Yubikey - Is It Worth It?
Have you ever heard somebody say they were uncomfortable because they felt too secure? No, you haven’t.
I personally think of security as something that can free my mind, or at least, set it at ease. We all have those “What would happen if” moments, and I like to think I have those far too often. Am I just being too pessimist? Probably, I guess you could even say that I’m paranoid when it comes to passwords.
One of my password was leaked when I was younger, or rather, a game I had signed up on which couldn’t bother to hash passwords, got hacked and the database dump was released to the public. While I had a couple of different passwords and it was the most trivial of my password that had been leaked, I still had accumulated dozens of accounts under the same password. I changed that password on all accounts concerned, but clearly, things could have turned out worse. Fast-forward 10 years, we now have password managers to help us prevent situations like these from happening.
Password managers are absolutely wonderful. They allow you to generate long passwords with a combination of whatever you desire: lowercase and uppercase letters, numbers, special characters, even the length.
By far, my favorite password manager is KeePass. Not only is it free, it’s open source. Open source software are the safest you’ll ever find, because they’re open to the public, and you can make sure yourself that you’re using a software you can entrust your passwords to.
A password manager, as you might have guessed, manages password. That way, you don’t have to write down your passwords somewhere unsafe, and you don’t have to bother remembering dozens and dozens of different passwords, thus opening the door to using obnoxiously secure passwords that are way too long.
In other words, even if one of the websites you visit is hacked, and surprise surprise, they thought it was a good idea to store your password in plaintext, only that password will have been exposed, leaving all of your other accounts safe from harm. That’s definitely a huge leap from using one password for all your accounts.
There’s just one problem with using password managers: You still need a main password.
It’s not that much of a problem – remembering one password is clearly easier than remembering 300 completely randomized strong passwords – but if somehow, somebody gains access to your computer and manages to unlock your password manager, you are so f****d.
So your main passwords has to be secure, but it can’t be too hard, because if you forget it, you won’t be able
to find a Forgot your password? button on an offline password manager; you just lose all your passwords
with no way of recovering them. Security is sometimes a double-edged sword, as many password managers implement
key transformation, which transforms the key using a key derivation function (KDF) like Argon2 and AES-KDF,
to make brute forcing significantly slower. On one hand, it protects your password database from being hacked,
but on the other hand, you’ll have to face the same issue if you forget your password.
But there is an alternative, an alternative that will allow you to use a more easy-to-remember password while attaining an even higher degree of security.
Yubikey
The introduction of multi-factor authentication (MFA) was amazing to me, even more so the recent announcement about the successor of FIDO U2F, FIDO2.
I am the owner of two Yubikey 4 NFC, and using KeePass with a password as well as a Yubikey as second factor authentication has allowed me to feel at ease, since I know that even if I released my KeePass password database online, cracking it would be near impossible.
With over 300 services that supports Yubikey, including:
- AWS
- Dropbox
- Docker
- GitHub
- KeePass
It must be worth it, right?
Yes and no.
U2F adds a significant layer of security to the services you use it with, but while there are a lot of services that support U2F, the ones that really should don’t. There are barely, if any banks that support U2F. Even Paypal doesn’t support it. In a couple of years, I’m sure a lot more services will support Yubikey, considering that Yubico, the company that makes Yubikeys, is gaining a lot of momentum and popularity, but that’s still something to consider.
One of the biggest pros of U2F is the fact that it’s hardware, and cannot be stolen (though the secret certificates and keys generated when you first configure your U2F key can be stolen if they’re not stored somewhere safe).
Its biggest pro is also its biggest con: What if you lose it?
That’s why you can’t just own 1 Yubikey, you need a pair, so that if you lose one or it gets stolen, you can still access whatever services concerned and take appropriate measures.
You might be wondering,
What are the odds of losing a Yubikey anyways?
Much higher than you’d think, since if you want to access your Dropbox or your GitHub account at work or at school, you need to carry your Yubikey with you, which significantly bumps the odds of losing it.
I haven’t personally interacted with a Yubikey from the series 5 yet and there doesn’t appear to be any service that support FIDO2/passwordless, but this is also a huge flaw in the marketing of FIDO2. Not having to remember passwords is great, but if somebody gets a hold on your key, doesn’t that mean they also have access to all your accounts?
That’s one of the main reasons why I think FIDO2 won’t be embraced by companies as soon as they make it seem.
Regardless, Yubico, the company behind Yubikey, is gaining a lot of popularity. More so to the point, the popularity of U2F appears to be tied to that of Yubikey’s, as can be seen in the following graph extracted from Google Trends:
Also, it’s very obvious that the popularity of U2F skyrockets when Yubico releases a new product. Since many services pester its users to configure MFA (multi factor authentication), it isn’t surprising to see this increasing interest in U2F.
Conclusion
That being said, I think owning 1 2 Yubikeys is worth it.
Many core components of our society, such as banking and shopping, can now be done exclusively online. While convenient, the more we rely on Internet, the more we put ourselves at risk. Even the most experienced of us can fall for a phishing website if he/she didn’t get enough sleep last night. However, with the help of a Yubikey, only his password would be exposed while his account would remain inaccessible to the phisher, giving you time to change your password and learn from your mistake.
Regardless, if $100 is all it takes to save me the trouble of calling the phone number at the back of my debit card to report fraud and have my debit card canceled as well as a new one sent to me, I’ll gladly pay that small fee.