Tag: YubiKey review

  • Review Yubikey two factor authentication (2FA)

    Getting fed up with noticing daily brute force attacks in the server logs, I decided to up the game and implement two factor authentication (2FA) on the blog login page; this way, even if a trojan horse on my PC captures the long random password, nobody will be able to break in.

    The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, together with the matter of mobile apps wasting time by requiring you to enter a long random number on the login page. For those reasons, I decided that hardware token authentication was preferable, and I bought a Yubikey Edge and a Yubikey Neo.

    The main difference between the Yubikey Neo and the Edge is that the Neo has NFC and can be used with a smartphone or tablet that supports NFC, usually high end models, without the need for any USB port.

    Yubikey Neo and Edge

    Something to remember is that Yubikeys only work with the Chrome browser; Mozilla Firefox intends to add U2F support in the future, but this has not been done yet.

    Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it doesn’t have security complications, and it works. I also use the Yubikey with Vivaldi, a Chrome based browser, and it also works; this way I can avoid a pure Chrome browser loaded with Google spyware.

    Before buying the tokens I researched on Yubico’s website what online services I could use the Yubikeys with; that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.

    Yubico lists self-hosted WordPress blogs as “supported”. After buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico; it has been coded by an individual and has not been updated for over two years, and it rightly comes up flagged with a security warning in the WordPress plugin directory.

    Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Surely not, and I think that anybody who cares about their WordPress blog’s wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.

    The second account I wanted to use the Yubikey with is my Google Account, and again a problem came up. I have no idea why it happened, but facts are facts: after setting up the Yubikey with my Google Account and using it a couple of times, it suddenly stopped working.

    I attempted to make it work with a Chrome based browser (Vivaldi) and Firefox, and I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesn’t like the Yubikey; although officially Google supports Universal Two Factor authentication tokens, the Yubikey will not show up on the login page anymore.

    The third account I wanted to secure with the Yubikey is my Fastmail account, another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication; all it does is give you the choice to use a Yubikey to log into your email account from a public computer without having to worry about the password being stolen.

    Yubikeys with Fastmail will not stop brute force attacks on your main username, and if anybody steals your login master password you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail cannot do that.

    Yubikey Edge and Yubikey Nano with NFC

    Yet more disappointments trying to set up my Yubikey with Evernote: Yubico lists it as supported, but I found out that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated, but it means software has to be installed on your computer and time spent, which defeats some of the purposes of using a hardware token for authentication, like simplicity.

    Another problem: Dashlane is listed as one of the password managers supporting Yubikey login, but only for a price; you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.

    Conclusion Yubikey review

    I am entirely out of love with the Yubikey. A few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but for other problems, like the outdated plugin for WordPress, I feel it is partly Yubico’s responsibility. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.

    The commendations for the Yubikey are that it is sturdy, it needs no battery and I had zero problems with drivers, but until it works for real on major websites I am not going to recommend it to any of my friends, and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey with a certain service, visit that service’s page and get the information directly from them instead of Yubico.

    Promising project, too bad it can’t be used as intended anywhere meaningful.

    Visit Yubico homepage

  • Hardware authentication systems: Swekey vs Yubikey

    A double authentication login system using a hardware key is the best security system for people who travel and/or use public computers at Internet cafés and libraries. There is no absolute way to secure your personal data and privacy on a computer that isn’t yours; there are too many things that can go wrong on a networked computer where you do not have administrator rights. Outdated antivirus software, hardware keyloggers, network password sniffers: they are all dangers that could be there, and you cannot effectively protect against any of them.

    When you use a hardware token to log into websites together with a password, even if someone steals the passcode it will be useless to them. Most passwords are stolen remotely without the user knowing about it; with a hardware authentication token you are likely to notice the key is missing and can then revoke it.

    Swekey double factor authentication system

    The Swekey is an authentication hardware token in the form of a USB thumbdrive. In order to access a web application such as webmail, an Internet forum or online banking, you need to have the Swekey plugged in first and then enter the correct password for the service; this means that if anyone manages to steal your password they will not be able to log in because they will still need your Swekey.

    The Swekey is not a regular USB key: it generates One Time Passwords, and it can’t be hacked because the private key that is used to generate the OTPs cannot be read (physical protection).

    Swekey is operating system and browser independent, compatible with Windows, MacOS and Linux whether you use the Internet Explorer, Firefox or Opera browser. On more obscure operating systems like Solaris and FreeBSD, Swekey should also work if libusb is present.

    SweKey USB hardware token plugged in

    When you plug the Swekey into the USB port your user name is automatically filled in, and you are automatically logged out when you unplug your hardware token.

    Swekey is integrated into most popular open source projects like Drupal and Joomla, well known Content Management Systems that power community websites. Internet forums powered by vBulletin and phpBB also support it, and so do open source webmail platforms like RoundCube and Squirrel.

    There are specific plugins for Swekey, but it can be used with any OpenID compliant web site. The main problem with hardware authentication tokens is that they need to be supported by the website you use, and OpenID already has thousands of sites behind it.

    http://www.swekey.com

    Update 2015: Swekey is no longer in business, link erased.

    YubiKey double factor authentication system

    The YubiKey calculates a new unique passcode each time it is used, making it impossible to copy and illegitimately re-use a passcode.

    To use this hardware token you just plug it into a USB port and it will act like a USB keyboard, compatible with Windows, MacOS and Linux. The YubiKey has one button on it that, when pressed, generates a one-time 44-character password.

    YubiKey hardware token plugged in

    In order to log into a website you must have the physical Yubikey token plugged into your machine and press the button on it to generate a new One Time Password. The generated one-time password can’t be reused or copied and pasted, which prevents malicious hacking attacks if someone captures your login credential. This hardware authentication system can also be used at OpenID websites with YubiKey support enabled.
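    To make the "can't be reused" property concrete from the website's side, here is an added example (not code from the post or from Yubico) that checks the shape of a 44-character YubiKey OTP and rejects any OTP presented a second time. It assumes the modhex alphabet and the 12-character public ID prefix that Yubico documents for its OTPs; the sample OTPs are constructed, and real deployments would additionally verify the encrypted counter with Yubico's validation service or a self-hosted validator.

```python
# YubiKey OTPs are typed in "modhex", a 16-character alphabet chosen so the
# token produces the same characters on any keyboard layout.
# Assumption: alphabet and layout as documented by Yubico, not taken from the post.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44          # the 44-character OTP the post describes
PUBLIC_ID_LENGTH = 12    # leading characters identify the key; the rest is the one-time token


def split_otp(otp: str):
    """Validate the OTP's shape and split it into (public_id, token).

    Returns None if the string is not a well-formed 44-character modhex OTP.
    """
    otp = otp.strip()
    if len(otp) != OTP_LENGTH or any(ch not in MODHEX_ALPHABET for ch in otp):
        return None
    return otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]


class ReplayGuard:
    """Server-side bookkeeping that refuses a one-time password presented twice.

    This only demonstrates the application-layer replay check; it does not
    decrypt or verify the token itself (constructed example).
    """

    def __init__(self):
        self._seen = {}  # public_id -> set of tokens already accepted

    def accept(self, otp: str) -> bool:
        parts = split_otp(otp)
        if parts is None:
            return False  # malformed: wrong length or non-modhex characters
        public_id, token = parts
        seen = self._seen.setdefault(public_id, set())
        if token in seen:
            return False  # replay: this exact OTP was already used once
        seen.add(token)
        return True


# Constructed sample OTPs for the demonstration (not real key output).
SAMPLE_PUBLIC_ID = "cccccccccccc"
SAMPLE_OTP = SAMPLE_PUBLIC_ID + "bdefghijklnrtuvcbdefghijklnrtuvc"
SAMPLE_OTP_2 = SAMPLE_PUBLIC_ID + "cbdefghijklnrtuvcbdefghijklnrtuv"
```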

    Why use hardware authentication security

    All of these three hardware security tokens are low cost and highly secure USB authentication devices that I would consider buying if I had to use multiple shared computers. If you only use your home computer for Internet access, having your antivirus and firewall updated daily and configured correctly, together with a good online password manager, should be enough for most people.

    The most paranoid can add double authentication for an extra layer of security, and I can see its utility for home users too: if someone hacks your favourite website’s database and gets your username and password out of it, they will not be able to do anything with the password without the physical hardware authentication token to log in.

    These hardware authentication devices all have a way to revoke the key in case you lose it, none of them uses a battery, which makes them highly reliable, and they all use a random One Time Password to log in.

    I could not see any major differences between these three hardware based authentication systems; prices and security are much the same. Probably the most important deciding factor when picking one of them is to make sure that the websites you normally visit have support for the specific hardware authentication token of your liking.