Twenty One. I have 21 accounts which use Two-Factor Authentication. I use the Authy app to manage them all, but it is still a pain to scroll through and find the exact 2FA token I need.
Sadly, the YubiKey is substandard and frustrating to use. Here's what I found.
First impressions count for a lot - and it is pretty disappointing. What you see in my fingers is literally all Amazon sent me. A fob and a bit of card. No instructions, no welcome pack, no getting started guide. What does the circle do? How do I use it with Android?
The plastic is cheap and doesn't look like it would survive in a pocket full of keys. In short, it looks like a freebie USB stick - not an expensive piece of security hardware.
OK, let's get started!
Linux Set Up
Do I need to do anything special to get it working on Ubuntu? Who knows - the Yubico pages literally just point to StackOverflow.
ID 1050:0116 Yubico.com Yubikey NEO(-N) OTP+U2F+CCID - so it seems to be detected correctly. So that should be fine, right?
When I push the button on the YubiKey, it spits out a 44 character password - all lower case characters. It's the same every time. Shouldn't this be unique, like a normal one-time code?
Fine, let's follow the steps needed to set up Facebook with a security key.
Ah... Turns out that U2F support will be coming to Firefox in Version 57 which is scheduled for release in mid-November.
OK, let's switch my browser to Chrome temporarily. That Firefox page alerted me to Yubico's demo server at https://demo.yubico.com/ (which isn't linked from anywhere on their main site). With that I was able to confirm that the key worked. I guess. I touched the button on the key, it autotyped the password and I was logged in. Yay?
I don't really understand what I did or why it worked.
The GitHub help pages give a range of scary warnings about setting up 2FA.
There are 12 steps to setting up a U2F key. Step one is setting up 2FA via an app - which is a 10 step process.
The short version is:
- Go to https://github.com/settings/two_factor_authentication/configure
- Give the key a name.
- Press the button on the key.
That's it! Pretty simple.
After logging in with a username and password, you get this screen:
I pressed the button and IT WORKED!
OK, so this key has NFC and therefore should work with Android. But how? There's nothing on the Yubico website.
I held the Neo against my phone, and it popped open the default web browser.
I don't understand what this screen is telling me. Apparently I have been "successfully authenticated" - but with what? I haven't typed in a password or given a user name.
identity - should I keep them safe? Private? Are they dangerous if they get leaked? Do I need them backed up?
Oh, great, yet another app I have to install, configure, and update.
The app is also substandard. The Android version only supports American and German keyboards.
The company encourages you to contribute new layouts to their open source project. But it, like the app, hasn't been updated since 2015!
Back to GitHub
So I tried GitHub via the Chrome browser on Android.
Nope. Just wouldn't work. I held the key to the phone, the app copied the 44 character password, I manually pasted it in. And I got this error, repeatedly. My 2FA codes from Authy worked fine.
I don't know how to fix that.
The other app
There is another app! It isn't linked to from the default page you get when you hold the Neo against the phone. That would be too easy, apparently. After clicking around on the Google Play store, I found Yubico Authenticator:
Yubico Authenticator allows you to use a YubiKey NEO to store OATH credentials (TOTP and HOTP supported, as used by Google, Microsoft, Dropbox, Amazon and many more) used for 2-factor authentication.
Aha! I think this is what I need. And it has been updated recently. Well, May 2017.
Again, it is as ugly as the last app. Compare it to Authy which uses icons to help you find the code you need, strong colours to remind you which service you're using, and large numbers to help when copy-typing.
Which of those apps would you rather use every day?
There's no way to copy credentials from another service - so I had to manually set up all 21 accounts again. That was a fun way to spend an afternoon.
- Scan the QR code of the service.
- Give it a memorable name.
- Tap the YubiKey to your phone to store the token.
To get tokens out:
- Tap the YubiKey to the phone.
- The Authenticator opens up.
- Scroll to find your code (hard without icons or colours as a guide).
- Tap a tiny square to copy the code.
- Swap back to your app and paste it in.
Honestly, I thought I'd be at the login screen of the app, then just have to tap the YubiKey to the phone and have it do it automatically.
Why did I think that? Because that's what the website promises!
I use LastPass to manage all my passwords. If I want to use U2F with it, I need to pay them $2 a month for their premium product. LastPass is the only company I'm aware of who charge extra to enable security features.
But I can still use the YubiKey code generator app. Just not the key itself...?
I AM SO CONFUSED!
I'm one of those daft people with a PGP key in active use. I set it up four years ago as a 4096 bit RSA key. This fifty-quid hunk-of-junk can only handle 2048 bit keys, like it is from the stone age. Why? Who knows.
If you can be bothered, you can generate yet another PGP key and store it on the device. There are no official apps to do this on Android, so you'll need to find yet another third party app to trust. I used OpenKeyChain.
Of course, if you lose the physical hardware you lose the key. There's no obvious way to extract the private key from the YubiKey. I mean, there may be a way - but good luck finding clear documentation.
What's the point?
I get security. I understand the benefits of 2FA. But I struggle with the YubiKey. It's a pain to set up and a pain to use. The apps are outdated, ugly, and underwhelming.
I had thought that this would be a "single use" solution - but it isn't. On a laptop I have to plug it in and touch the button, on Android I have to use NFC to open the app, find the right account, tap to copy, then paste the code manually.
There's no step-by-step guide for new users. It's all trial and error.
For fifty quid, I could buy a cheap Android phone and use Authy for free.
The kicker? When it is plugged into a laptop, a green LED flashes constantly. Urgh.
If you want normal people to adopt security best practices, the experiences need to be easy to use and beautiful. The YubiKey is hard and ugly. Which is a great shame.