Abarbarian
U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed. This method of identification is usually done with a USB device, of which there are several providers.
In addition to U2F there are other protocols like OTP, TOTP, OpenPGP and PIV, to name a few. There are devices on the market which can also allow you to use these along with U2F from a single USB device, for which you only ever need one password.
The FIDO Alliance has been set up to oversee U2F matters.
https://fidoalliance.org/how-fido-works/
How FIDO Works
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
There are, as I said, several companies marketing U2F-only devices, and they vary in price. The Yubico one sells for around £18. The cheapest I found on the net, which had varying reviews,
https://www.amazon.co.uk/d/USB-Gadg...coding=UTF8&psc=1&refRID=RFABTFAB3XQVGN4VC81C
and it seems to be a rebrand from this company,
https://identity2u.net/product/smartcard-readers/otp-fido-u2f/feitian-epass-fido
Doubtless there are more, but they are limited to U2F only, which as a standard has some pretty neat features.
U2F Advantages
Strong security — Strong two-factor authentication, using public key crypto that protects against phishing, session hijacking, man-in-the-middle, and malware attacks.
Easy to use — Works out-of-the-box thanks to native support in platforms and browsers (starting with Chrome, and Opera, with Mozilla coming in 2017) enabling instant authentication to any number of services. No codes to type, or drivers to install.
High privacy — Allows users to choose, own, and control their online identity. Each user can also opt to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and even low-cost U2F devices can support any number of services.
There are devices on the market that will do so much more, like the market leader at the moment, Yubico, which works on Windows, Mac and Linux.
https://www.yubico.com/support/partners/#
https://www.yubico.com/products/why-yubikey-wins/
For Individuals
Sign in to your personal Windows 7, 8, and 10 computer with the tap of your YubiKey. Set up includes installing a small utility from Yubico to secure access in challenge-response mode. This feature works without an Internet connection. It does not work with Microsoft Cloud Accounts.
YubiKey can also be set up for use with KeePass and Password Safe, both of which keep your passwords cached locally on your PC.
Yubico are bringing out a new product in February 2017 for the new USB-C ports, which with a small adapter can be used in the older USB sockets.
Yubico will preview the YubiKey 4C form factor at ShowStoppers @ CES, and make it available in the Yubico store for $50 beginning February 13, 2017. Built on the proven foundation of the YubiKey 4, the YubiKey 4C supports multiple protocols including Yubico OTP, OATH, FIDO Universal 2nd Factor (U2F), and OpenPGP and PIV smart card functions supporting up to RSA 4096 and up to RSA 2048 or ECC P384 keys, respectively. This lineup of functionality is contained in a new keychain design for laptops, such as the MacBook Pro, which rely solely on USB-C ports.
The other multi-use device I found, OnlyKey, was Kickstarted and has some nifty features.
https://www.kickstarter.com/projects/1048259057/openkey-the-two-factor-authentication-and-password/description
The face of the OnlyKey has 6 capacitive touch buttons.
These buttons serve two purposes. First, in order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen it will be unusable without knowing the PIN. Secondly, the 6 buttons support multiple authentication methods, such as One Time Passwords used by Yubikey, Google Authenticator, and the new Universal 2-Factor method (U2F). OnlyKey can be configured to your desired preference. (Watch the OnlyKey project video to see how OnlyKey can be used to log into your accounts.)
How secure is it?
Unlike other tokens and key fobs, OnlyKey supports PIN protection. If OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN. All of the keys and passwords are encrypted with military grade AES-128 encryption. If an incorrect PIN is entered, OnlyKey blinks three times. If an attacker attempts to guess the PIN, after 10 failed attempts the device will perform a factory default, wiping all sensitive data. OnlyKey is even protected from more advanced physical hacking attacks by using hardware security features (for more information see video).
The feature I like the best is
Self Destruct Feature
OnlyKey is the world’s first token to implement a self-destruct feature. A self-destruct PIN can be set when you first activate your OnlyKey. With the self-destruct PIN, if you are ever forced to give up your PIN, the self-destruct PIN can be provided instead, causing the OnlyKey to wipe its sensitive data.
The home site for OnlyKey
https://crp.to/p/
Do you think these tools would be useful? Would you use one?
I really like the self-destruct feature on the OnlyKey, but the unit itself could do with some sort of casing and it seems a tad fiddly to set up. Not so fiddly if you trust Google, and it is nice that you can keep control by using the CLI and Python.
The YubiKey is what I would go for if I were to buy, and I would wait for the new "C" version simply because it is easier to set up all round. Love that you can log on to Windows or KeePass by touching the key.
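Added example, not part of the original post: a simplified Node.js model of the registration and challenge-signing flow described in the quoted "How FIDO Works" and "U2F Advantages" passages, showing why a replayed assertion or one produced for a look-alike origin fails at the real service. The `Authenticator` and `RelyingParty` classes, the origins and the JSON message layout are assumptions for illustration, not the U2F wire format.

```javascript
// Added illustration (not from the post). Simplified model, not the U2F wire format.
const crypto = require('crypto');

class Authenticator {                       // hypothetical stand-in for the USB token
  constructor() { this.keys = new Map(); }  // origin -> private key; never leaves the device
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);      // fresh key pair per service
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge) {                 // origin is supplied by the browser, not the page
    const key = this.keys.get(origin);
    if (!key) return null;                  // nothing registered for this origin
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), key);
    return { clientData, signature };
  }
}

class RelyingParty {                        // hypothetical online service
  constructor(origin) { this.origin = origin; this.pubKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.pubKeys.set(user, pem); }   // the service stores only the public key
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user);              // each challenge is single use
    if (!assertion || !expected || !this.pubKeys.has(user)) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData), this.pubKeys.get(user), assertion.signature);
  }
}

function demo() {
  const token = new Authenticator();
  const site = new RelyingParty('https://bank.example');      // constructed origin
  site.enroll('alice', token.register(site.origin));
  const good = token.sign(site.origin, site.newChallenge('alice'));
  const login = site.verify('alice', good);                    // valid signature over a fresh challenge
  const replay = site.verify('alice', good);                   // same assertion presented again
  const lookalike = 'https://bank-login.example';              // constructed look-alike origin
  const otherKey = token.register(lookalike);                  // different service, different key pair
  const relayed = site.verify('alice', token.sign(lookalike, site.newChallenge('alice')));
  return { login, replay, relayed, distinctKeys: otherKey !== site.pubKeys.get('alice') };
}
```
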