Fed up with noticing daily brute force attacks in the server logs, I decided to up my game and implement two factor authentication (2FA) on the blog login page; this way, even if a trojan horse on my PC captures the long random password, nobody will be able to break in.
The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, plus the hassle of mobile apps wasting your time by requiring you to enter a long random number on the login page. For those reasons, I decided that hardware token authentication was preferable and I bought a Yubikey Edge and a Yubikey Neo.
The main difference between the Yubikey Neo and the Edge is that the Neo has NFC, so it can be used with a smartphone or tablet that supports NFC (usually high end models) without the need for any USB port.
Something to remember is that Yubikeys only work with the Chrome browser; Mozilla Firefox intends to add U2F support in the future, but this has not been done yet.
Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it has no security complications, and it works. I also use the Yubikey with Vivaldi, a Chrome-based browser, and it works there too; this way I can avoid a pure Chrome browser loaded with Google spyware.
Before buying the tokens I researched on Yubico’s website which online services I could use the Yubikeys with; that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.
Yubico lists self-hosted WordPress blogs as “supported”; after buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico. It has been coded by an individual and has not been updated for over two years, and it rightly comes up flagged with a security warning in the WordPress plugin directory.
Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Certainly not, and I think that anybody who cares about their WordPress blog’s wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.
The second account I wanted to use the Yubikey with is my Google Account, and again a problem came up. I have no idea why it happened, but facts are facts: after setting up the Yubikey with my Google Account and using it a couple of times, it suddenly stopped working.
I attempted to make it work with a Chrome-based browser (Vivaldi) and with Firefox, and I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesn’t like the Yubikey; although Google officially supports Universal Two Factor authentication tokens, the Yubikey will not show up on the login page anymore.
The third account I wanted to secure with the Yubikey is my Fastmail account, and here came another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication; all it does is give you the choice to use a Yubikey to log into your email account from a public computer without having to worry about the password being stolen.
Yubikeys with Fastmail will not stop brute force attacks on your main username, and if anybody steals your login master password you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail cannot do that.
Yet more disappointments trying to set up my Yubikey with Evernote: Yubico lists it as supported, but I found out that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated, but it means software has to be installed on your computer and time has to be spent, which defeats some of the purposes of using a hardware token for authentication, like simplicity.
Another problem: Dashlane is listed as one of the password managers supporting Yubikey login, but only for a price; you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.
Conclusion: Yubikey review
I am entirely out of love with the Yubikey. A few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but other problems, like the outdated plugin for WordPress, I feel are partly Yubico’s responsibility. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.
The points in the Yubikey’s favour are that it is sturdy, it needs no battery and I had zero problems with drivers, but until it works for real on major websites I am not going to recommend it to any of my friends, and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey with a certain service, visit that service’s page and get the information directly from them instead of from Yubico.
Promising project, too bad it can’t be used as intended anywhere meaningful.
Larry
I can’t understand why, if a person is concerned enough about privacy to use 2-factor authentication, one would even consider using any Google service at all…
hacker10
Hello Larry,
You are 100% correct, it revolts my stomach that I have an account with Google, allowing them to watch my every move, but that is the only way I have to earn money with this blog.
The other advertisement networks I looked into pay far lower.
hacker10
MrSage
Nice review…. I am using my yubikey neo with last pass and love it. I also use it to log into my PCs. There is also a cool app that allows you to have secured notes. One of the first things I did with the neo was setup the WordPress plugin and realized it was sketchy as hell so I removed it.
plutarch
This indeed is an interesting read for me. I have the neo, but solely for the local use like encryption or 2FA to a few of my devices. It’s pretty good there, so the next step of 2FA with public services seemed obvious. I do rethink now. Thanks!
hacker10
Hello plutarch,
Thanks for your comment, this is how things were for me, I don’t have any grudge against the Yubikey other than wishing I had known before that the list of services that they advertise on their page as working with the Yubikey is not supported by them, and will not always work. Another thing they don’t tell you is that you need the Chrome browser, and I am a Firefox user.
Since you already have a Neo you can try this out for yourself without having to buy a second key.
As of this moment, after spending money on two Yubikeys, I am only using it online in a single place because it doesn’t work anywhere else I visit.
hacker10
Curious
Hey Hacker10. Any thoughts on the recent move from Yubico concerning open-source to proprietary?
https://www.yubico.com/2016/05/secure-hardware-vs-open-source/
hacker10
Hello,
Well it is too late for me, I already have the key, what do you want me to do?
I would not buy it even if open source because as explained in the post Yubikey works in very few services and Yubico can’t be bothered to develop plugins for widely used services.
If you want a U2F certified security key that is open source look at the Nitrokey.
Jo
Any recommendations for an alternative to the yubikey, especially for iPhone/iPad users?
Thanks and good site I’m definitely going for the chrome based alternatives
Never knew there were so many alternatives 🙂
Jo
So what is left …
I’m in the same boat and looking for a solid alternative to authy
Any advice ?
It’s being used on several iDevices and one base (iMac)
Keep up the good work
Love your site
Jeff Brixhamite
Google Authenticator is a good choice over using an SMS based solution (SMS is much easier to bypass). Hardware tokens are more self-contained, and Fido keys help protect against phishing attacks, but provided your mobile isn’t hacked this is still a stronger option than SMS.