25 Dec 2018, 05:28 AM
#4
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Security Best Practices
Copied from:
https://www.reddit.com/r/yubikey/com...stions_please/
Use a Password Manager. You shouldn't have passwords memorized, and you *definitely* should not be reusing passwords amongst multiple services. Bitwarden (open source), KeePassXC, Dashlane, LastPass, 1Password, Keeper all have free tiers (KeePassXC is *completely* open source!), and all of these support using a YubiKey to make logging into them even more secure.
2 Factor all things. Your high level goal should be to start using 2FA more often. In other words, start using something you know (a password) and something you have (a FIDO compliant key) whenever you can. Doubly so when you're working with a service that's important.
Your email is typically your most important service because you recover your accounts with your email. 2 Factor that thing up! If you're using Gmail, this is a no-brainer as it supports the phishing resistant protocol known as FIDO. From there, ensure your password manager (you are using one, right?) is secured with 2FA as well. After that, my friend, the world is your oyster! Not all 2FA is created equal... In other words, don't buy a huge steel front door and then leave an open window next to it.
HMAC Counter-based One Time Password (HOTP)
It's a bunch of digits that are different every time you press the YubiKey. No time element. Used with some identity platforms. Phishable
YubiOTP
One Time Password protocol made specifically for the YubiKey. Buncha characters, cryptographically "stronger" than HOTP, some replay attack protections baked in. Use with Lastpass and identity providers. Phishable
Time-Based One Time Password (TOTP)
The most common form of 2FA on the planet. If you've ever used an RSA token or the Google Authenticator app or the Authy app, ALL of these are forms of TOTP. Bunch of digits that changes on a given time schedule (ex. 30 seconds). Open standard by the folks at OATH. Phishable
Strong Password
This is not 2FA, just a really long password. Phishable, use with caution.
Universal 2nd Factor (FIDO U2F)
It's a modern authentication schema that uses the browser to tell the website you're trying to log into whether or not you're being phished. *Strong* asymmetric crypto. Use with Google, Facebook, Twitter, GitHub, GitLab, Salesforce, AWS, and various identity providers and more. Often referred to as "Security Key". Open Standard by the folks at the FIDO Alliance. Extremely phishing resistant.
FIDO2
Essentially FIDO U2F on steroids. Adds an ability to put your identity into the device as well. In the future, use in place of smart cards on Windows with Azure. Today...no real use cases.