Yubikeys

Amelith Nargothrond

Mar 22, 2017
I bought my first one many years ago, a FIDO U2F key for Google, mainly because I was curious about it.
And then I bought the classic one, and then the NFC version...

Now I am using them just about everywhere, from Windows logins, PIV authentication, certificates, to 2FA (with the Yubico Authenticator installed on my phone and the NFC feature of the key).

Yubikey references & customers: References and Case Studies | Yubico
One very cool book describing some Yubikey use cases: Yubikey Handbook · GitBook

What are your thoughts about them? Are you/your company using Yubikeys? If so, which one and for what/how?

Parsh

Dec 27, 2016
Yubico seems to have big players as their clients.
Though I'm reading about the company for the first time, they seem to provide interesting and critical h/w and s/w security solutions.
They have their HSM 2 under beta calling right now!

@Amelith Nargothrond have you thought of Yubikeys for your office or your clients?
It will be great if you can share a short review while others do too. It looks like a nice set of solutions to know about. Thanks for the share :)

Amelith Nargothrond

Mar 22, 2017
All my guys are using them. But... as far as my clients go, only a very few are using these keys, and 99% of them are not noobs.
You have a very big disadvantage: discipline is required. Being physical devices (one more thing to take care of), you have to carry them with you everywhere (attached to your keys, for example, but only if you have 1-2 keys, otherwise the whole thing gets too heavy for USB ports). But if they are not attached to your keys, you can misplace them, lose them, forget about them... and then downtimes.

Sure @Parsh, it will be my pleasure to review them. I can't right now, as I am a little busy, but soon.
You're very welcome, I'm glad you are interested in them, they are very cool little-big devices :)

Parsh

Dec 27, 2016
Sure they look pretty useful and mature for some requirements like yours I assume.
Yes, no hurry :) I'm sure we'll learn something nice about it from your experience.
I wasn't aware such ingenious little devices have so much to offer on the go!

aragornnnn

Aug 18, 2016
I'm using a Yubikey 4 for Dropbox, all Google services, Lastpass and all Microsoft things.
Bought it because it's so much faster than authenticator apps.
In the time it takes you to find your phone, I have logged in on all those services 10 times already :)

Amelith Nargothrond

Mar 22, 2017
You're so right. Yubikeys are, beyond advanced fast security made as simple as touching the key, almost like a culture, a means to education and discipline. I love it.
The US Department of freakin' Defense is using it (and many other governments and government-related agencies). Obviously, advanced implementation technologies and a lot of knowledge are needed in some cases. But noob users can also benefit from it, if only they could take care of them. My life would be so much easier.

Danielx64

Mar 24, 2017
I'm not using one, and if I were to, I might have issues getting the system going on public PCs. Having a copy of WinAuth solves 99% of my problems.

Solarlynx

Apr 30, 2012
I don't use it as it's hardware. I can't think of adding it to my bundle of keys. So I have to use the Google and LastPass authenticators on my phone.

askmark

Aug 31, 2016
How easy is it to set up a Yubikey to authenticate a Windows domain login?

Amelith Nargothrond

Mar 22, 2017
In short: not that easy (depending on your experience)...

Here's their help to get started (sysadmin side): https://www.yubico.com/wp-content/uploads/2016/03/YubiKeyPIVDeploymentGuide_March25_2016_FINAL.pdf

Here's the user side of things:

But you can integrate Yubikeys with Duo (for example), which is easier (and costs money for more than 10 users)...

askmark

Aug 31, 2016

Thank you. The Duo route does look easier and the pricing is pretty reasonable too.

I'd not heard of Duo before, so thank you for mentioning it. It could replace our need to use 2FA with the VPN client we use for our laptop users. It uses a hardware token and has no mobile support. Users are always losing them, as they are bulky, so people are reluctant to attach them to their keys.

Amelith Nargothrond

Mar 22, 2017
As a first step, if you would like to try the system out (highly recommended), buy just one Yubikey. Try both AD smartcard logins with the Yubikey and Duo as well.

Personally I don't like being dependent on third parties - services, software, cloud - (even though it has many more features), so my first choice would be Yubikey as a smartcard.

You're welcome :)

askmark

Aug 31, 2016
Yeah, I'm the same, I don't like relying on third parties either. I will definitely try what you suggested and test the process with one key first.
How robust is the Yubikey itself? They look a bit vulnerable to damage, especially if they are on your key chain.

Amelith Nargothrond

Mar 22, 2017
This is how they advertise them:

YubiKey: Crush and impact resistant — stands up to abuse

Analysis: Other authenticators can’t take the same level of abuse as the waterproof, crushproof, and hermetically sealed YubiKey. In addition, the YubiKey does not have a battery or moving parts.

I found this to be true. My first one, after many years, looks like new. I never attached them to my keychains though, but to a neck strap, with an ID/access card and some flash drives.

More details on build quality here: How do I store my YubiKey? | Yubico
More features of the Yubikey: Authenticators Features Comparison | Yubico

Myriad

May 22, 2016
On the face of it, enforcing Yubikey use for all employees looks like a no-brainer.

But for me there is another aspect to the security angle.
Picture these two scenarios in a typical corporate environment:

a] all staff must use Yubikey (or FIDO or similar)

b] all staff are expressly forbidden to plug in ANY device

I have worked in scenario (b) and it certainly makes it that much easier to spot when someone breaks the rules and plugs in a USB.
(The target of Stuxnet had this type of policy in place, but it didn't protect them!)

But in scenario (a) it would be NORMAL to see staff plugging in USB devices all of the time.
So a physical USB attack by someone with a Rubber Ducky/Bash Bunny would not particularly stand out.

Two things that experience has taught me:
1] The more trusted any security system/protocol is, the less it is scrutinized, and the more vulnerable it becomes.
2] NEVER underestimate the stupidity of the end-users of the so-called "secure" system.

Just a thought..... I'm not bashing Yubikey in any way.
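The point raised above (once authenticators are sanctioned, USB insertions stop being a signal by themselves) is usually answered by allowlisting the sanctioned devices and alerting on everything else. The following is an added example, not code from the thread or from Yubico: it parses Linux-kernel-style USB enumeration log lines and flags devices whose vendor/product ID is not on an authenticator allowlist. The log lines are constructed, and the allowlist entry (idVendor 1050, idProduct 0407) is an assumption to be checked against your own device inventory.

```python
"""Flag USB device enumerations that are not allowlisted authenticators."""
import re
from dataclasses import dataclass

# Allowlisted (idVendor, idProduct) pairs, lower-case hex as the kernel prints them.
# 1050:0407 is ASSUMED here to be a YubiKey with OTP+FIDO+CCID enabled;
# confirm the IDs of your own fleet before relying on this list.
AUTHENTICATOR_ALLOWLIST = {
    ("1050", "0407"),
}

# Matches the enumeration line the kernel logs for every new USB device.
USB_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)


@dataclass(frozen=True)
class UsbEvent:
    port: str
    vid: str
    pid: str


def parse_usb_events(lines):
    """Extract (port, vid, pid) from enumeration lines; other lines are ignored."""
    events = []
    for line in lines:
        m = USB_RE.search(line)
        if m:
            events.append(UsbEvent(m["port"], m["vid"], m["pid"]))
    return events


def unexpected_devices(lines, allowlist=AUTHENTICATOR_ALLOWLIST):
    """Return events whose VID/PID pair is not an allowlisted authenticator."""
    return [e for e in parse_usb_events(lines) if (e.vid, e.pid) not in allowlist]


# CONSTRUCTED sample log: two allowlisted authenticators and one unknown device.
SAMPLE_LOG = [
    "usb 1-1: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43",
    "usb 1-1: Product: YubiKey OTP+FIDO+CCID",
    "usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00",
    "usb 2-3: Product: Unknown Storage Device",
    "usb 1-2: New USB device found, idVendor=1050, idProduct=0407, bcdDevice= 5.43",
]

if __name__ == "__main__":
    for e in unexpected_devices(SAMPLE_LOG):
        print(f"unexpected USB device on port {e.port}: {e.vid}:{e.pid}")
```

In a real deployment the same check would run over journald or the System event log rather than a list, but the allowlist logic is unchanged.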
