A grumpy look at using a Yubico Neo NFC on Ubuntu & Android


Twenty One. I have 21 accounts which use Two-Factor Authentication. I use the Authy app to manage them all, but it is still a pain to scroll through and find the exact 2FA token I need.

Encouraged by my friend Tom Morris's blog post, I picked up a YubiKey NEO for £50. It implements the FIDO U2F standard.

Sadly, the YubiKey is substandard and frustrating to use. Here's what I found.

YubiKey Neo - a thumb sized USB device - on cardboard backing

First impressions count for a lot - and it is pretty disappointing. What you see in my fingers is literally all Amazon sent me. A fob and a bit of card. No instructions, no welcome pack, no getting started guide. What does the circle do? How do I use it with Android?

The plastic is cheap and doesn't look like it would survive in a pocket full of keys. In short, it looks like a freebie USB stick - not an expensive piece of security hardware.

OK, let's get started!

Linux Set Up

Do I need to do anything special to get it working on Ubuntu? Who knows - the Yubico pages literally just point to StackOverflow.

A quick lsusb shows ID 1050:0116 Yubico.com Yubikey NEO(-N) OTP+U2F+CCID - so it seems to be detected correctly. So that should be fine, right?

When I push the button on the YubiKey, it spits out a 44 character password - all lower case characters. It's the same every time. Shouldn't this be unique, like a normal one-time code?

Firefox Woes

Fine, let's follow the steps needed to set up Facebook with a security key.

An error message saying that Firefox doesn't support Yubico

Ah... Turns out that U2F support will be coming to Firefox in Version 57 which is scheduled for release in mid-November.

Chrome Test

OK, let's switch my browser to Chrome temporarily. That Firefox page alerted me to Yubico's demo server at https://demo.yubico.com/ (which isn't linked from anywhere on their main site). With that I was able to confirm that the key worked. I guess. I touched the button on the key, it autotyped the password and I was logged in. Yay?

I don't really understand what I did or why it worked.

GitHub

The GitHub help pages give a range of scary warnings about setting up 2FA.

There are 12 steps to setting up U2F. Step one is setting up 2FA via an app - which is a 10 step process.

The short version is:

  1. Go to https://github.com/settings/two_factor_authentication/configure
  2. Give the key a name.
  3. Press the button on the key.

That's it! Pretty simple.

After logging in with a username and password, you get this screen:

GitHub screenshot "Insert your security key Press the button on your security key device to finish signing in. If it does not have a button, just re-insert it."

I pressed the button and IT WORKED!

Android

OK, so this key has NFC and therefore should work with Android. But how? There's nothing on the Yubico website.

I held the Neo against my phone, and it popped open the default web browser.

A screenshot of an Android phone. The web browser congratulates me for setting up my Key

I don't understand what this screen is telling me. Apparently I have been "successfully authenticated" - but with what? I haven't typed in a password or given a user name.

That serial and identity - should I keep them safe? Private? Are they dangerous if they get leaked? Do I need them backed up?

Oh, great, yet another app I have to install, configure, and update.

The app

The app is also substandard. The Android version only supports American and German keyboards.

YubiKey app - has very few options, looks boring

The company encourages you to contribute new layouts to their open source project. But it, like the app, hasn't been updated since 2015!

Back to GitHub

So I tried GitHub via the Chrome browser on Android.

GitHub website showing an error message

Nope. Just wouldn't work. I held the key to the phone, the app copied the 44 character password, I manually pasted it in. And I got this error, repeatedly. My 2FA codes from Authy worked fine.

I don't know how to fix that.

The other app

There is another app! It isn't linked to from the default page you get when you hold the Neo against the phone. That would be too easy, apparently. After clicking around on the Google Play store, I found Yubico Authenticator.

Yubico Authenticator allows you to use a YubiKey NEO to store OATH credentials (TOTP and HOTP supported, as used by Google, Microsoft, Dropbox, Amazon and many more) used for 2-factor authentication.

Aha! I think this is what I need. And it has been updated recently. Well, May 2017.

Again, it is as ugly as the last app. Compare it to Authy which uses icons to help you find the code you need, strong colours to remind you which service you're using, and large numbers to help when copy-typing.

Authy app is delightful to use, Yubico looks grim

Which of those apps would you rather use every day?

There's no way to copy credentials from another service - so I had to manually set up all 21 accounts again. That was a fun way to spend an afternoon.

  1. Scan the QR code of the service.
  2. Give it a memorable name.
  3. Tap the YubiKey to your phone to store the token.
  4. Repeat.

To get tokens out:

  1. Tap the YubiKey to the phone.
  2. The Authenticator opens up.
  3. Scroll to find your code (hard without icons or colours as a guide).
  4. Tap a tiny square to copy the code.
  5. Swap back to your app and paste it in.

Honestly, I thought I'd be at the login screen of the app, then just have to tap the YubiKey to the phone and have it do it automatically.

Why did I think that? Because that's what the website promises!

For NFC-enabled Android phones, the YubiKey NEO allows you to just tap the key against the phone to complete authentication.

LastPass

I use LastPass to manage all my passwords. If I want to use U2F with it, I need to pay them $2 a month for their premium product. LastPass is the only company I'm aware of who charge extra to enable security features.

But I can still use the YubiKey code generator app. Just not the key itself...?

I AM SO CONFUSED!

PGP

I'm one of those daft people with a PGP key in active use. I set it up four years ago as a 4096 bit RSA key. This fifty-quid hunk-of-junk can only handle 2048 bit keys, like it is from the stone age. Why? Who knows.

If you can be bothered, you can generate yet another PGP key and store it on the device. There are no official apps to do this on Android, so you'll need to find yet another third party app to trust. I used OpenKeychain.

Of course, if you lose the physical hardware you lose the key. There's no obvious way to extract the private key from the YubiKey. I mean, there may be a way - but good luck finding clear documentation.

What's the point?

I get security. I understand the benefits of 2FA. But I struggle with the YubiKey. It's a pain to set up and a pain to use. The apps are outdated, ugly, and underwhelming.

I had thought that this would be a "single use" solution - but it isn't. On a laptop I have to plug it in and touch the button, on Android I have to use NFC to open the app, find the right account, tap to copy, then paste the code manually.

There's no step-by-step guide for new users. It's all trial and error.

For fifty quid, I could buy a cheap Android phone and use Authy for free.

The kicker? When it is plugged into a laptop, a green LED flashes constantly. Urgh.

If you want normal people to adopt security best practices, the experiences need to be easy to use and beautiful. The YubiKey is hard and ugly. Which is a great shame.

5 thoughts on “A grumpy look at using a Yubico Neo NFC on Ubuntu & Android”

  1. I'm currently trying to set up 2FA full disk encryption using Yubikeys and LUKS. Having bought a blue Yubikey, and done a lot of reading and experimentation, I finally discover that the blue version only supports U2F, not OTP as required by yubikey-luks. It would have been good to know that before spending money. In theory the information was available in advance, but it really wasn't very easy to find.

  2. Here's a bit more thorough version of the comments I made on Twitter.

    There are a few misunderstandings in this post, which perhaps stem from poor documentation on Yubico’s behalf.

    The NEO has a few default modes (OTP, U2F) and then programmable modes through a JavaCard interface (e.g. PGP).

    One of these modes (Yubico OTP), which is what you encountered with the 44 character code, does actually generate unique codes. It's a bit deceiving because the first 12 chars aren’t as they ID your key. The remaining 32 characters are cryptographically signed counters that protect against replay attacks. Yubico have information on how this mode works at https://developers.yubico.com/OTP/OTPs_Explained.html It’s a completely proprietary 2FA method that relies on asking Yubico’s server (or an external server that has a copy of the Yubikey's crypto keys) if a key is valid.

    You can also use TOTP with a Yubikey but it's a bit tricky because it doesn’t have a clock/battery. TOTP relies on using the current timestamp to generate a code, so you need a helper app to supply current time to the Yubikey.

    U2F solves these two pain points (plus phishing) by having all the comms built into the browser, but support is very new and scarce. Hopefully it will grow in popularity and eliminate some of this complexity.

    It’s definitely way more durable than you’d think (I carry my Yubikey on my keys) and it's highly configurable (so the persistent LED + modes you don’t use can be disabled). https://www.yubico.com/products/services-software/personalization-tools/use/

    I guess this is why they point to the no-frills U2F only key? Everything is self-configured with U2F so you don't have to worry about any of these different modes/settings/helper apps.
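As an added illustration of the OTP mode described in the comment above (example code, not from the post, the commenter or Yubico): a key-side generator and a server-side validator for the 44 character Yubico OTP. It goes a little beyond the comment by spelling out the format Yubico documents: the first 12 modhex characters are the fixed public ID, and the remaining 32 are one 16 byte block (private ID, session counter, session use counter, CRC) encrypted with AES-128 under a secret shared only with the validation server, which is why the code changes on every press and why a replay can be refused. The AES secret, private ID and public ID below are constructed placeholders.

```go
package main
import ("bytes"; "crypto/aes"; "encoding/binary"; "errors"; "fmt"; "strings")
// Yubico's modhex alphabet: hex digits moved onto keys that sit in the same place on most keyboard layouts.
const modhex = "cbdefghijklnrtuv"
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhex, s[2*i]), strings.IndexByte(modhex, s[2*i+1])
		if hi < 0 || lo < 0 { return nil, errors.New("not modhex") }
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}
// crc16 (poly 0x8408, init 0xffff) is the integrity check carried in the block's last two bytes.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ { if crc&1 == 1 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 } }
	}
	return crc
}
// GenerateOTP mimics one key press: private ID + counters -> one AES-128 block -> modhex, after the public ID.
func GenerateOTP(publicID string, key, privID []byte, counter uint16, use byte) string {
	var blk [16]byte; copy(blk[:6], privID)
	binary.LittleEndian.PutUint16(blk[6:], counter) // session counter: +1 on every power-up
	blk[11] = use                                   // session use: +1 per press (timestamp/random bytes left zero here)
	binary.LittleEndian.PutUint16(blk[14:], ^crc16(blk[:14]))
	c, _ := aes.NewCipher(key); c.Encrypt(blk[:], blk[:])
	s := make([]byte, 0, 32); for _, b := range blk { s = append(s, modhex[b>>4], modhex[b&15]) }
	return publicID + string(s)
}
// Validator is the verifying server: it holds the key's AES secret and the highest counters it has accepted.
type Validator struct { Key, PrivID []byte; lastCtr uint16; lastUse byte }
func (v *Validator) Validate(otp string) error {
	if len(otp) != 44 { return errors.New("OTP must be 44 chars") }
	blk, err := modhexDecode(otp[12:]) // chars 0-11 only name the key and never change
	if err != nil { return err }
	c, _ := aes.NewCipher(v.Key); c.Decrypt(blk, blk)
	if !bytes.Equal(blk[:6], v.PrivID) || binary.LittleEndian.Uint16(blk[14:]) != ^crc16(blk[:14]) { return errors.New("not produced by this key") }
	ctr, use := binary.LittleEndian.Uint16(blk[6:]), blk[11]
	if ctr < v.lastCtr || (ctr == v.lastCtr && use <= v.lastUse) { return errors.New("replayed OTP") }
	v.lastCtr, v.lastUse = ctr, use
	return nil
}
func main() { // constructed demo secrets; a real key's AES secret and private ID are set at personalisation time
	key, uid := []byte("constructed-16B!"), []byte{1, 2, 3, 4, 5, 6}
	v := &Validator{Key: key, PrivID: uid}
	otp := GenerateOTP("ccccccbcgujh", key, uid, 1, 1)
	fmt.Println(otp, v.Validate(otp), v.Validate(otp)) // the second submission is rejected as a replay
}
```

Pasting the same 44 characters twice (as the post did with GitHub on Android) is exactly what the counter check refuses: the server only accepts a counter pair higher than the last one it saw from that key.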

    1. Good to know it is more durable. Your comment is the first time I've heard about the Linux configuration tool - that would have been a helpful thing to have in an onboarding process.

  3. It looks like you would benefit greatly from reading the Yubikey manual, which explains the OTP authentication process.

    The Yubikey works very well at what it does. I have been using mine for OTPs, OATH, U2F, and PGP for about 3 years. It seems that the issue here is that you purchased something you don't understand. I hardly see how that is Yubico's fault...

    1. Hi Morgan. As I said in the 4th paragraph, the Yubikey doesn't come with a manual. At the time I wrote this blog post, the website was a mess of contradictory information.
       I purchased it thinking I could authenticate by tapping it against my phone - as their advert promised. I hardly see how that is my fault...
