Main Content

Pressing YubiKeys

If you don’t work in tech but primarily work on your laptop, you probably should have a YubiKey. And if you work on a political campaign or as a journalist, you should definitely have one (or something similar). Talk to your IT Security department about that. This post will mostly be about something your IT Security department doesn’t want to hear about, though, so maybe don’t mention it to them.

YubiKeys act as two-factor authentication. This means that after you log-in to a system with your username and password, the system requires you to authorize in a second way as well. This way if your login credentials are compromised, the attacker would also have to compromise the second form of authentication, which is harder.

There are different forms of two-factor authentication - a common one is that a website will ask you to scan a QR code with the Google Authenticator app (or similar) on your phone which will generate 6 digit codes. The way this works is that the server and the app both have a shared secret. The phone generates codes based on that secret and the current timestamp and the server generates the same codes and sees if they match.

One of the features of the YubiKey is that the little metal strip determines that it is being tapped by a human - this prevents it from being accidentally triggered by bumping your laptop into something, but if you’ve ever seen a one-time password in a Slack channel or Google Doc like tlerefhcvijlngibueiiuhkeibbcbecehvjiklltnbbl, you know it isn’t a perfect system. I would estimate that 1 in 5 times that I attempt to trigger it, it doesn’t register.

A lot of thought has gone into ensuring that the YubiKey can’t be triggered from software on the computer itself.

Before we go any further, I’d like to acknowledge the reasons for this. If a remote attacker were to compromise your laptop, being able to trigger the YubiKey from software on the computer defeats the whole point of using the YubiKey. But I think we always make tradeoffs between security and convenience - for example, you often don’t have to enter your YubiKey every time you access a system, some systems will only ask you once and not ask you again on subsequent logins for a certain amount of time. When you use a 2FA system and it gives you “backup codes”, do you always print those out and store them in a safe location? Everyone should figure out what level of security and convenience they are okay with.”

Link to article