I was taking care of it properly... And then, one month ago I lost it. Well, I called my bank, told them to block it (not really needed, as the other factor - my password - was still safe), and got a new one. Problem solved. The reason I can do it is that my bank knows me and accepts documents as a form of identification, and I can't lose that (at least not forever: you can always get a new one).

Likewise, SMS codes might not be great security-wise, but if you lose your phone and Sim card, you can walk into a shop with your passport, prove that you are you, and get a new Sim card with the same number, so you can have a code sent to that number and you are not locked out of everything.

But with Yubikey? You need to buy 2, you need to store the second one in a safe way, and there's still the theoretical risk to lose it if something goes really wrong (a thief that manages to open your safe - maybe you open it yourself, at gunpoint?). Yubikeys are not for me, and I think they are not for 99% of the users either. If you are really concerned by security and are willing to think about a disaster recovery plan so that you don't lock yourself out of everything, go ahead. Otherwise... Don't. There are other ways, which are indeed less secure, but at the same time less dangerous.

And Techspot, please, PLEASE at least mention this problem. In your articles you haven't written a single word about what happens if you lose your physical key, but this is a serious risk and should be explained. Thank you!

For backup, these services offer multiple ways to get back into your accounts should you not have your YubiKey. Obviously, the best practice is, as mentioned, to have a backup YubiKey, the same as you most likely have a backup house or car key. For example with Google, if you do only have a single YubiKey and do not have it with you, you initially have to set up either SMS or Google Authenticator for your 2FA option; this then becomes your backup way to get into your account when asked to authenticate (should you not have your key). Secondly, with these services in the security settings you are able to get 10 or so backup codes that you can enter to get access to your account (keep these in a safe place); this would be if you didn't have your phone or YubiKey. So, options are in place to always be able to access your account.
 
How does having two YubiKeys work as a backup? Do you have both registered on all your accounts at once?
 
My concern besides ever losing it, or it getting damaged is Google. They're notorious for ignoring the privacy of data for their collection to resell. Just what can they do with these since they are part developer? They already believe that your privacy is their business!
 
To those who are worried about losing their key, you can log into your account and deactivate it.

Of course you should have a backup option such as an extra key, SMS text, Google Authenticator app, a scratch code, or all of these options so you can easily do this.
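To show how the backup options described in the thread fit together on the service side (several keys registered on one account at once, deactivating a lost key, single-use backup codes, and the signature counter that a relying party uses to notice a duplicated key), here is a constructed model of an account's credential bookkeeping. It is an added example, not code from TechSpot, Yubico, or any of the services named above; an HMAC with a per-registration secret stands in for the real ECDSA key pair and signature, and the names `Account`, `register_key`, `authenticate` and `issue_backup_codes` are invented for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed relying-party model. A real U2F key signs with a per-site ECDSA
# private key it never exports; HMAC is used here only to keep the example
# self-contained. The account bookkeeping around the signature is the point.

class Account:
    def __init__(self):
        self.keys = {}             # key_handle -> {"secret": bytes, "counter": int}
        self.backup_codes = set()  # sha256 digests of unused one-time codes

def register_key(acct, key_handle, secret):
    """Register a key; an account may hold several (primary plus backup)."""
    acct.keys[key_handle] = {"secret": secret, "counter": 0}

def revoke_key(acct, key_handle):
    """Deactivate a lost key; the other keys and backup codes stay valid."""
    acct.keys.pop(key_handle, None)

def sign(secret, challenge, counter):
    # Token side: the signature covers the challenge and the token's own
    # monotonically increasing usage counter.
    msg = challenge + counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()

def authenticate(acct, key_handle, challenge, counter, sig):
    """Accept a valid signature only if its counter is above the last one seen."""
    rec = acct.keys.get(key_handle)
    if rec is None:
        return False                      # unknown or revoked key
    expected = sign(rec["secret"], challenge, counter)
    if not hmac.compare_digest(expected, sig):
        return False
    if counter <= rec["counter"]:
        return False                      # replay, or a copy of the key that lags behind
    rec["counter"] = counter
    return True

def issue_backup_codes(acct, n=10):
    """Generate n one-time codes; only their hashes are kept server-side."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    acct.backup_codes = {hashlib.sha256(c.encode()).digest() for c in codes}
    return codes                          # shown to the user once, then stored safely

def use_backup_code(acct, code):
    """Each backup code works exactly once."""
    h = hashlib.sha256(code.encode()).digest()
    if h in acct.backup_codes:
        acct.backup_codes.remove(h)
        return True
    return False
```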
 