Photo by Yogi Purnama on Unsplash
On our way to make our accounts as secure as we possibly can, I will explain all the possibilities a Hardware token (Yubikey) can offer.
It can go from encrypting your e-mails to encrypting a USB Key content or unlocking your computer.
I know it is a long post, but I tried to make it as enjoyable and understandable to read as I can. So you can use that new device you just bought to its fullest.
If you read my last post about MFA and you made this leap of buying a hardware token, Yubico embedded a lot of features into their devices so why not try to use all of them?
I am streaming every Thursday at 9:00pm (UTC+2) on my Twitch channel about Security topics. 🖥️
Feel free to come and say hello 🙋🏼♂️, if Multi-factor Authenticator is of any interest to you or if reading that article brought some questions and you desperately need answers. 🤔
I'll be more than happy to answer.
Introduction
After a massive password breach on Yahoo!, I decided to reconsider my security on the Internet. Starting with my passwords.
I made some research, considered using a Password Manager and moved to KeepassXC.
After some research, I get to the point that a password, even a long enough chaotic password handled by a password manager, is not enough to really guarantee the security of my accounts.
That's why I decided to use MFA and bought a Yubikey.
At the beginning, I used the very basics capabilities of the Yubikey which is just a simple U2F token.
It is just the key to unlock the access to my account along with the password. Just a padlock that requires a pin code ("something you know") and a key ("something you own") to get unlocked.
But a Yubikey can offer a lot more that that.
In this article, I'll try to present all the possibilities that a Yubikey can offer to better secure a lot of your assets, to use your brand new Yubikey to its fullest.
The Yubikey as a U2F token
It is the most basic use and the most simple one to use.
You are using the basic capabilities of your Yubikey to connect to websites.
This website presents an exhaustive list of services that supports Multi-factor Authentication and the method supported, either hardware or software only or both and their limitations.
I used it a lot at the beginning to check if the websites I was using supports MFA. You can even ask them to support MFA through a tweet or a Facebook message with a click of a button.
Have a look at this website and check if the websites you are using allows Multi-factor Authentication.
The Yubikey to unlock your Windows Machine
Starting with Windows 10, Microsoft offers the possibility to unlock your computer with a lot a different methods, from a simple Pin code to your face and offers an API for third party to implement an unlock your machine mecanism.
Yubico took advantage of it and published an application to unlock your Windows 10 computer using a pre-register Yubikey.
You can download the application here from the Windows Store.
 |
 |
 |
 |
As you can see, you can register more than one Yubikey to unlock your computer. Which is a very good practice as I described in my generic article about Multi-factor Authentication.
There is also a page on the Yubico website that regroups all the tools you can use to register to basically any Windows accounts wether it is Local accounts, Azure AD accounts, Classic AD accounts. And even on Mac machines.
If you want to add a new possibility to unlock your Windows Machine, you can use your Yubikey. You just have to download the Windows Hello Yubikey application on the Microsoft Store and then set up your Yubikey as a Windows Hello method.
The Yubikey to Unlock your Mac Machine
Mac OS Sierra allows the use of smartcards to connect to your machine.
To use this feature, your Yubikey must have a certificate in it so that it can work as a smartcard. The Yubico PIV Manager will help you set up a Certificate in your Yubikey in a few steps.
 |
 |
You just install the application and then plug your Yubikey in and it will set it up.
You have to set up a Pin code from 6 to 8 characters. So you can replace a very complicated password (your Mac's session password) to a much more simple code but you will need something with you.
 |
 |
As soon as the Yubikey is set up, your Mac will ask you if you want to associate this Yubikey with your account.
 |
 |
Now, you can login to your Mac using your Yubikey. It is pretty straightforward.
On the new MacBook Pro, I think that TouchId is bettter than that but on all the "older" Mac, it is a really powerful method.
Use your Yubikey to Enforce your Password Manager Software
Dashlane or LastPass allows the use of a Security Key.
Yubikeys are perfectly integrated with Lastpass.
Here is a video that describes it :
Similarly, Dashlane supports Yubikeys.
Here is a video that describes it :
And Dashlane explains it on its website.
Store a PGP Key and Use It
A Yubikey can store a private key, so you can use this key within your Yubikey to encrypt your e-mails or do anything that you can do with a PGP Key. And there are a lot of possibilities.
