Which security key

hadaso · 17 Dec 2020, 04:23 PM

After losing my Yubikey, and then a few days after having my phone sent to be repaired, I'm looking to buy a new security key, and perhaps more than one so I have at least one for backup, and perhaps some more for other family members. The real question is: which one.

The old one that I lost (fell off my keyring) was one of the more expensive ones from Yubico. I probably got this one because Firefox didn't support U2F back then, And I thought I'd use the NFC capability (I never did).

So I wander if I really need something like the Yubikey 5 NFC that costs 45$ (the cheapest in the Yubikey 5 line) and what benefit it provides over the 25$ Security Key NFC by Yubico , if at all, to a FastMail user. Or perhaps there are cheaper comparable alternatives that people here would recommend?

Also, I would want to use the same security key for some other services (like google account, Dropbox, domain registrar etc.), but without it reducing the security of my Fastmail account (such as with using the same password).

TenFour · 17 Dec 2020, 07:55 PM

You can use your Android phone as the security key too! https://support.google.com/accounts/...DAndroid&hl=en

BritTim · 17 Dec 2020, 11:55 PM

Quote:

Originally Posted by TenFour

You can use your Android phone as the security key too! https://support.google.com/accounts/...DAndroid&hl=en

I would personally not do that as I want a backup security device that I keep in a safe somewhere. Keeping a duplicate Android phone in a safe would be overkill (even if I do not buy security devices for family members also).

TenFour · 18 Dec 2020, 05:34 AM

Quote:

I want a backup security device that I keep in a safe somewhere.

That's one reason I prefer to use an authenticator app on the phone and/or in a password manager. Bitwarden for example can generate codes for 2FA and will store the key used to generate the code. Even if you lose your phone you could log in via the web interface and retrieve the codes. In my experience, losing anything, including security keys is highly likely to the point that it is not really useful. I tried for awhile, and I found that on a regular basis I was leaving it plugged in at work if I was at home or at home if I was at work, or I would attach it to my car keys and then walk to work and not have it. I can just imagine myself flying off on vacation and leaving it on my key ring at home.

FredOnline · 18 Dec 2020, 05:26 PM

Quote:

Originally Posted by BritTim

I would personally not do that as I want a backup security device that I keep in a safe somewhere. Keeping a duplicate Android phone in a safe would be overkill.

Most important is keeping a copy of the QR code for every one that you've stored in your authenticator app.

Personally I keep a copy of each QR code stored in a secure Keepass database, that way if I lose my phone or the app becomes corrupted, I can scan the code I've stored in Keepass, and I'm up and running again.

I suppose you could put the Keepass database on a USB flash drive, and stick that in a safe . . .

TenFour · 18 Dec 2020, 07:58 PM

General comment not specific to this question, but I have found there are some serious problems with how 2FA is handled with many companies. First is that no matter how great the security of the 2FA method there is often a much simpler and easier to hack method to circumvent the 2FA due to the fact that people get locked out all the time. For example, some companies will send an SMS code or email instead of the 2FA method, so it seems to me you are only getting the security level of the least secure alternate method of entry. Second is that there is a very likely chance you will get locked out of your own account due to bugs in the system or errors on your part. I nearly lost my Google account because I changed a phone number and Google would only send codes to my old number. Even though I had the alternate methods set up, including email, prompts on my phone, and one-time codes, Google would not present those alternatives to me. They would only send codes to the old phone number I no longer used. The third problem is just plain inconvenience. I have found that Yubikey code entry seems to fail as often as it works, and some systems just don't like them. Then you can lose the key like you did. Or your phone breaks. Or the key breaks. Etc. Edit: one additional problem cropped up recently for me. I changed a password on my phone. Stored it in my password manager. The phone would no longer accept either the new password or the old one and I was completely locked out. I am 100% certain I had the correct new and old passwords, but nothing worked. I ended up doing a factory reset on the phone. That indicates to me that sometimes there can just be a glitch in any system that can mean you might lose an important account, and 2FA indicates more points of tech failure. For example, one time when I flew from the US to Australia my 2FA codes would not work for some reason. I ended up locked out of everything even though I had the correct codes and the authenticator app on my phone. I ended up having to call back to the USA to get someone to look up my one-time codes stored in a safe location.

n5bb · 19 Dec 2020, 07:29 AM

Quote:

Originally Posted by TenFour

... For example, one time when I flew from the US to Australia my 2FA codes would not work for some reason. I ended up locked out of everything even though I had the correct codes and the authenticator app on my phone...

