Anyone using yubikey, smart card or other hardware device for MFA?
-
@CCWTech @pchiodo and I were discussing this just this week. @CCWTech got a classic RSA key from his bank and we were talking about what a total joke it was. It's this bulky key you have to carry around and the security on it is a joke. It shows the key at all times and is super visible. You can't hide it, you can't secure it.
Using Authy, OneAuth or Authenticator you have all this heavy security protecting access to the app, it's in a convenient place on a device that you have with you anyway, and it's only visible when you want it to be visible. And it's on a device you know if you've lost. Rather than being a key you can go months without using, easily misplace, and if someone stole it you'd likely not know for months.
The degree to which these MFA keys are often vastly less secure than 'free', already existing, much more convenient solutions is significant.
I like Authy best because it's free, works on my phone AND on my watch. I like Zoho OneAuth second best because it integrates with everything else that I do.
-
@Pete-S said in Anyone using yubikey, smart card or other hardware device for MFA?:
And if it makes MFA more secure or not. I guess it should.
SO much less.
-
@scottalanmiller said in Anyone using yubikey, smart card or other hardware device for MFA?:
@CCWTech @pchiodo and I were discussing this just this week. @CCWTech got a classic RSA key from his bank and we were talking about what a total joke it was. It's this bulky key you have to carry around and the security on it is a joke. It shows the key at all times and is super visible. You can't hide it, you can't secure it.
Using Authy, OneAuth or Authenticator you have all this heavy security protecting access to the app, it's in a convenient place on a device that you have with you anyway, and it's only visible when you want it to be visible. And it's on a device you know if you've lost. Rather than being a key you can go months without using, easily misplace, and if someone stole it you'd likely not know for months.
(Using Authy for the last 3 years)
I have thought this for a while now but felt I was wrong somehow. With the articles I have read over the last few years it seems most point to physical hardware based tokens are more secure.
I have limited knowledge in this area, so, what the heck am I missing? Does yubikey provide better security than Authy????
-
@pmoncho said in Anyone using yubikey, smart card or other hardware device for MFA?:
@scottalanmiller said in Anyone using yubikey, smart card or other hardware device for MFA?:
@CCWTech @pchiodo and I were discussing this just this week. @CCWTech got a classic RSA key from his bank and we were talking about what a total joke it was. It's this bulky key you have to carry around and the security on it is a joke. It shows the key at all times and is super visible. You can't hide it, you can't secure it.
Using Authy, OneAuth or Authenticator you have all this heavy security protecting access to the app, it's in a convenient place on a device that you have with you anyway, and it's only visible when you want it to be visible. And it's on a device you know if you've lost. Rather than being a key you can go months without using, easily misplace, and if someone stole it you'd likely not know for months.
(Using Authy for the last 3 years)
I have thought this for a while now but felt I was wrong somehow. With the articles I have read over the last few years it seems most point to physical hardware based tokens are more secure.
I have limited knowledge in this area, so, what the heck am I missing? Does yubikey provide better security than Authy????
I did some research now and one obvious difference is that yubikey can't be phished.
Authy uses a OTP, same as Google Authenticator and many others and a user can be tricked into entering their credentials and their OTP into a fake website. The attacker then uses that information within seconds on the real website and has now gained access.
Since yubikey is a physical device it can't be phished, because the attacker doesn't have the physical device.
Another thing is that even if someone has gained remote access to your desktop/phone, the yubikey device can't be used to authenticate - even if it's plugged in. The user has to press a physical button on it.
That's what I've gathered so far. And that Cloudflare swears by them.
On wikipedia it also says that Google, Amazon, Microsoft, Twitter, and Facebook uses yubikeys to secure employee accounts.
-
@Pete-S said in Anyone using yubikey, smart card or other hardware device for MFA?:
I did some research now and one obvious difference is that yubikey can't be phished.
I am sure they can. All the attacker needs is to be MitM to get the approved session information. It is not like your Yubikey is communication non stop with the website you used it to authenticate.
-
@JaredBusch said in Anyone using yubikey, smart card or other hardware device for MFA?:
@Pete-S said in Anyone using yubikey, smart card or other hardware device for MFA?:
I did some research now and one obvious difference is that yubikey can't be phished.
I am sure they can. All the attacker needs is to be MitM to get the approved session information. It is not like your Yubikey is communication non stop with the website you used it to authenticate.
OK, let me rephrase that then. The yubikey MFA can't be phished. Doesn't mean that the website or browser or traffic between them can't be hacked in other ways. The yubikey can also be stolen from you.
-
@Pete-S said in Anyone using yubikey, smart card or other hardware device for MFA?:
The yubikey MFA can't be phished.
And this is no different than my use of Authy and MS Authenticator not able to be phished.
Sure a MitM can get it. There are known exploits for O365 accounts that do this.
But it is as secure as a hardware key for day to use usage. Sure, if someone else knows the seed (alomst always shown when signing up) you used for the TOTP, they can also get a valid code, so I would never say it is as totally secure as a Yubikey.
-
@JaredBusch said in Anyone using yubikey, smart card or other hardware device for MFA?:
@Pete-S said in Anyone using yubikey, smart card or other hardware device for MFA?:
The yubikey MFA can't be phished.
And this is no different than my use of Authy and MS Authenticator not able to be phished.
Sure a MitM can get it. There are known exploits for O365 accounts that do this.
But it is as secure as a hardware key for day to use usage. Sure, if someone else knows the seed (alomst always shown when signing up) you used for the TOTP, they can also get a valid code, so I would never say it is as totally secure as a Yubikey.
No, as I understand it it's quite different. There is traditional MFA methods (like Authy) and then there is phishing resistant MFA (like yubikey). I don't understand all the details yet though.
You can read more about it here where Okta has an overview of all the different methods they support:
https://www.okta.com/blog/2022/10/the-need-for-phishing-resistant-multi-factor-authentication/Just a few month ago there was an executive order for government to move to phishing resistant MFA.
Here is an overview on MFA by CISA (Cybersecurity & Infrastructure Security Agency):
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf -
@Pete-S I have used it for DUo and Office 365 and works well. It makes it so much easier for users that refuse to have a mobile or digital device.
-
@dbeato said in Anyone using yubikey, smart card or other hardware device for MFA?:
@Pete-S I have used it for DUo and Office 365 and works well. It makes it so much easier for users that refuse to have a mobile or digital device.
That sounds good. I think I'll order a pair of keys to try it myself.