What is PGP ?
PGP stands for "Pretty Good Privacy" and according to Wikipedia :
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
Sign your Git Commits
As PGP supports message authentication and integrity checking, you can use it to sign your Git commits.
To do that, you just have to create you Private/Public key pair, store the private key in the PGP Signature slot of the YubiKey.
gpg --edit-key 13AFCE85
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15 usage: SC
trust: ultimate validity: ultimate
sub 2048R/D7421CDF created: 2014-03-07 expires: 2014-06-15 usage: E
sub 2048R/B4000C55 created: 2014-03-07 expires: 2014-06-15 usage: A
[ultimate] (1). Foo Bar <foo@example.com>
gpg> toggle
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
ssb 2048R/D7421CDF created: 2014-03-07 expires: never
ssb 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> keytocard
Really move the primary key? (y/N) y
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
and then
gpg> key 1
sec 2048R/13AFCE85 created: 2014-03-07 expires: 2014-06-15
card-no: 0000 00000001
ssb* 2048R/D7421CDF created: 2014-03-07 expires: never
ssb 2048R/B4000C55 created: 2014-03-07 expires: never
(1) Foo Bar <foo@example.com>
gpg> keytocard
Signature key ....: 743A 2D58 688A 9E9E B4FC 493F 70D1 D7A8 13AF CE85
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
And you have your signature key in the Signature slot of your Yubikey. You're good to go.
To sign your commit, you can just have a look at that (great 😉) article about it on DEV.
Encrypt your E-mails
As PGP supports encryption, you can use it to encrypt strings. And what is better than an e-mail as a perfect target for encryption.
We just added a key to the Yubikey's Authentication slot to sign the Git commit.
To encrypt messages, we have to add a key to Yubikey's Encryption slot.
Let's do this following what we did above :
gpg> key 2
sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16
ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never
card-no: 0006 03036660
ssb* 2048R/A9057450 created: 2014-11-16 expires: never
(1) Trammell Hudson <hudson@trmm.net>
gpg> keytocard
Signature key ....: none
Encryption key....: D04F 94C6 EF86 C150 9486 3F5C 2695 8563 FAFF ECA6
Authentication key: none
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Now, you can use your favorite e-mail client that supports GPG to encrypt and/or sign your e-mails.
I am personnaly using Thunderbird with Enigma. But you can use Apple Mail with the GPGMail plugin.
Conclusion
For all these methods, it is important that you always have a spare method to connect to your account if you are losing your Yubikey.
You can use a spare Yubikey. That means that every time you set up a Yubikey on a service, you have to set up another one (the spare Yubikey) that you are going to save somewhere safe.
And if an attacker has access to the Yubikey (steals it), it can't extract any information from it. So the information saved on it are safe. It is a write only mechanism.
And if you forgot your Yubikey, you can always use another method to connect as on any service I am usnig, there is always another method to connect to the service. So you can use this other method if you set it up.
It is always a matter of compromise between easiness and security.
Thank you so much for reading it to this point. I hope you enjoyed reading it and learn something.
Leave me a message if you set up Multi-factor Authentication on one of your account. An then tried to use your Yubikey to something different than just 2nd-factor authentication.
That would mean a lot to me.
Video produced by Wild & Secure, your consulting firm to all things security and real estate.
If you want to receive weekly quality content about security, subscribe to our newsletter on our website.
Top comments (4)
@shostarsson old topic, but.. do you have any experience of storing AWS secret access key in yubikey? maybe you have any suggestions? ( to store it as "static" password it would not do, because this AWS secret key exceeds 38 characters , and no, as far as i know we cannot force AWS to shorten it ;{ )
Hello,
Indeed, you can use a Yubikey to store a password or more largely, a secret.
Nevertheless, you should use the AWS Keyvault if you want to store a secret on AWS.
Moreover, it is much more secure as you can use a secret and never know what it is, because only AWS knows it. And it can be rotated automatically by AWS.
Nevertheless, the Yubikey can be considered as a Secure Element. So you can store your secret in one of its Secure Element (Yubikey as 2 Secure Elements available).
Cheers
Well Password is not enough. I hope banks would adopt changing their MFA's from just SMS/Email to verified physical security keys
That would be great indeed.
But I think that one the most important thing to secure is you're e-mail account as any other service you are registering to is related to that and can be reset through it.