The TOTP 2FA authenticator calculates a on-time temporary password based on the number of elapsed seconds since the Unix epoch (1 Jan 1970 at 0000 UTC minus leap seconds). The codes are calculated every 30 seconds, so your device must be synchronized to UTC time to better than that interval. If you have your mobile device set to a fixed time zone, the time will be in error by some number of hours when you cross time zones. So you need to be sure that the device is set to automatic time zone correction mode if you want to use an authenticator while traveling.

Bill

SideshowBob · 19 Dec 2020, 10:29 PM

Quote:

Originally Posted by n5bb

The TOTP 2FA ...must be synchronized to UTC. If you have your mobile device set to a fixed time zone, the time will be in error by some number of hours when you cross time zones. So you need to be sure that the device is set to automatic time zone correction mode if you want to use an authenticator while traveling.

I doubt that, timezones are more about how time is presented to the user. Android, and I think iOS, run internally on UTC, and are provided with UTC time from whatever source they use. GSM, GPS and NTP all work on UTC.

Even if the phone works on wall time internally (possibly Windows phones did) that still isn't going to make the UTC time wrong.

In order to get an incorrect UTC time you would need to turn-off automatic time updates and manually set a time that isn't correct for the timezone.

TenFour · 19 Dec 2020, 10:35 PM

My guess as to why the authenticator codes didn't work is that during the long flight across the Pacific Ocean the phone was not connected to the Internet, and then when I landed I didn't have Internet access for awhile because I needed to purchase a local SIM and get access. So, my guess is that the time on the phone was slightly off from UTC, therefore generating incorrect codes, meaning I couldn't login to my secure accounts. Also, complicating things was that both Microsoft and Google decided that since I was not logging in from a normal location something nefarious must be up and they locked me out. They would only let me back in if I could respond to an email or text message sent to my phone, which I couldn't do because I didn't have phone service either. Even when I did have phone service it was a different number, so SMS codes were no good. Of course I was on a business trip and not being able to access everything for a day was a huge pain. In any case, this was a lesson to me that one needs to take special precautions if you travel a lot and want to use Google and Microsoft services.

n5bb · 20 Dec 2020, 10:48 AM

As far as I can tell from the research I performed before my earlier post in this thread, a common issue is the phone time not properly synchronized after changing time zones. See:
https://support.google.com/accounts/..._topic=2954345

Quote:

My Google Authenticator codes don’t work

It may be because the time isn’t correctly synced on your Google Authenticator app.
To set the correct time:

On your Android device, go to the main menu of the Google Authenticator app.
Tap More Settings Time correction for codes Sync now.

On the next screen, the app confirms the time has been synced. You should be able to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date & Time settings.

For the iPhone see:
https://www.guidingtech.com/fix-goog...orking-iphone/

Quote:

On the app's Android version, there's a 'Time correction for codes' section where you can easily fix the app's time sync error by tapping the Sync now button. However, things are wired differntly for iOS. Sadly, you cannot fix time & date sync errors directly in your iPhone's Google Authenticator app.
However, you can ensure that your iPhone's 'Date & Time' settings are configured to update/sync automatically. That way, the Authenticator app's time will also be synced.Here is how to configure automatic time update/sync on iPhone.
Step 1: Launch the iPhone Settings menu and select General. ...

Bill

hadaso · 20 Dec 2020, 04:57 PM

Quote:

Originally Posted by TenFour

You can use your Android phone as the security key too! https://support.google.com/accounts/...DAndroid&hl=en

This requires Bluetooth on both devices, so it wouldn't work with my office PC, which is the main reason I use 2FA. And the main reason I am inquiring now about 2FA is that I lost both my security key and my phone, and I don't want to depend on the very old phone I'm currently using as the only method of accessing my accounts.
Of course I can use an authentication app on my phone with no need for Bluetooth, and it would provide the same level of security as using it with Bluetooth.
Actually my main question is if there is any value for a Fastmail + several popular services (e.g. Google, Dropbox) in the more expensive line of Yubikey security keys, or if there's nothing I would miss if I buy their cheaper line, or if there are security keys from other sources that are cheaper and people are satisfied with. Of course the descriptions of the products lists lots of features and protocols supported only by the more expensive line, but I don't understand the technical terms enough to know if any of this is useful. With the lod key I just followed fastmail's setup instructions and then used it, and never added any other service because I was not sure if it might interfere or compromise the security of the setup with FastMail.

