Thursday, December 20, 2018

YubiKeys are neat, but have very limited support at the moment.

By Steve Endow

TL;DR: If you're a typical computer user, save your money and do not purchase U2F keys at the moment.  The technology is promising, but adoption is still so limited that it probably doesn't make sense for most people to use U2F on just one or two accounts.

January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack.

This type of attack can apparently defeat most, if not all, code-based 2FA systems.  The article only mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys."  I am not sure if the author meant inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.  This YubiKey article explains that U2F prevents authentication with a fake phishing site, but does not appear to directly address the MITM proxy attack used by the Modlishka tool, which accesses the real Google site.

If anyone has information indicating that U2F validates the URL and/or can prevent a MITM proxy attack, I would love to read about it.
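As an added illustration (not from this post or from Yubico) of the origin binding that the YubiKey article's phishing claim rests on: the browser, not the page, writes the origin it is connected to into clientData, and the relying party checks that origin against its own appId and checks that the token's signature covers exactly that clientData. The token's ECDSA signature is modelled with HMAC so the example runs on the standard library alone; all hostnames, keys and challenges are constructed.

```python
import hashlib
import hmac
import json
import struct

# Constructed values; a real U2F credential uses its own ECDSA P-256 key pair.
APP_ID = "https://accounts.example"
CREDENTIAL_KEY = b"constructed-per-credential-secret"

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser builds clientData itself and stamps in the origin it is
    actually connected to; page script cannot choose this value."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()

def token_sign(app_id: str, counter: int, client_data: bytes) -> bytes:
    """Stand-in for the token's ECDSA signature (HMAC so it runs on the stdlib) over
    the U2F layout: SHA-256(appId) || user-presence || counter || SHA-256(clientData)."""
    signed = (hashlib.sha256(app_id.encode()).digest() + b"\x01"
              + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())
    return hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()

def relying_party_verify(client_data: bytes, signature: bytes, counter: int,
                         expected_challenge: str) -> str:
    """Checks the relying party runs on the browser's clientData and the token's
    signature; returns 'accept' or the reject reason."""
    data = json.loads(client_data)
    if data.get("challenge") != expected_challenge:
        return "reject: unknown challenge"
    if data.get("origin") != APP_ID:  # origin binding: the phishing-resistance step
        return "reject: origin mismatch"
    if not hmac.compare_digest(signature, token_sign(APP_ID, counter, client_data)):
        return "reject: signature does not cover this clientData"
    return "accept"

def proxy_scenarios(challenge: str = "constructed-challenge") -> dict:
    """Direct login versus a login relayed through a look-alike host."""
    direct = browser_client_data(APP_ID, challenge)
    results = {"direct": relying_party_verify(direct, token_sign(APP_ID, 1, direct), 1, challenge)}
    # The user's browser is connected to the look-alike host, so that is the origin it records.
    relayed = browser_client_data("https://accounts-example.test", challenge)
    sig = token_sign(APP_ID, 2, relayed)
    results["relayed_as_is"] = relying_party_verify(relayed, sig, 2, challenge)
    # If the relay rewrites the origin before forwarding, the signature no longer matches.
    rewritten = browser_client_data(APP_ID, challenge)
    results["relayed_rewritten"] = relying_party_verify(rewritten, sig, 2, challenge)
    return results
```

In a real browser the check happens even earlier: the U2F client refuses to ask the token for a signature when the page's origin is not a permitted facet of the requested appId.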

I read about physical USB security keys quite a while ago, but it wasn't clear to me exactly how they worked and I couldn't fully understand the value that they provide.

They go by various names:  'security key', 'USB security key', U2F, or FIDO.  And then there are specific brand names for the keys, such as YubiKey (by Yubico) and Titan Security Key (by Google).

I had previously considered trying one, but couldn't figure out what I would use it for, until last month when Troy Hunt wrote an article on how he researched Google's new Advanced Protection Program and how it uses U2F.

The article is very informative and speaks well to how easy it is to setup the U2F keys.

Shortly after, I read some announcements claiming that Microsoft had added YubiKey support to Microsoft logins. Awesome, right? (I failed to read the fine print)

So I decided to buy some and give them a try.

The reviews I read about Google's Titan keys were mixed. While they are more economically priced, the key fob version is apparently cheap plastic that can fall apart or break if dropped.

So I decided to pay more and get the YubiKey version, which appears to be much higher quality.  And that's where the first issue becomes obvious.

YubiKey "5" series keys are $45 to $60 each, depending on the model.  And since you should ideally have 2, that's roughly $100 to invest in U2F authentication.  Compared to using the free Google Authenticator or Authy apps, spending $100 to securely login seems pretty crazy.

Google's Titan Security Key bundle is only $50 for two keys, so it's a relative bargain by comparison.  But that's still $50.

And then I wondered: I have a desktop, laptop, iPhone, and iPad--so I need to be able to have a YubiKey available for those devices, right?  So I decided to get two Nano keys, one NFC key, and one USB-C key.  This was my first mistake.

As I later learned, despite claims that the YubiKey 5 NFC works with newer iPhones, there is essentially zero app support for NFC authentication on the iPhone.  The only app I have seen that claims to offer NFC U2F authentication is LastPass, which I don't use.  So it is still very early in terms of mobile support for U2F, and it will probably be several years at best before I ever get to use NFC on my iPhone.

So a week later, my YubiKeys arrived.

I wanted to try different versions, but...

Setting them up and adding them to my accounts was surprisingly simple and easy.  Just as easy as adding Google Authenticator to an account.

In just a few minutes, I was done adding my new YubiKeys to all of my accounts.

And by "all" of my accounts, I mean Google and Twitter.  Yup, all 2 accounts.

Google supports multiple security keys, which is critical for proper U2F implementation

Twitter supports U2F, but only allows one key, and as a result...

Twitter does NOT allow you to disable other 2FA methods.

That's it.

Those are the only two services that I personally use that directly support U2F authentication.

Oh, wait, I almost forgot.  What about Microsoft and the grand announcement for YubiKey support?

Of course I didn't bother to actually read the full article before I purchased my YubiKeys, otherwise I would have learned that Microsoft's YubiKey support is useless for 95% (or maybe up to 99%?) of users.

Here's the deal killer in two parts:

"the latest update to Windows 10 (version 1809) and existing native support in Edge"

So you first have to have version 1809 of Windows 10 installed.  This is the infamous October 2018 update that was pulled due to bugs.  Turns out that I don't have 1809 installed on either my desktop or laptop, and I'm in no hurry to install it.  Sure, eventually people will install it and get the U2F support, but then...

Apparently U2F for Microsoft logins is only supported in the Microsoft Edge browser.

Say what???

I'm sure there are several technical reasons why they did this--like not being dependent on Google to not do something that breaks Chrome for MS logins, for one.  But by only supporting the Edge browser, I'm guessing Microsoft has pretty much sidelined U2F for the vast majority of Windows users.

So this discovery was quite a let down, and made it clear that I had wasted $200 on YubiKeys.

But Steve, haven't you seen that the YubiKey site has a long list of services that supposedly support YubiKey authentication?

Yes, I've seen it, but there are three issues with that list.

1. I've never heard of most of those services. Perhaps they are large organizations or enterprise focused security solutions, but most are clearly not consumer brands.  YubiKey could list a thousand of those, and it wouldn't make a YubiKey any more valuable for me.

2. Some of the services they do list do not actually support U2F or YubiKey.  One example is Kickstarter.  Although Yubico claims that Kickstarter supports 2FA with YubiKey, I don't see any way to add a hardware key to my Kickstarter account--only an option to add Google Authenticator for 2FA (Perhaps using a Facebook account with U2F to login to Kickstarter is why they listed it?).  And Blogger is listed, but only because Blogger uses Google Account authentication--so it's really Google providing the U2F support.  Same thing with Dropbox--if you are using a Dropbox login (instead of a Google login), you cannot use U2F and have to use Google Authenticator or SMS for 2FA.  So be wary of claims of U2F support--it may only be supported if you use Google Account or Facebook authentication, which I personally avoid whenever possible for security reasons.

3. Apparently U2F support is only provided by desktop web browsers at the moment. Google Chrome supports U2F by default.  Firefox apparently has U2F support, but it is disabled by default, and you have to manually enable it via about:config.  Opera apparently supports it as well.  And I already discussed Edge.  This immediately rules out using U2F for mobile devices at the moment.  And I haven't found any desktop applications that directly support U2F.

And because the U2F implementations appear to be browser-specific, you must use the "correct" browser for a given service.

If you like Microsoft Edge, you will not be able to use U2F to login to your Google account, as this message demonstrates.

Different services, different browsers

So based on my journey so far, here are my conclusions:

1. U2F / FIDO is a neat technology that appears to be very simple and easy to use with the relatively few services that support it.

2. The U2F keys are currently too expensive for widespread consumer adoption, and don't provide enough value to average consumers to justify the price.

3. There is very limited support for U2F at this time, and it will probably be at least a few more years before adoption becomes meaningful.  But if we are stuck with browser-specific U2F implementations, that will further limit adoption.

4. Complete lack of mobile support for U2F is a deal killer for most users.  This will need to be addressed in order for U2F to become viable for mass adoption.

5. At the moment, free 2FA apps like Google Authenticator are more practical than U2F.  However, there are attacks against app-based authentication, so if those types of attacks become as mainstream as SMS 2FA attacks, I suspect that will be the catalyst that drives us to start adopting U2F.

6. If a service supports U2F but doesn't allow you to add more than one key, and doesn't allow you to disable less-secure 2FA methods, I question the value of U2F.  Similarly, if services only support U2F by allowing Google or Facebook authentication, I don't consider that U2F support, and don't believe that improves user security.

So I would recommend saving your money and waiting to see if U2F adoption improves before buying these hardware keys.
