IT: Hello! This is Roger from IT. We've identified a problem with your Okta access and we need to replace your company Yubikey. We've already mailed you a replacement, return your old Yubikey in the box that will have a return shipping label. Please write down your company email and Yubikey PIN on a sticky note and include it in the box so we can fully remove the old Yubikey from Okta. The delivery is scheduled for today so your work wont be impacted come Monday.
Primary storage ist via #bitwarden with a local #vaultwarden installation (both needs to be version 23.10 at least)
Secondary storage is a #yubikey 5 NFC which I carry with me. This one alllows me to use the passkey on my iPhone (iPad not tested yet)
Tertiary storage is another (cheaper) Yubikey which is deposited in a safe at home
Both Yubikeys are protected by a PIN which my wife knows. That way I canot lose access to my account and have taken precautions in case I become incapacitated.
But this setup requires quite some time for each web site to switch to passkeys. That's why I am so angry with companies like Paypal who make it practically unusable.
Only the YubiKey 5 series supports creating and storing passkeys ("resident WebAuthn credentials"), and you can only store 25 of them.
Also, non-passkey use of YubiKeys appears to no longer be [reliably*] supported by Google's Advanced Protection Program. You have to create a reliable passkey, then delete and re-add all of your existing keys (listed under "2-step verification only security keys"). Some of my keys are ... extremely offsite, so it will take time to restore my previous levels of redundancy.
I think I'm starting to understand how we got here, but I'm still unhappy that the benefits of the previous model - in which unlimited sites could be used with each security key, and U2F keys were backward compatible - are gone.
I also feel as though Google, Yubico, and others could have done a better job of communicating the consequences for advanced users ... in advance. Instead, Google searches for "2-step verification only security keys" currently only produce 5 results, which are Reddit threads full of commiserators and Google support threads like this one that are locked without response:
* Once any passkeys use is enabled, some APP users (including me) can sometimes do a fresh Google login from scratch on a new device with only a security key .. but other times, any "2-step verification only" key you try is rejected as unrecognized. I do not know what the variability is - and the forums are full of people with similar complaints.
UPDATE: On further testing, and based on reports from others on the side, it may be that the symptoms I (and the folks in the forums) experienced were a problem for the first few months at launch, but may have been fixed. It last failed for me about a month ago, but I'm unable to recreate from Incognito. But since Google uses many signals to determine how to prompt for what kind of MFA, I am not at all confident that I will be able to use non-passkey security keys from a fresh computer in a new geographic location away from my phone. If Google fixed something , I do wish they'd say something about it somewhere, so that I can key with confidence!
Update 2: a friendly, authoritative reply that we don't think anything has changed, so the symptoms are still mysterious (and maybe more common if a PIN is set on the key?): https://infosec.exchange/@skarra/111309708728390341
Update 3: And to head off some side questions - this doesn't diminish my YubiKey fanboy-ness. :D I do see the trade-offs, and the middle ground for me will probably look something like storing my "top 20" critical passkeys on YubiKeys, and keeping all the others in a password-management layer.
Wow, the comments on my article on #Passkeys in the German #iX/#heise has shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys
It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)
Ich versuche (verzweifelt) meinen Passwortmanager #strongbox gerne auf nem iOS mit nem #Yubikey 5C NFC absichern und brauche dabei etwas Hilfe. Vielen lieben Dank schonmal 🙂
Gerne auch ein Boost
Got SSH #Yubikey logins working natively in Windows Terminal. Pretty slick vs depending on #Kleopatra and Remote Desktop Manager (slow) But still think processes are... Unclear. So, when you create the key, it requires a Yubikey PIN. But when you use it to login, the PIN isn't needed. Guessing it's a setting somewhere. Why wouldn't you require the PIN - because the key pointer file is required (2nd factor)? https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html #SysAdmin#MSP#SSH#WSL
It goes into details of managing PGP keys on a YubiKey, and how we can use that to SSH into machines with a single physical token.
This is not something I've seen fully documented anywhere, and some details are #FreeBSD-specific; if you try following them and need help getting things to work on #Debian-based systems: do reach out. It can possibly take me less to reply than for you to find the answer :-)
Wir verlosen unter den auf der #BDK23 gewonnenen Neumitgliedern gerade die ersten #Yubikeys für einen einfacheren Zugang zum Grünen Netz, @maltespitz (dritter von links) ist dabei unsere Losfee. Die Gewinner*innen werden über die #Chatbegruenung kontaktiert.
Thunderbird GPG Ready - E-Mails verschlüsseln und signieren
Thunderbird bietet die Möglichkeit E-Mails mit OpenPGP zu signieren und zu verschlüsseln.
Das E-Mail-Programm bietet eine übersichtliche GUI zur Verwaltung und hilft damit dem Benutzer bei der Einrichtung und der Arbeit mit der Verschlüsselung.
How do #NFC enabled devices like the newer #Yubikey devices work? ⚡
Do they have some kind of magic chip that gets powered over NFC and performs #encryption stuff, or is it more of a standard read/write tag with the computer/phone/reader device doing most of the work? 💳
(If the latter then is there a danger of other people bringing a scanner nearby and swiping your key?) 🔑
This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a #Yubikey for #SMIME or #GPG signing on #iOS & #iPadOS, but can't find:
Any documentation about how to integrate it with Apple Mail.
Anyplace that offers #x509 certificates for S/MIME at zero or minimal cost the way @letsencrypt offers free #SSL certs.
Self-signed S/MIME certs are a non-starter, and there are no full-featured #OpenPGP apps on iOS. Suggestions?
In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐
No need to worry about compatibility when making the jump to a new authenticator app.🤹
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.