Breaking Down the Flavors of Two-Factor

Mike Sager
10 min read, Nov 21, 2018


[Image: Google state-sponsored attack warning]

UPDATE NOVEMBER 2020: Changed recommended key language to reflect new products from Yubico and Google.

UPDATE MAY 2019: Added link to new version of Feitian Multipass.

Two-Factor Authentication (2FA) is one of the most important security tools you can use to protect your accounts online. It adds an important safeguard against account compromise, and, when configured correctly with the right tools, can keep most malicious actors out of your accounts. Phishing and account compromise affect all users, regardless of their sophistication and knowledge of the subject. As such, every user should implement the best defenses available; there’s no such thing as someone who’s too smart to fall for a phishing attack.

Every user needs to figure out what their particular needs are. I feel pretty strongly that all users should be moving to U2F security keys, because as of this writing they’re functionally unphishable (more on that below). Since everyone will fall for a phish at some point, a second factor that cannot be phished is the only way to be sure the account stays protected when that happens. However, for some there are cost and technological barriers to using them, and not all services currently support security keys for 2FA.

What are Security Keys and How do They Work?

Security keys are (mostly) USB devices that plug into your computer and act as a second factor for authentication. They look like a USB drive, but they aren’t one and don’t work the same way. Recent operating systems (Windows 10, recent versions of macOS) already work with these keys; some older systems or browsers may need a driver or a setting enabled.

Keys are registered with the site that supports them. A good analogy would be if you programmed the lock on your front door to recognize a single key on your keychain that was unique, instead of having a locksmith change the lock mechanism to match the key. That way, you could have many different doors open with the same key.

Keys work by signing a challenge from the site you’re logging in to. The browser tells the key which site (origin) it is actually on, and the key answers with a credential that was registered for that origin only, so a key presented to the wrong site produces nothing the right site will accept. As of this writing this cannot be spoofed if you’re not connected to the right site. There is a more technical explanation of how it works here: https://fastmail.blog/2016/07/23/how-u2f-security-keys-work/

Why are Security Keys better than an Authenticator App?

The great thing about keys is that right now, nobody has figured out how to bypass them or phish them. Right key, wrong site? Won’t work. This is different from form entries for one-time passwords (OTP), the 6-digit codes you get from apps like Google Authenticator or receive over text message. A user, even a very sophisticated one, can still be tricked into typing an OTP into a phishing page, whether it was generated by Google Authenticator or by a hardware token like an RSA SecurID; the code itself carries nothing that ties it to the real site.
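To make the "right key, wrong site" point concrete, here is an added example (not code from the original post, from Yubico, or from any browser vendor) that models the registration and login flow described in the two sections above. It is simplified: real U2F signs with an ECDSA P-256 key pair, and here an HMAC-SHA256 key stands in so the example runs on the Python standard library alone (which means the relying party holds the same key it verifies with). The origins, challenges and device secret are all constructed for the demo. The part that matters is structural: the browser, not the user, fills in the origin, the key derives a different credential for every origin, and the site checks the origin, the challenge and the signature it receives.

```python
"""Simplified model of U2F origin binding (added example; HMAC stands in
for ECDSA so it runs with the standard library only)."""
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://accounts.example.com"      # constructed
PHISH_ORIGIN = "https://accounts-example.com.co"  # constructed look-alike


def app_param(origin: str) -> bytes:
    """U2F 'application parameter': SHA-256 of the app ID (here, the origin)."""
    return hashlib.sha256(origin.encode()).digest()


class SecurityKey:
    """The hardware token. It never sees the origin as text, only the 32-byte
    application parameter the *browser* derives from the page it is really on."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.counter = 0

    def _key_for(self, app_p: bytes, key_handle: bytes) -> bytes:
        # One key per (origin, registration): different origin, different key.
        return hmac.new(self._master, app_p + key_handle, hashlib.sha256).digest()

    def register(self, app_p: bytes):
        key_handle = os.urandom(16)
        return key_handle, self._key_for(app_p, key_handle)

    def authenticate(self, app_p: bytes, key_handle: bytes, client_data_hash: bytes):
        self.counter += 1
        signed = app_p + b"\x01" + struct.pack(">I", self.counter) + client_data_hash
        sig = hmac.new(self._key_for(app_p, key_handle), signed, hashlib.sha256).digest()
        return self.counter, sig


def browser_get_assertion(key: SecurityKey, origin: str, challenge: str, key_handle: bytes):
    """The browser fills in the origin it is on; the user cannot 'type the wrong
    origin' the way they can type an OTP into a phishing form."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    counter, sig = key.authenticate(app_param(origin), key_handle,
                                    hashlib.sha256(client_data).digest())
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}    # user -> {"handle", "key", "counter"}
        self.pending = {}  # user -> outstanding challenge

    def register(self, user: str, key: SecurityKey) -> bytes:
        handle, verify_key = key.register(app_param(self.origin))
        self.users[user] = {"handle": handle, "key": verify_key, "counter": 0}
        return handle

    def challenge(self, user: str) -> str:
        self.pending[user] = os.urandom(16).hex()
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        rec = self.users[user]
        cd = json.loads(client_data)
        if cd.get("challenge") != self.pending.pop(user, None):
            return False                      # unknown or replayed challenge
        if cd.get("origin") != self.origin:
            return False                      # browser was on some other site
        signed = (app_param(self.origin) + b"\x01" + struct.pack(">I", counter)
                  + hashlib.sha256(client_data).digest())
        expected = hmac.new(rec["key"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False                      # signed with another origin's key
        if counter <= rec["counter"]:
            return False                      # counter must rise: cloned key?
        rec["counter"] = counter
        return True


def demo() -> dict:
    key = SecurityKey(os.urandom(32))
    rp = RelyingParty(REAL_ORIGIN)
    handle = rp.register("alice", key)

    # 1. Legitimate login from the real origin.
    legit = browser_get_assertion(key, REAL_ORIGIN, rp.challenge("alice"), handle)
    ok_legit = rp.verify("alice", *legit)

    # 2. Phishing: attacker relays the real challenge to a look-alike page,
    #    the victim touches the key, the attacker forwards the assertion.
    cd, ctr, sig = browser_get_assertion(key, PHISH_ORIGIN, rp.challenge("alice"), handle)
    ok_phish = rp.verify("alice", cd, ctr, sig)

    # 3. Same, but the attacker rewrites the origin in clientData before
    #    forwarding; the signature no longer covers what the site hashes.
    cd, ctr, sig = browser_get_assertion(key, PHISH_ORIGIN, rp.challenge("alice"), handle)
    forged = json.loads(cd)
    forged["origin"] = REAL_ORIGIN
    ok_rewrite = rp.verify("alice", json.dumps(forged, sort_keys=True).encode(), ctr, sig)

    # 4. Replay of the good assertion from step 1.
    ok_replay = rp.verify("alice", *legit)
    return {"legit": ok_legit, "phish": ok_phish,
            "rewritten_origin": ok_rewrite, "replay": ok_replay}


if __name__ == "__main__":
    print(demo())
```

Only the first login succeeds; the relayed phishing assertion, the origin-rewritten one, and the replay are all rejected. Compare that with an OTP flow, where the 6-digit code the victim types on the phishing page is exactly what the attacker needs to type on the real one.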

To be clear, authenticator apps with OTP are still SUBSTANTIALLY more secure than not having two-factor at all, and SUBSTANTIALLY more secure than a text-message based solution. For users who can’t use keys because of corporate IT policies (which have yet to catch up), cost, or because their main systems don’t yet support them, an authenticator app is absolutely the right choice.

Push authenticator apps have some resistance to in-browser phishing, since there is no code for the user to type into a fake page, and they can’t be intercepted the way a text message can under a SIM swap. But they have user-experience weaknesses I go into in more depth below. Used correctly they are secure, but they give the user a lot of power to accidentally grant someone else access.

What sites work with Security Keys?

Security keys are a new technology, and many sites and services don’t work with them yet. For those sites that don’t support security keys, you should use the authenticator app options if possible, and text message if there’s no other two-factor choice (more on that below).

A full listing of sites is here: https://www.yubico.com/works-with-yubikey/catalog/

As of November 2018, here are some major sites that work with U2F Security Keys:

Google Accounts (GMail, GSuite)
Facebook
Dropbox
Amazon Web Services (Root Account and IAM)
Twitter
GitHub
BitBucket
Dashlane
Keeper
Okta
Duo

In addition to the sites above that support the U2F standard, Yubico brand YubiKeys also work with the sites below, using Yubico-specific modes rather than U2F. Because these sites don’t currently support the U2F standard, the Feitian and Google keys will not work with them.

LastPass
1Password
Citrix
Drupal
Joomla
Wordpress

Microsoft has implemented FIDO2 support for computer login on Windows 10 devices using Windows Hello. I also expect them to expand security key support to email and Office 365 soon.

Which keys should I get?

UPDATE NOVEMBER 2020:

Picking the right key is much easier now. With iOS now supporting 2-way NFC for security keys, it’s much easier to use most keys on the market no matter what kind of phone or device you have. If you use LastPass, you still need to use a Yubico brand Yubikey to secure your account with a security key, but other than that limitation, any FIDO Security Key will work with most services.

IF YOU ARE AN iOS USER WITH A COMPUTER WITH USB-C: Yubikey 5Ci. https://www.yubico.com/product/yubikey-5ci/ (Works with iPhone, iPad of all generations, and USB-C ports on computers. No NFC).

IF YOU ARE AN ANDROID USER WITH A COMPUTER WITH USB-C: Yubikey 5C NFC. https://www.yubico.com/product/yubikey-5c-nfc/ (Will also work with iPhones, newer iPads, and USB-C ports on computers.)

IF YOU HAVE A COMPUTER WITH USB-A AND DON’T NEED TO LOG IN TO AN iPAD WITH JUST THE KEY: https://www.yubico.com/product/yubikey-5-nfc/

The Google Titan keys are just as secure, but have less form factor options than the Yubico products. With the new version of iOS, you no longer need Bluetooth security keys to authenticate, which makes the process much easier.

ORIGINAL TEXT BELOW:

Picking the right keys is still a bit more complicated than it should be, and it mostly depends on which tools you’re using and which phone you have. As of this writing, there is not one key that works perfectly for every scenario.

Currently (November 2018), LastPass doesn’t support U2F but does support YubiKey. iOS doesn’t support NFC U2F, but does work with the YubiKey 5 and YubiKey NEO in OTP mode for LastPass. Newer Macs are USB-C only, which adds complication to the decision.

If you are using iOS or Android, Google, and LastPass, and have a USB-A device or are OK with using an adapter on your USB-C computer:

YubiKey5: https://www.yubico.com/product/yubikey-5-nfc/#yubikey-5-nfc

Feitian Multipass FIDO: https://shop.ftsafe.us/collections/fido/products/k16

If you are using iOS or Android, Google, but NOT LastPass, and have a USB-A device or are OK with using an adapter on your USB-C computer:

Feitian NFC FIDO: https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B01M1R5LRD/

Feitian Multipass FIDO: https://shop.ftsafe.us/collections/fido/products/k16

If you are using iOS or Android, Google, and have a USB-C computer:

YubiKey 5C: https://www.yubico.com/product/yubikey-5c/#yubikey-5c (Not currently available on Amazon)

Feitian Multipass FIDO: https://shop.ftsafe.us/collections/fido/products/k16

You will have to use Google Authenticator or also buy a YubiKey Neo if you use LastPass in this configuration.

The Google Titan set is now available. They are functionally identical to the Feitian NFC FIDO and Feitian Multipass FIDO, though the chips are Google manufactured. They include a USB-A to USB-C adapter. You can pick them up here: https://store.google.com/product/titan_security_key_kit

How Many Keys Do I Need?

You need at least two keys: one primary, and one secondary you store in a separate place. Below I describe how I carry my primary key with me, but that’s not necessarily a requirement depending on your use case.

Note that you do not need to buy separate keys for each site: each key works with many sites (though not every key protocol works with every site, as outlined above). While it’s not a best practice, you can share your backup key with someone else if you wish. Do be aware that whoever holds that key holds a second factor for your accounts. But if you want to save a small bit of money, a family could share one key for backups while each individual has their own primary key.

Do I need to keep my security keys with me at all times?

It depends on the service, but generally no. With most services, once you use the key on a device, you stay authenticated until you log out or clear your browser data, or until a remember-this-device period (often around 30 days) expires. Some services require you to authenticate more frequently, but that is rare.

I carry my main USB key with me on my keychain, but I leave the rest of my keys locked in a safe place I can access if I need them.

I can’t use a Security Key; What can I do instead?

If you don’t go with security keys, it’s still vitally important to move to app-based authentication instead of text messages. Text messages can be intercepted, and your phone number can be moved to an attacker’s SIM (a SIM swap). While texts are better than nothing at all, it is imperative that you add a more secure second factor to your accounts and remove the cellphone backup; more on that below.

Google Authenticator is available from the Apple App Store and the Google Play Store. During setup you scan a QR code containing a shared secret key, and from then on the app generates a 6-digit one-time password that changes every 30 seconds (the TOTP scheme). The secret is stored only on the server and on your phone; both sides compute the expected code from the secret and the current time, so the codes match as long as the two clocks agree (if your phone’s clock is off, the codes won’t work).

Authenticator on the Apple App Store:

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

Authenticator on Google Play Store:

Should I use the text message backup?

If you can avoid it while using a more robust two-factor option, do not enable the text message backup. Your security is only as good as the weakest link. When you enable text message backup, it just means that a malicious actor will use the weak mechanism instead of your strong one. Text message backup is the Ardennes Forest; if you leave it undefended, your enemy will waltz right through, ignoring your fortifications. Some sites require you to keep a text message backup, and on some sites text message is the only two-factor option. More on that below.

What about the Google Prompt/Duo Prompt/Push based Two-Factor?

I feel fairly strongly that two-factor prompts not initiated by the user are inherently insecure. My reasoning comes from my background designing software products.

With prompt-based two-factor, you “train” the user to hit yes when they see the prompt. Most users start reacting to the prompt without thinking, because it becomes part of their workflow. There is generally an inherent “trust” in the machine, so when a prompt arrives from a malicious login attempt, every prior use of the app has taught the user a behavior that is exactly wrong at that moment. While these prompts are unlikely to be intercepted, this creates a bad user experience and with it a bad security outcome. A user who enters credentials on a phishing site and immediately gets a two-factor prompt is likely to approve it, because they don’t yet realize they’ve been phished.

What happens if I lose my key or my device and I don’t have text message backup?

Well, that depends. First, it’s important to remember these keys are a lot like your house keys. They’re about the same size, and if you lose those you’re in a bit of a pickle too. Your risk is about the same; and if you frequently lose your house keys or always keep your doors unlocked, that’s a separate conversation to have with yourself.

Many services don’t do two-factor resets at all. If you’re locked out, you’re out. This is especially the case with password managers and other tools that handle hypersensitive data. What they will do is let you generate backup codes, which you can print and store in a safe place.

Google Advanced Protection on GMail takes a different tack. If you are locked out, it holds the account for 72 hours and notifies every device you’ve connected that someone is trying to reset access. That way you can still get back into your email, but it’s a slog, which will deter most criminals and give you the opportunity to intervene if someone manages to steal a credential from you.

I’m on a site where text message is the only two-factor option, or I have to enter a backup phone number to use two-factor. Should I still do it?

Yes, but I’d recommend an extra step. Set up a Google Voice number connected to a Google account that has Advanced Protection enabled. This won’t protect you from someone intercepting the unencrypted text in transit, or from the code being phished, but it will protect you against a SIM swap if you use the Google Voice app and don’t forward the texts to your regular number. That way, even if someone does steal your phone number, your online accounts are still somewhat protected.

OK, I have my security keys. Where do I go to enable them, and what settings should I use for maximum security?

Mazel Tov! I’m going to link to the setup pages of some popular sites below that support security keys, and where appropriate will recommend settings. This is all up to date as of November 2018.

GMail: Turn on Advanced Protection: http://landing.google.com/advancedprotection

GSuite (User): https://myaccount.google.com/u/0/security (make sure you switch to the account you specifically want to configure the key for, which may change the 0 in the URL above to another value). Select “2-Step Verification”. I strongly recommend disabling the text message backup and the other weaker options if you are switching to keys.

GSuite (Administrators): This guide from Google walks through configuring your GSuite domain to have features that match Advanced Protection. At present it’s not as straightforward as the consumer product, but it’s still easy to configure. https://docs.google.com/document/d/1dSDkcfMFtpXAfmDKkpLrPc2uYNoonY9v61CZluoDhLE/preview

Facebook: https://www.facebook.com/security/2fac/settings/

Mike Sager

Chief Technology Officer, EMILY's List. Married to @StephanieWDC. Dogfather of Henry the Westie. Opinions only mine.