Categories
IT-Stuff

YubiKey vs TOTP app

YubiKey (or other FIDO2 token) vs. Google Authenticator (or other TOTP app)


Phishing protection:
win for the TOKEN
WebAuthn uses a handshake in which the site (as reported by the browser) is one of the inputs. That means it simply won't work for a phishing site.
An entered TOTP code, as long as the dark side can keep the session alive, gives them a ton of opportunities to do something like disable 2FA and/or enrol a new device with just the username and password.


Long-term security / key exposure:
win for the TOKEN
You can't get a key out of a YubiKey, but there are plenty of ways to export or back up the data of your APP.


Ability to connect it to the user:
win for the TOKEN
No chance if you find a TOKEN on the street: there is nothing on it, like an e-mail address, phone number or handle, to connect it to the user who lost it. The same situation with a phone is most likely a whole different ball game, speaking of the information provided to the finder.


Ability to authenticate the user:
win for the APP: your phone, the home of the APP, is locked; your TOKEN usually is not.


Revocability:
a very, very small win for the TOKEN
Some sites and services, not all, will allow you to revoke a single hardware TOKEN without revoking the others (e.g. the BACKUP TOKEN).
Try that with your APP (we are not talking about revoking a single account within the app).


Lost YubiKey next steps

If you are using your YubiKey with a service or application, the policy for lost or stolen YubiKeys depends on how that service or application deals with the situation.

Make sure to remove your lost YubiKey as a 2FA method after you regain access to your account.

Question: How do I log in if I don't have my YubiKey?
Answer: Use the backup code that you generated when you added your YubiKey to that account, or use your backup YubiKey.

If you have already lost your YubiKey, do not panic. Many services have a verification process that lets you prove your identity and regain access. Note that this is not a walk in the park, depending on the service you used.

Lost my YubiKey

To be clear:

Your YubiKey doesn't store identifiable usernames and does not store any of your passwords. Anyone who finds your YubiKey would have absolutely no way of knowing which accounts it can log in to.

This changes a little if the person who **finds** it knows the owner; everybody else who finds a YubiKey on the street, in a train, cafe, airport and so on won't be able to figure out whose key it is.

So don't write your name or your handle on it.

ssh with a YubiKey

Simple steps to get an extra layer of security on your ssh connection with a YubiKey and challenge-response, with no server-side tweaking.

This sounds easy, but 2 things are needed.

STEP-1 check your needs to get this working

need 1: OpenSSH version 8.2 or higher
need 2: YubiKey firmware 5.2.3 or higher

check for need-1 (ssh version, on both sides: host and target)

ssh -V

check for need-2 (YubiKey firmware)

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

STEP-2 install libfido2-dev

apt install libfido2-dev

STEP-3 generate the key (part of the new key is derived from a FIDO/U2F challenge-response on the hardware YubiKey, so you need to touch the key during this operation when asked)

ssh-keygen -t ed25519-sk -C "yubikey007"

STEP-4 copy the generated public key to the remote host

ssh-copy-id remote_username@remote_server_ip_address

STEP-5 ssh into the remote server using the ssh key; you will get prompted for the challenge-response, which means you have to plug in the YubiKey and touch it. The magic happens. Have fun!
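The STEP-1 checks, as an added example that is not part of the original post: a POSIX shell script that compares the two version numbers properly instead of by eye. It assumes `ssh -V` prints a banner such as "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2" and that lsusb prints the YubiKey firmware BCD-encoded, e.g. bcdDevice "5.43" for firmware 5.4.3.

```shell
#!/bin/sh
# Added example, not from the original post: the STEP-1 prerequisite checks
# as small testable functions. Assumptions: `ssh -V` prints a banner like
# "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2" (on stderr), and lsusb reports the
# YubiKey firmware as BCD, e.g. bcdDevice "5.43" for firmware 5.4.3.

# Return 0 if dotted version $1 is >= dotted version $2, compared numerically
# per field (trailing non-digits such as "p1" are ignored by awk's conversion).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# "OpenSSH_8.9p1 ..." -> "8.9"; prints nothing for an unexpected banner.
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# "5.43" (BCD as printed by lsusb) -> "5.4.3"; already-dotted input is kept.
bcd_to_version() {
    case "$1" in
        *.[0-9][0-9]) printf '%s\n' "$1" | sed 's/\.\([0-9]\)\([0-9]\)$/.\1.\2/' ;;
        *)            printf '%s\n' "$1" ;;
    esac
}

ssh_version_ok() { version_ge "$(ssh_version_from_banner "$1")" 8.2; }
yubikey_fw_ok()  { version_ge "$(bcd_to_version "$1")" 5.2.3; }

# Run the real checks on this host (passes only with a YubiKey attached).
check_prerequisites() {
    banner=$(ssh -V 2>&1)
    ssh_version_ok "$banner" || { echo "need OpenSSH 8.2 or higher, have: $banner" >&2; return 1; }
    fw=$(lsusb -v 2>/dev/null | grep -A2 Yubico | grep bcdDevice | awk '{print $2}' | head -n 1)
    [ -n "$fw" ] || { echo "no YubiKey found via lsusb" >&2; return 1; }
    yubikey_fw_ok "$fw" || { echo "need YubiKey firmware 5.2.3 or higher, have $(bcd_to_version "$fw")" >&2; return 1; }
    echo "prerequisites met: OpenSSH $(ssh_version_from_banner "$banner"), firmware $(bcd_to_version "$fw")"
}

# Uncomment to run on a real host; key generation itself is STEP-3 unchanged.
# check_prerequisites && ssh-keygen -t ed25519-sk -C "yubikey007"
```

Run the checks on both the client and the target host, since the sk key type must be understood on each side.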

Be aware: if you don't have the (Yubi)key you are not able to log in, and a backup of your SSH key alone does not work either, because with the challenge-response it is just one half of the ssh key. If you want multi-factor auth (not 2FA) on your ssh connection, set a passphrase when you generate the ssh key. Remember, if you destroy the hardware key or lose it, login is not possible, so be prepared for that scenario. It's a hostile world, be prepared to fight.

Maybe these links will cover some more information:
https://islba.co.at/easier-life-with-custom-ssh-config-file/
https://islba.co.at/disabling-ssh-password-authentication/
https://islba.co.at/4-step-setup-ssh-login-without-password/