Finally I can Forget My Password! YubiKey!

DecenTalk
Published in DecenTalk
13 min read, Jun 14, 2019

In the beginning there were passwords. Security! Security! YubiKey! At last I can forget my password. WebAuthn and Yubico are two examples of products that have changed the way we authenticate, sign, and log in. For me, this is amazing and about time! I have been complaining about passwords for years. It is almost impossible for me to think of one, and once I have a strong password, I forget it and/or have to make up yet another one for the same account or for another Application (App). Then I forget that one too and have to make up a new one. This tiresome process occurs again and again. I was wondering when some Tech Geek would figure out how to make something secure without making us sign up for yet another account with a new password. Thank you and Bravo to everyone who contributed to this. I am personally grateful to all of you. Well, at least for the duration of this introduction.

There is also a new problem to solve! While WebAuthn and Yubico solve a portion of the internet authentication and security issues, they were not made for the new technological breakthrough, cryptocurrency. Enter BlockOne. BlockOne is working on a blockchain-friendly YubiKey: a new, experimental YubiKey that should work for both internet and blockchain systems.

Disclaimer: This is not financial or legal advice, and no product, mentioned or not, is endorsed by this article. This article serves to vent my frustrations and hopes for a “no password secure login solution” for Apps and devices alike, but for the reader, which is more important, it serves as an introduction to the YubiKey as a concept. What is a YubiKey, how does it work, what are the pros and cons, and can it solve the username and password login problem?

Secure Authentication Without Passwords

So what exactly is a YubiKey? It can be thought of as a hardware Private Key, or a type of Cold Storage Wallet, for the standard internet. This hardware device looks similar to, but is way slimmer than, a USB stick and plugs straight into the computer. So, a USB stick on a good weight loss program LOL. I guess there is still a call for slimmer to be better LOL.

When you open a site that needs authentication, you are prompted to plug in and/or activate the YubiKey. You then insert and, where applicable, tap your YubiKey in order to activate it.

Spoiler Alert! This is on top of using a password, not instead of it. In other words, you still need a username and password after all :(. This type of authentication is very secure and has not been hacked, according to Yubico, the company that produces YubiKeys.

How Does YubiKey Actually Work?

How does a YubiKey work? Once you have set up your YubiKey in an application and have entered your password, you either just insert your YubiKey or insert and tap it. The cryptographic authentication process then runs and you are in your account.

You do not have to understand how a YubiKey works, because all the cryptographic authentication happens in the background. All you have to do is look after the YubiKey and insert and/or tap it at the appropriate times, usually when you log in to some App.

Disclaimer: there was only one site offering an explanation of how the YubiKey works “under the hood”, as Ivan on Tech would say LOL. So I hope I understood the explanation correctly and am passing it on accurately, because I cannot verify it. Spoiler coming below.

Using YubiKey after Setup

Let’s go from the simple to the more complicated. First, for completeness’ sake and to lull you into thinking that this is easy to understand, I will reiterate the 2 steps that you need to do once you have linked your YubiKey to the App or device that you want to secure. Second, the 3 steps that happen when you actually set up your YubiKey. Third, what happens inside the YubiKey on setup, that is, in step 3 of the setup process. This last step has 2 parts to it. Hopefully I will break it down simply enough for most of you to follow, whether you are technically minded or not. The only concepts that might need further explanation are Public and Private Keys.

Usage Step 1:

Put in your username and password. I kid you not! Sorry to disappoint myself :(! You still need a username and password. 2 Factor Authentication (2FA) will be dealt with below, but for now, just go with the flow.

Usage Step 2:

Insert and/or press your YubiKey to authenticate. Now you are authorized. Your account is unlocked and you are in.

Ok, so not complicated at all, right? Wrong. Let’s look at the complicated operations that are necessary when you setup a YubiKey.

Setup Step 1:

You insert the YubiKey and choose an application that has 2FA with YubiKey as an option, like Google or Facebook.

Setup Step 2:

Login with your regular username and password. So far so good.

Setup Step 3:

Choose 2FA and link the account with the YubiKey. The latter part might be easier said than done, as research shows. However, at least Google seems simple enough, and with the researcher’s advice you might get Facebook to work properly. This complicated linking process is an obvious con.

If you properly link your YubiKey, more likely with, or if you are lucky without, help, you will set off the following process. Warning: it gets technical. You can skip this section if you want, but it is fascinating if you can follow it, and it will help you understand YubiKeys better and thereby be better off. So, hold onto your YubiKey LOL, take a deep breath, and here goes.

Inside the YubiKey in Step 3 Above

I have broken this into 2 parts. Hopefully this will increase your understanding of the process. If not, sorry, but it would not matter then if it was all explained together or not LOL.

Part 1:

The YubiKey generates a random Private and Public Key pair. The Private Key never leaves the physical YubiKey and cannot be hacked, while the Public Key gets sent to the server.

In addition to the Public Key, a Nonce is sent. This Nonce is the random number that the YubiKey picked in order to generate the Private and Public Key. It also sends a Checksum, a number that identifies that specific YubiKey. These are all cryptographically encoded and sent to the server.

Part 2:

This is where it gets really technical. You might have to re-read this section and that is great because I get 2 views for 1 article LOL. Seriously, you should be able to follow this if you followed the first part.

Then, when you return to the site and type in your username and password, followed by inserting and, if applicable, tapping the YubiKey, the server sends that same Nonce and Checksum, plus a new, different number, back to your YubiKey.

Your YubiKey then generates a new Private Key. Each YubiKey uses a different secret for this key generation process, ensuring that only this YubiKey will work.

Then the YubiKey signs the new number with the Private Key and sends the result to the server. The server then verifies (unlocks) it with the Public Key it received in Part 1. This then allows you access to your account.

In addition, there are YubiKeys with 2 layers of protection. The first is this cryptographic process. The second is a button or sensor on the YubiKey that needs to be pressed or tapped against a device. The latter means that only a human can be signing in.
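The setup and login exchange of Parts 1 and 2, as an added example that is not from the original post or from Yubico: a simulated token generates a P-256 key pair at setup, the server keeps only the public key, and each login signs a fresh random number from the server, which the server checks with that public key. It uses a plain ECDSA challenge-response (the names Token, Server, Register, NewChallenge, Sign and Verify are my own, not a real product API) and leaves out the Nonce/Checksum details the post describes; it also retires each challenge after one use, so a captured response cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token models the hardware key (hypothetical): the private key is generated inside it and never exported.
type Token struct{ priv *ecdsa.PrivateKey }
// Server keeps the public key received at setup plus the one challenge currently outstanding.
type Server struct {
	pub     *ecdsa.PublicKey
	pending []byte
}
// Register is the setup step: a fresh P-256 key pair is made and only the public half leaves the token.
func Register() (*Token, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}
// NewChallenge is the server's "new, different number" for one login; it is remembered so only one response to it is accepted.
func (s *Server) NewChallenge() ([]byte, error) {
	s.pending = make([]byte, 32)
	_, err := rand.Read(s.pending)
	return s.pending, err
}
// Sign is what the token does when touched: sign the challenge and hand back only the signature.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, d[:])
}
// Verify checks the response with the stored public key and retires the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(challenge, sig []byte) error {
	if s.pending == nil || !bytes.Equal(challenge, s.pending) {
		return errors.New("challenge is not the one issued for this login")
	}
	s.pending = nil
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(s.pub, d[:], sig) {
		return errors.New("signature does not match the registered public key")
	}
	return nil
}
```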

2FA

Voila, and there we have it! A YubiKey can be used as the second factor of a 2FA system! So indeed you do need your username and password, and you do need to remember your password! So I guess it is back to the old drawing board, as Coyote says after his demise.

So let’s get back to 2FA. I said I would skip it for now. Even though covering it earlier might have improved the flow of the article, it is the part that answers the question of why you still need the username and password, so I did not want it to come too high up in the article :).

2FA is the use of 2 of the following 3 types of authentication methods. Type 1 is something you know, for instance your username and password. Type 2 is something you have, the YubiKey is the example I am using in this article (sorry to state the obvious). Type 3 is something you are, for example your fingerprint.

Simply put, a username/password and then activation of a YubiKey is analogous to a credit or debit card with a PIN code. The card itself is something you own, therefore it is one type of authentication. A PIN code is something you know and therefore it is another type of authentication. To be clearer then, the username/password is the something you know and the YubiKey is the something you own. It turns out that if you have a credit or debit card with a PIN, then you have been using 2FA for years without knowing what it means or how it works! Now you know the terms, the categories they fit into, and why it is more secure. Extra bonus for reading this article!

Or Is that All?

There is a YubiKey that can perform 2 functions, namely providing the second factor for a 2FA system and providing static passwords. It is not really clear whether you can use the static password for all sites you need to log in to, but you can use it for the paid version of LastPass. So maybe I do not have to remember my password after all. If I have a LastPass account, I can use my YubiKey as a password “inserter”. Simply and concisely, you hold your YubiKey for longer than 2 seconds and it types the password into the password textbox, and you are in without having to remember your password. Is this as safe as 2FA? Probably not.

A quick aside. As I understand it, not many other sites support the YubiKey as the only authentication method. There is a way to make a static password “stretch” to all Apps though. See the link above on static passwords for instructions on how to do this.

However, if I can access my LastPass account with my YubiKey, then maybe I am password free, because I can just rely on LastPass to log me into the rest of my accounts and take care of my strong passwords for each site. That is, as long as nothing happens to my YubiKey and I maintain ownership of it. If I no longer have it, I will have to gain access to my account using a second 2FA method, remove the stolen, lost, or otherwise misplaced YubiKey, and either set up a new one or choose a different 2FA method that suits my needs better.

So, maybe I never have to remember a password again. The only con to using something like LastPass is if there is a security compromise at the site. Then I would have to change my password(s) accordingly. So it is not as secure as using the YubiKey for each site and remembering the password for each site; Coyote is still not completely out of the picture.

Cons

Let’s deal with the cons first. There seem to be a lot of cons, but I still think this might be a great idea for me. I know it suits the needs of many people and is very popular in companies. So do not let the cons scare you. You have to weigh them up against the pros.

The outlay for a YubiKey is quite expensive. In addition, you would probably have to purchase multiple YubiKeys.

Hardware authentication standards are evolving constantly, leading to compatibility issues. In order to keep up with the changes, you might have to buy new models on a regular basis, leading to further costs.

Unlike a password, you cannot forget the authentication inside the YubiKey, but you can lose, misplace, or forget to take your YubiKey. It could also be stolen, with or without your laptop and/or cell phone. In case any of these things happen, there is a backup way into your accounts. If any of these things happen, you should log in to all your accounts that have the YubiKey, change your passwords, and remove the YubiKey, except of course if you find it. Note that you would also still need to change your passwords even if you did not have a YubiKey linked to them. This goes back to our credit/debit card analogy. So you do not gain much on this level.

Another con is that the process of setting up a YubiKey as a 2FA method on a number of websites is very complex. Further, if you do it wrong, you might not know it. You also might have to download further fixes for issues you created by actually following the instructions on how to set up your YubiKey with the App you are trying to set up. All this makes setting up a YubiKey rather cumbersome and undesirable. However, if you can either get someone to help you or get it right, this might offset the cost of setting up. In addition, once you have completed the process once, you will probably be able to avoid all these pitfalls and get the convenience sooner with less frustration.

There are probably more cons, but the final one for this article is that a YubiKey is not offered as a 2FA method on a lot of sites. Although I have mentioned this already, it is worth re-mentioning because once set up, it might be something that you do not want to do without.

Pros

Once you have set up the YubiKey once, it is simpler to set up in other Apps and on other devices. Once set up, it is also simple to use.

Most importantly, having a YubiKey is a secure 2FA method. It seems logical that it is at least more secure than e-mail and SMS. However, if your YubiKey is lost, stolen, or misplaced, you might have to rely on one of these two less secure backups to remove it and replace it with a new one. On the upside, there is a backup recovery if you no longer have the YubiKey you set up.

It is light, thin, and can be put on a key ring for convenience. This makes it rather practical, especially if the YubiKey is for work purposes or for an account you want to secure on the go.

Once you have laid out the expense, you can relax more, knowing that even if your password is compromised, you have an extra layer of authentication to help ensure your accounts do not get hacked. You would still have to pay attention and change passwords, but the account is safer and unlikely to get hacked into.

The Apps that allow you to set up multiple YubiKeys give you the advantage of sharing the account with family, or of mandatory sharing with bosses at work. It would also allow you to have a backup YubiKey in case you lose one. Then you would only have to remove the one you lose and, at a more convenient time, set up a replacement.

Again, this is not an exhaustive list of pros. However, it should be clear that the security benefits gained seem to outweigh the losses, as long as it works for you and your lifestyle and personality. This is unless you have to use it for banking or work purposes, in which case at least the inconvenience is as marginal as it can be for a hardware security system.

Summary

A YubiKey is simply a hardware device that looks similar to a USB stick and holds a Private Key; some also hold a static password. The Private Key and password are held in the USB-like hardware device and cannot be reached by the computer. It only signs with its Private Key, or types out the static password, when it is put in the computer, tapped, and/or the button on the YubiKey is pressed. This ensures that it is almost impossible to hack and makes it very secure.

2FA is any combination of 2 of the 3 factors, namely what you know, what you have, and what you are. A credit/debit card with a PIN is a good example of 2FA that you already know and use. Similar to a credit/debit card and PIN, the username/password combined with a YubiKey is another good example of 2FA and is the focus of this article LOL.

While the YubiKey is one of the most secure authentication methods, it still has a long way to go in terms of user friendliness. It may still be worth the hassle of setting up a YubiKey for Apps and devices in order to enjoy the convenience and security it offers. Also, the convenience might outweigh the one-time outlay.

It seems that the good old username and password are not going away in a hurry :(. Usernames and passwords have stood the test of time and, with a strong password, have proven effective against hacks. However, it is always advisable to have a 2FA system. This is easier said than done with a YubiKey, because firstly it is cumbersome, at best, to set up, and secondly it is not available on a number of sites that require login.

With the expense of a YubiKey, incompatibility issues, compromises to sites, and the ability to lose your YubiKey, it might seem daunting to own and use a YubiKey. It really depends on a person’s personality, lifestyle, and job, whether a YubiKey is the best option for you.

If you are a Tech Geek, please keep hacking away (LOL) at replacing usernames and passwords on the internet and devices. They are safe, but difficult to remember and require re-setting over and over again, at least for me. Thank you.