Trogdor · 5 Jan 2021, 03:52 PM

Quote:

Originally Posted by TenFour

That's one reason I prefer to use an authenticator app on the phone and/or in a password manager. Bitwarden for example can generate codes for 2FA and will store the key used to generate the code. Even if you lose your phone you could log in via the web interface and retrieve the codes. In my experience, losing anything, including security keys is highly likely to the point that it is not really useful. I tried for awhile, and I found that on a regular basis I was leaving it plugged in at work if I was at home or at home if I was at work, or I would attach it to my car keys and then walk to work and not have it. I can just imagine myself flying off on vacation and leaving it on my key ring at home.

Agreed, that is why I use my password manager to store MFA codes. I realize it is not the most secure way to do it, but it is the most robust against the single point of failure that is a hardware key. The password manager syncs the MFA credentials across devices, so if my phone is lost, I can enter valid MFA codes using my iPad or Mac with no further effort.

Of course, in case I lose any device, to protect the credentials, on all my devices the password manager itself is behind two levels of security: Whole device encryption, and the password manager's own password.

Back story: I rejected Google Authenticator when I read reviews that it would not sync to other devices (though it does now), so I used Authy for a while. For multi device access, I originally tried to set up MFA on web sites on Authy for each device separately, but realized that was a mistake because setting up the second device invalidated the first. Next I fixed that by using Authy's sync feature (one MFA authorization synced to phone, tablet, and Mac). But when I discovered that my password manager supports MFA, I went to that right away because it is the fastest way to both set up MFA (it reads the QR setup code) and enter username, password, and MFA with the least number of mouse clicks/keystrokes. It can LAN sync (no cloud) the credentials among my devices, so MFA is easily used on my phone too.

I still securely keep the one-time emergency codes for any website I set up MFA on, but since it is unrealistic (and possibly quite insecure) to expect to pack a printed list of MFA codes into luggage for travel in case of device loss or failure, all I have to do now is travel with at least two devices out of my phone, tablet, or laptop and I will be able to use MFA with a secured backup available.

There is one financial account that uses a hardware key, and I hate it because I am not taking that key everywhere, and it is never quite where I want to use it.

TenFour · 5 Jan 2021, 07:30 PM

General comment on security. I think all of us, myself included, suffer from worrying about the wrong things a lot of the time. For example, the idea of a security key ignores the very real problem of losing the key/keys or the even more likely scenario of leaving the key plugged into a computer you were using. In the end if something isn't convenient enough people won't use it, and that lessens security. I think of it this way--how often have you lost your car or house keys? That's what is likely to occur with your security key.

NumberSix · 10 Jan 2021, 01:07 PM

Quote:

Originally Posted by hadaso

So I wander if I really need something like the Yubikey 5 NFC that costs 45$ (the cheapest in the Yubikey 5 line) and what benefit it provides over the 25$ Security Key NFC by Yubico , if at all, to a FastMail user. Or perhaps there are cheaper comparable alternatives that people here would recommend?

Lots of discussion and advice here, but it seems to me you liked your Yubikey and just want to replace it. I'm a Yubikey fan... have been using my two keys (two for backup is essential) for years now with no problem, for both Fastmail and Facebook. One of my keys is a rather old Yubikey Plus, which has OTP (which I need for work), but FM and FB both use U2F, and the cheap blue key you've referenced which does U2F will suffice for both of these sites (and also Google AFAIK). I'd say if the more expensive product doesn't have some killer feature you need, then don't bother.

NumberSix · 10 Jan 2021, 01:17 PM

Quote:

Originally Posted by hadaso

...or if there are security keys from other sources that are cheaper and people are satisfied with.

I would just add... a while ago I ran across another company making similar hardware token products that looked popular and inexpensive, but when I dug deeper, I found it was a Chinese company. No sireee... *closes tab*

Sorry... can't remember the name now, but the Chinese origin was not hidden, so just be careful who you buy from.

Quote:

With the lod key I just followed fastmail's setup instructions and then used it, and never added any other service because I was not sure if it might interfere or compromise the security of the setup with FastMail.

If you're using the U2F protocol, you don't need to worry about this. U2F is designed (as I understand) to allow you to use the same token with multiple services with ZERO possibility of security breach between them. If you think about it, it would be a pretty useless security technology if it required you to carry around a separate token for every site that you use (and remember which is which!)

