Centralized Identity as a Boon and Blockage

Bryan Bennett
GT Usable Privacy and Security Course
Feb 14, 2019

As someone who works in security and is interested in end-user experience, I’ve been extremely vocal about my usage of a Yubikey. “Sure,” I’d say, “the introductory experience isn’t exactly great, but they’re the only current way to ensure that your second factor is actually with you at any point.” Generally, I’d been accepting of the criticisms aimed at the problems with using public key cryptography to manage identity on the key (as well as the fact that the revision of the key I purchased in 2017 only holds a 2048-bit RSA key, which is not as secure as I would like these days). I was overall dismissive of the criticisms of the form factor. “How likely are you to lose your keys?” I thought.

Until I thought I lost my keys.

As my wife and I were leaving a function she had been gracious enough to drive me to, I realized that my keys were not in my pocket. Thinking back, I wasn’t sure when I had last held them in my hands (aside from a dozen or so hours before, as I drove myself to the train station). This wasn’t good. Had I left them in class? Had I dropped them on the way to or from campus? Were they simply on my desk? I had literally no clue.

Mind you — losing my keys is not a huge deal. We can change the locks at the house easily; I have a backup car key; my office was unlocked, and requesting a re-key for it would be trivial. I was not worried about the physical keys in the slightest. I was, however, having a mild panic attack about the digital keys housed on my Yubikey.

The Yubikey stores quite literally every bit of my digital life. It unlocks my password store. It houses my GPG identity. It’s my second factor for logging into both work and Georgia Tech’s systems (as well as GitHub, Gmail, and a few other sites). I had the sudden realization that if I lose this key, there’s absolutely no going back. I will have to revoke my GPG key (using a CD stored securely in a safe at my job), which will invalidate my password store and my SSH key. While some of the mentioned websites will fail over to my phone, I don’t have another second factor for a few others. The entirety of my digital self is keyed on this device.

The convenience that I once praised now turned into — quite literally — abject terror. I could reasonably rely on the security of the device to deter anyone with the technical know-how from blindly guessing my PIN (the Yubikey Neo locks itself down after three failed login attempts). I knew that. I had deeply considered the problems of theft, but I had not yet fully considered the ramifications of simple loss.

They were scary.

Thankfully, the Yubikey was sitting safe and sound on my desk at work. I retrieved it without incident the next morning. However, I got to thinking. I have essentially requested the context collapse that has occurred with this device. I prefer it, honestly. I feel that who I am at work and who I am personally are one and the same and I don’t mind that my GPG key follows me around between both locations. When buying and setting up the Yubikey, I didn’t consider the “key to the castle” problem deeply enough. Nor did I consider how tightly I would need to watch my physical key once I’d come to rely upon it.

By giving myself one identity and one key to that identity, I have drastically increased the importance of a single device. Sure, there are numerous different algorithms surrounding my daily use of this key — but that naive viewpoint doesn’t take into account that by giving attackers only one entry point into your identity, you also give yourself, the identity’s owner, only one entry point into your own identity.

This mindset invites questions about the validity of centralized identity-management processes and tools. Single Sign-On providers (Facebook and Google are two of the large ones now) make it simple to centralize your identity around one online persona, but doing so also makes it theoretically simpler to compromise that identity. By compromising one social media account, an attacker can effectively cripple a person’s access to the rest of their online identity, simply by changing their Facebook password.

The very same things that make a Yubikey difficult for attackers to get hold of and hack are the things that make keeping one with you painful. A physical token is, as I experienced, easy to misplace. Even simple theft or destruction of the token can cause a huge upheaval in the user’s digital life — an IRL DoS attack.

I still believe in mine. I still believe that physical second factors are the future.

But I might go ahead and make a backup copy of that revocation certificate. Just to have one at work… and one at home.

Just to be safe…
