I will try to keep it updated ;)
-----------------------
version: 2019-05-28
Steps to secure your digital life with Password Manager and Security Key
TLDR
1 - buy 2 (TWO!!!) security keys compatible with FIDO U2F to secure your password manager and email accounts using 2nd factor authentication. Bonus points for NFC capability, so you can also use them with your smartphone.
2 - install a password manager extension/addon in your browser
3 - register* both keys in the password manager
3a - register* both keys in your e-mail account
4 - print the Recovery Codes for the e-mail account and the password manager
5 - place 1 security key + the printed Recovery Codes (inside a ziploc bag) in the safe
6 - use the other security key in your daily life
* Some sites, cough cough Google, require you to use Chrome
Why use a Password Manager?
You often read in the news about a new data breach where the personal info of thousands or millions of users was exposed/stolen. If you registered on one of these sites there is a good chance your username, email and password got exposed.
Depending on the safeguards implemented by each site, your password could even be exposed as plain text. A malicious person could take that password and try to gain access to other accounts under your username/email. If you reuse the same password on other sites you are screwed big time.
So it's paramount to give each site a unique password. It's just impossible to keep track of dozens or hundreds of unique passwords from memory. Password Managers (PM) are the best solution to this problem: they create unique passwords for you and organize them in a single place.
The natural form for a PM is a browser extension/addon, because most likely what you want to keep track of is online accounts.
Another interesting feature of a PM extension/addon is protection against phishing (fake sites): the PM checks whether any saved password is associated with the site you are visiting, and if the site address doesn't match, the auto-fill option is NOT offered. Humans can be deceived into thinking the current login form belongs to one site, but a password manager won't fall for that so easily, e.g. https://www.youtube.com/watch?v=nq1gnvYC144 So watch out if your PM doesn't fill a form for you!
One weakness of PM extensions/addons is that they are online services, so an attack against the service provider can come from anywhere in the world. The importance of adding an extra layer of defense beyond just a login and password can't be overstated. Here enters two-factor authentication.
- https://en.wikipedia.org/wiki/List_of_data_breaches
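The site-matching check described above, as an added example (not code from the post or from any password manager): a Node.js sketch of the auto-fill decision, with a constructed vault and hypothetical function names. It parses the real page URL so that lookalike domains, "trusted-name.evil.example" suffixes and "trusted-name@evil.example" userinfo tricks all fail the match.

```javascript
// Constructed vault: each entry remembers the base site it was saved for.
// (A real manager usually keys on the registrable domain via the Public Suffix List;
// here the stored site already is the base domain.)
const VAULT = [
  { site: 'https://google.com', user: 'alice', password: 'constructed-secret-1' },
  { site: 'https://paypal.com', user: 'alice', password: 'constructed-secret-2' },
];

// True when `host` is `base` itself or a subdomain of it (login.paypal.com -> paypal.com).
function sameSite(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Return the vault entries a manager may offer on `pageUrl`, or [] when nothing matches.
function matchingEntries(pageUrl, vault = VAULT) {
  let page;
  try { page = new URL(pageUrl); } catch (e) { return []; }   // unparseable: never fill
  // Only fill on encrypted pages: a manager must not hand a saved secret to plain HTTP.
  if (page.protocol !== 'https:') return [];
  return vault.filter((entry) => {
    const saved = new URL(entry.site);
    // URL parsing yields the *real* hostname, so "https://paypal.com@evil.example/"
    // is compared as evil.example, not as paypal.com; "paypa1.com" simply differs.
    return sameSite(page.hostname.toLowerCase(), saved.hostname.toLowerCase());
  });
}

// The user-visible outcome: does the manager offer to fill anything here at all?
function willAutofill(pageUrl) {
  return matchingEntries(pageUrl).length > 0;
}
```

When `willAutofill` is false on a page that looks like your bank, treat that as the manager telling you something.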
What is Two Factor Authentication?
Sometimes also known as Two-Step authentication, it's the use of an extra element/step to authenticate to a system. Beyond your usual username and password, the system/site requires a 2nd element/authenticator to identify you. In our case here we are focusing on a physical device (a security key).
Other examples of 2nd factor authenticators: a code generated by Google Authenticator (TOTP), a code sent by e-mail or to your cellphone via SMS.
- https://www.youtube.com/watch?v=v-GvJJEG9sw
- https://www.youtube.com/watch?v=NEDeL3Q4WvI
Why a security key and not other alternatives?
SMS & Apps on Smartphone:
- Smartphones depend on a battery to work.
- Smartphones break easily
- Thieves like to target shiny smartphones
- The SIM card can be cloned (via social engineering... the telecom transfers your calls/SMS to a new phone/SIM card without proper background checks).
- If you lose your smartphone, good luck trying to access accounts that use Google Authenticator (GA has no backup option, it's tied to the phone).
What is U2F?
Also known as FIDO-U2F, it's an authentication standard used in physical hardware security keys.
There are many standards out there from different organizations e.g.:
- FIDO-U2F (Universal 2nd Factor)*
- OATH-TOTP (Time-based One-time Password)** e.g.: by Google/Microsoft Authenticator
- OATH-HOTP (HMAC-based One-time Password)
- Yubico OTP (One-Time Password)***
* FIDO = FIDO (Fast IDentity Online) Alliance, an industry consortium responsible for two authentication standards: U2F and FIDO2.
** OATH = Initiative for Open Authentication, an organization that specifies two open authentication standards: TOTP and HOTP.
*** Yubico = the company that created its own standard and popularized the use of security keys.
Password Managers Extension/Addon
The purpose of a password manager is to organize your passwords in a single place. The main advantage of a manager is that it creates a UNIQUE password for each site without you needing to remember them. You just memorize a single Master Password that locks/unlocks the application; creating passwords and filling login forms is done automatically.
There are many extensions available. But what we are looking for are extensions that use U2F keys to add extra security. Most services seem to offer the security key option only in the premium package.
Use U2F security key
- Bitwarden ($10/year) - it has a free version without security key feature
- Dashlane ($40/year)
- Keeper ($60 for 2 years)
Use Yubico OTP keys
- LastPass ($36/year) - it has a free version without security key feature
- 1Password ($36/year)
I don't recommend these password managers because they lack support for U2F keys. They only accept Yubico OTP (One Time Password) as a security key. (Rant: For years, we paying users have requested the implementation of FIDO-U2F but nothing has been done so far about it). More and more sites are implementing the U2F standard as the security key device.
Depending on your YubiKey version, according to the Yubico website, you can use multiple protocols at the same time. But I don't have much knowledge about this feature because I don't have this key version (I'm accepting donations, Amazon doesn't ship YubiKeys to my country lol).
How the login process will work?
You just need to do one extra step in the normal login process:
1 - type your login and password
2 - the program/site asks for the key: insert the key in the USB port and press the button on the key ___ OR ___ hold the key next to your smartphone's NFC sensor (caveat: you need to use Yubikey OTP for NFC if you want to use the native APP)
3 - you are in.
Password manager & Security Key
Something you need to understand about password managers is that the security key is NOT used to encrypt the passwords. The only purpose of the security key is to tell Bitwarden/Dashlane/Keeper/LastPass/1Password that you are the owner of that account, so they let you download an encrypted file to your computer. On your computer, the actual decryption of that file (where your passwords are stored) happens using the Master Password.
It's your Master Password that secures your passwords, not your security key. Make sure your master password is really strong! If someone hacks the service provider's server and gets the encrypted file, the master password is the last line of defense.
Where to Buy?
USB
https://www.amazon.com/Yubico-Security-Key-USB-Authentication/dp/B07BYSB7FK/ (U2F, FIDO2) $20
https://www.yubico.com/product/security-key-by-yubico/ (U2F, FIDO2) $20
USB + NFC
https://www.amazon.com/dp/B07M8YBWQZ (U2F, FIDO2) $27
https://www.yubico.com/product/security-key-nfc-by-yubico/ (U2F, FIDO2) $27
https://www.yubico.com/product/yubikey-5-nfc/ (U2F, FIDO2, Smart card, Yubico OTP and more) $45
https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B01M1R5LRD/ (U2F) $17
KIT
https://store.google.com/product/titan_security_key_kit (2 keys) $50
1st key: U2F (USB + NFC)
2nd key: U2F (Bluetooth*, NFC and USB**)
* bluetooth is required to make it work with iphone, ipad (android devices without NFC or USB can probably work via bluetooth but I never tested)
** you need to plug in the USB cable provided to charge the device
Yubikey from Yubico
I personally recommend you to buy keys that support FIDO2 because FIDO2 is backwards-compatible with services that use U2F as 2nd factor.
Yubikey 5 series is FIDO2 compatible. Earlier versions, 4 series or NEO, are only U2F compatible, so pay attention to this fact when buying.
Google Titan & Feitian
A Google Titan key is just a re-branded Feitian key with a custom firmware.
- http://www.hexview.com/~scl/titan/
If this makes any difference to you:
Feitian: Chinese company
Yubikey: American company
U2F & FIDO2
U2F = FIDO-U2F
Google and Yubico developed the U2F (Universal 2nd Factor) standard together. Later they donated the code to the FIDO Alliance and U2F is now known as FIDO-U2F.
FIDO2
FIDO2 is the passwordless evolution of FIDO-U2F.
In the FIDO-U2F scenario, you usually need "username + password + security key" to login.
In FIDO2, you could use the key in 3 different ways:
- single factor (aka passwordless): just the security key to login, no username or password are required.
- 2nd factor: username + password + security key. The most common use.
- multi-factor: security key + PIN or bio-metric
It all depends on how the site/program implements it. Most services will probably just use it as a 2nd factor authenticator.
An example of a single factor authenticator (no username/pass, just the key) is available on Windows 10 (feature name: Windows Hello; US only, does not work with the yubikey 5 series).
* Why?
The answer is kinda long, bear with me.
Years ago... when U2F was created it was first implemented in Chrome by installing a hidden extension inside the browser.
Using a custom JavaScript library, a website could talk to the key through the browser using that hidden extension. It's like in the old days when a site only worked with Internet Explorer... the same sad story. Firefox keeps its "support" hidden because it's a hack that only partially supports U2F.
Today.
The World Wide Web Consortium (W3C), with help from the FIDO Alliance, created a new standard called the WebAuthn API, and the 3 major players (Chrome, Firefox and Edge) are backing it by including it in their browsers by default. Sometime in the future all websites that still use the U2F hidden extension inside Chrome will move to WebAuthn in their JavaScript code and your U2F key will finally work without this hack.
** At this moment, you probably need Chrome to register U2F keys in your accounts on most sites (password manager/google/github etc) because they still use the old U2F API (hidden Chrome extension hack). Let's hope these websites update their code and start using WebAuthn.
- https://support.yubico.com/support/...17511-enabling-u2f-support-in-mozilla-firefox
- https://www.imperialviolet.org/2018/03/27/webauthn.html
- https://en.wikipedia.org/wiki/WebAuthn
- https://www.microsoft.com/en-us/mic...uthn-reaches-candidate-recommendation-status/
Security considerations about Recovery Options
Let's take a google/gmail account as an example.
To create a google account you used a phone number and maybe an e-mail address. By default these will be used as recovery options to regain access to the account in case you lose the password. But each "recovery option" is an entry point for an attack: the SIM card in your smartphone can be cloned, and the recovery e-mail linked to your account can be hacked too.
So... It's recommended that you remove the recovery phone number and recovery e-mail address from your account. Make sure to print the emergency access codes and put them in your safe.
- https://support.google.com/accounts/answer/183723
Take your time to check which recovery options you selected for any site or service, including password managers.
In this case only the security key & backup codes are accepted as the secondary factor.
Last words
I repeat: Please buy at least 2 security keys. If you lose one, you can still use the 2nd registered key to access your data.
If you lose a key, remember to log in to your password manager and e-mail accounts to remove the lost key from the keys authorized to access the account.
Links
- https://twofactorauth.org/ List of sites that offer two factor authentication.
FAQ
Q: What password manager and key, are you using?
A: At this moment I'm using Bitwarden with a Yubico Security Key NFC (U2F, FIDO2 - USB/NFC) and a Feitian ePass (U2F - USB/NFC)
Q: I can't use my yubikey with bitwarden. Why?
A: If you are using Chrome, probably you tried to register your U2F key in the wrong place. The Yubico option refers to the Yubikey "OTP" (One Time Password) key, a different protocol. You should select the "FIDO U2F Security Key" option.