Final bit of advice

I use a "mini S-biner" to attach mine to my keyring... allows it to go on and off the ring very easily for use. Highly recommended! You can probably find them at your local home improvement/hardware store.

17 Dec 2020, 04:23 PM	#1
hadaso The "e" in e-mail Join Date: Oct 2002 Location: Holon, Israel. Posts: 4,847	Which security key After losing my Yubikey, and then a few days after having my phone sent to be repaired, I'm looking to buy a new security key, and perhaps more than one so I have at least one for backup, and perhaps some more for other family members. The real question is: which one. The old one that I lost (fell off my keyring) was one of the more expensive ones from Yubico. I probably got this one because Firefox didn't support U2F back then, And I thought I'd use the NFC capability (I never did). So I wander if I really need something like the Yubikey 5 NFC that costs 45$ (the cheapest in the Yubikey 5 line) and what benefit it provides over the 25$ Security Key NFC by Yubico , if at all, to a FastMail user. Or perhaps there are cheaper comparable alternatives that people here would recommend? Also, I would want to use the same security key for some other services (like google account, Dropbox, domain registrar etc.), but without it reducing the security of my Fastmail account (such as with using the same password).

18 Dec 2020, 07:58 PM	#6
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,734	General comment not specific to this question, but I have found there are some serious problems with how 2FA is handled with many companies. First is that no matter how great the security of the 2FA method there is often a much simpler and easier to hack method to circumvent the 2FA due to the fact that people get locked out all the time. For example, some companies will send an SMS code or email instead of the 2FA method, so it seems to me you are only getting the security level of the least secure alternate method of entry. Second is that there is a very likely chance you will get locked out of your own account due to bugs in the system or errors on your part. I nearly lost my Google account because I changed a phone number and Google would only send codes to my old number. Even though I had the alternate methods set up, including email, prompts on my phone, and one-time codes, Google would not present those alternatives to me. They would only send codes to the old phone number I no longer used. The third problem is just plain inconvenience. I have found that Yubikey code entry seems to fail as often as it works, and some systems just don't like them. Then you can lose the key like you did. Or your phone breaks. Or the key breaks. Etc. Edit: one additional problem cropped up recently for me. I changed a password on my phone. Stored it in my password manager. The phone would no longer accept either the new password or the old one and I was completely locked out. I am 100% certain I had the correct new and old passwords, but nothing worked. I ended up doing a factory reset on the phone. That indicates to me that sometimes there can just be a glitch in any system that can mean you might lose an important account, and 2FA indicates more points of tech failure. For example, one time when I flew from the US to Australia my 2FA codes would not work for some reason. I ended up locked out of everything even though I had the correct codes and the authenticator app on my phone. I ended up having to call back to the USA to get someone to look up my one-time codes stored in a safe location. Last edited by TenFour : 18 Dec 2020 at 08:05 PM.

17 Dec 2020, 07:55 PM	#2
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,734	You can use your Android phone as the security key too! https://support.google.com/accounts/...DAndroid&hl=en

19 Dec 2020, 10:35 PM	#9
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,734	My guess as to why the authenticator codes didn't work is that during the long flight across the Pacific Ocean the phone was not connected to the Internet, and then when I landed I didn't have Internet access for awhile because I needed to purchase a local SIM and get access. So, my guess is that the time on the phone was slightly off from UTC, therefore generating incorrect codes, meaning I couldn't login to my secure accounts. Also, complicating things was that both Microsoft and Google decided that since I was not logging in from a normal location something nefarious must be up and they locked me out. They would only let me back in if I could respond to an email or text message sent to my phone, which I couldn't do because I didn't have phone service either. Even when I did have phone service it was a different number, so SMS codes were no good. Of course I was on a business trip and not being able to access everything for a day was a huge pain. In any case, this was a lesson to me that one needs to take special precautions if you travel a lot and want to use Google and Microsoft services.

5 Jan 2021, 07:30 PM	#13
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,734	General comment on security. I think all of us, myself included, suffer from worrying about the wrong things a lot of the time. For example, the idea of a security key ignores the very real problem of losing the key/keys or the even more likely scenario of leaving the key plugged into a computer you were using. In the end if something isn't convenient enough people won't use it, and that lessens security. I think of it this way--how often have you lost your car or house keys? That's what is likely to occur with your security key.