[HN Gopher] Passwordless Logins with Yubikey
___________________________________________________________________
Passwordless Logins with Yubikey
Author : adl1995
Score : 62 points
Date : 2021-02-17 17:59 UTC (3 hours ago)
(HTM) web link (adl1995.github.io)
(TXT) w3m dump (adl1995.github.io)
| mabbo wrote:
| True security is using both "something you know" and "something
| you have". Something you have can be stolen, and something you
| know can be tricked out of you. But stealing _both_ is difficult
| and far more obvious.
|
| To login to my work VPN, the password is "<my pin><output from
| the yubikey>". Our SSO system requires both once per day as well.
|
| It's a great system and I highly recommend it.
| aborsy wrote:
| Do you use Pass to get out the VPN password?
|
| I like that set up, even though that's a password manager and
| not like an ssh key held on Yubikey.
| v7p1Qbt1im wrote:
| Ideally something you "are" as well. Though in practice this
| might be overkill for most.
|
| I believe there's a new biometric yubikey in the works. A
| fingerprint version of the 5C NFC would be cool.
| ta89489544 wrote:
| I get the sense that biometrics are not very future proof.
| People leave fingerprints and DNA on everything they touch
| and faces and eyes are seen by cameras all the time.
| Biometrics work now, but in the near future I suspect the
| technology to take images of peoples faces/fingerprints and
| reproduce their likeness to fool a biometric sensor will be a
| commodity. Once that happens biometrics will be near useless
| because you essentially have no way to respond to leaked
| biometric data, it can't be changed.
| JamesSwift wrote:
| How does that password scheme even work unless the plaintext
| pin is being stored somewhere?
| LordDragonfang wrote:
| The system knows how long a yubikey string is and can easily
| discard that part before hashing.
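The "<pin><yubikey output>" scheme from the thread, as an added example that is not part of any comment above: the server stores only a salted hash of the PIN plus the key's public identity, peels the fixed-length Yubico OTP (44 modhex characters) off the end of what was typed, checks the PIN half locally, and hands the OTP half on for validation. The user record layout, the PBKDF2 parameters and the sample OTP are constructed for the example; the OTP itself still has to be validated against a YubiKey validation server, which is outside this snippet.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# A Yubico OTP is 44 modhex characters: a 12-character public identity
# followed by a 32-character encrypted block (counter, timer, CRC).
OTP_LEN = 44
PUBLIC_ID_LEN = 12
MODHEX_ALPHABET = set("cbdefghijklnrtuv")

# Constructed sample: a key whose public identity is all-'c', plus a
# made-up 32-character modhex tail (not a real OTP).
SAMPLE_PUBLIC_ID = "cccccccccccc"
SAMPLE_OTP = SAMPLE_PUBLIC_ID + "tdvcttehiflcrbefkbvnlirvhklhhkig"


def split_credential(submitted: str) -> Tuple[str, str]:
    """Split '<pin><otp>' into (pin, otp); the OTP length is fixed, so the
    PIN is simply everything before the last 44 characters."""
    if len(submitted) <= OTP_LEN:
        raise ValueError("credential too short to hold a PIN and an OTP")
    pin, otp = submitted[:-OTP_LEN], submitted[-OTP_LEN:]
    if not set(otp) <= MODHEX_ALPHABET:
        raise ValueError("trailing 44 characters are not modhex")
    return pin, otp


def hash_pin(pin: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN; parameters are illustrative."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def enroll(pin: str, public_id: str) -> Dict[str, bytes]:
    """Hypothetical stored record: PIN hash and the enrolled key's public
    identity. The plaintext PIN is never stored."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "public_id": public_id.encode()}


def check_first_factor(record: Dict[str, bytes],
                       submitted: str) -> Tuple[bool, Optional[str]]:
    """Verify the PIN locally and confirm the OTP came from the enrolled key.
    Returns (ok, otp): otp is the string to forward to the validation server,
    or None when the local checks already fail."""
    try:
        pin, otp = split_credential(submitted)
    except ValueError:
        return False, None
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]),
                                 record["pin_hash"])
    # Binding the public identity to the account stops someone using their
    # own key with a guessed PIN for another user's account.
    key_ok = hmac.compare_digest(otp[:PUBLIC_ID_LEN].encode(),
                                 record["public_id"])
    if not (pin_ok and key_ok):
        return False, None
    return True, otp


if __name__ == "__main__":
    rec = enroll("4321", SAMPLE_PUBLIC_ID)
    print(check_first_factor(rec, "4321" + SAMPLE_OTP))   # (True, <otp>)
    print(check_first_factor(rec, "1111" + SAMPLE_OTP))   # (False, None)
```

Both hashes are computed with `hmac.compare_digest` so a wrong PIN and a wrong key take the same time; the server still has to send the returned OTP to a validation service and reject replays, which is what makes the second factor meaningful.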
| biosed wrote:
| Amazon?
| athorax wrote:
| We use the AnyConnect VPN client which allows for a password &
| 2nd password field for yubikey, same concept. Agree that it
| works nicely
| deehouie wrote:
| I just bought two yubikeys; a month later, I returned both. Here
| is a (major) problem. On a ubuntu box, I installed `libpam-u2f`
| and set it up for one user account. Turns out it breaks all other
| user accounts on this ubuntu box, meaning no other user could log
| in without the key. I contacted their support. No solution.
| nybble41 wrote:
| PAM is pretty flexible. Can't you just edit the configuration
| to only include the pam_u2f.so module for a certain user, or
| for users in a certain group? Or add the nouserok option[1] to
| allow authentication to proceed in the absence of registered
| U2F device?
|
| The former approach would look something like this; the
| "default=1" part skips the next directive (pam_u2f.so) when the
| test fails (i.e. when the user is not in the mandatory_u2f
| group):
|
|   auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f
|   auth required pam_u2f.so cue
|
| [1] https://developers.yubico.com/pam-u2f/ "nouserok ... Set to
| enable authentication attempts to succeed even if the user
| trying to authenticate is not found inside authfile or if
| authfile is missing/malformed."
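To show why the `[success=ignore default=1]` line above leaves other accounts working, and what `nouserok` changes, here is an added example (mine, not from the comment or from pam-u2f) that parses PAM `auth` lines and walks them with PAM's control semantics. The module behaviour is modelled only as far as these stacks need it, the group name `mandatory_u2f` is the comment's, and the users, group membership, registered keys and trailing `pam_unix.so` line are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stack in the shape suggested in the comment above; the final
# pam_unix.so line is added here so there is a password step to fall through to.
AUTH_STACK = """
auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f
auth required pam_u2f.so cue
auth required pam_unix.so
"""

# The alternative from the same comment: pam_u2f passes for users with no key.
NOUSEROK_STACK = """
auth required pam_u2f.so cue nouserok
auth required pam_unix.so
"""

# Constructed environment: who is in the group, who has a key in the authfile.
GROUPS: Dict[str, Set[str]] = {"mandatory_u2f": {"alice"}}
REGISTERED_U2F: Set[str] = {"alice"}

# Control keywords expressed in the explicit [success=... default=...] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text: str) -> List[Tuple[Dict[str, str], str, List[str]]]:
    """Parse 'auth <control> <module> [args]' lines into (actions, module, args)."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((actions, module, args.split()))
    return entries


def run_module(module: str, args: List[str], user: str, touched: bool) -> bool:
    """Just enough of each module's behaviour for the stacks above."""
    if module == "pam_succeed_if.so":
        group = args[2]                  # only 'user ingroup <group>' is modelled
        return user in GROUPS.get(group, set())
    if module == "pam_u2f.so":
        if user not in REGISTERED_U2F:
            return "nouserok" in args    # no key registered: passes only with nouserok
        return touched                   # key registered: the key must be touched
    if module == "pam_unix.so":
        return True                      # password assumed correct; not the point here
    raise ValueError(f"unknown module {module}")


def authenticate(stack_text: str, user: str,
                 touched: bool = True) -> Tuple[bool, List[str]]:
    """Walk the stack; return (access granted, modules actually consulted)."""
    entries = parse_stack(stack_text)
    consulted: List[str] = []
    failed = succeeded = False
    i = 0
    while i < len(entries):
        actions, module, args = entries[i]
        consulted.append(module)
        result = run_module(module, args, user, touched)
        action = actions.get("success" if result else "default", actions["default"])
        i += 1
        if action == "ok":
            succeeded = succeeded or not failed
        elif action == "bad":
            failed = True                # keep going, but the result is fixed
        elif action == "die":
            return False, consulted
        elif action == "done":
            if not failed:
                return True, consulted
        elif action != "ignore":
            i += int(action)             # 'default=N': skip the next N entries
    return succeeded and not failed, consulted


if __name__ == "__main__":
    print(authenticate(AUTH_STACK, "bob"))                   # skips pam_u2f
    print(authenticate(AUTH_STACK, "alice", touched=False))  # denied
    print(authenticate(NOUSEROK_STACK, "bob"))               # allowed by nouserok
```

Run it for `bob` (not in the group) and the trace shows `pam_u2f.so` is never consulted, which is the property the comment is after; `alice` must touch her key or is denied. With `nouserok`, every user without a registered key sails past the module, so that option is only as strong as the protection around the authfile itself.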
| denysvitali wrote:
| I guess you can write your own pam module and use maybe an
| argument (your username) as a parameter. Just talking
| hypothetically: I think it should be possible
| Semaphor wrote:
| I don't have a clue, but just from your description, it sounds
| like a bug in Ubuntu?
| CameronBanga wrote:
| This is a complete aside, but last year I purchased a keychain
| YubiKey 5, that supported USB-C and Lightning.
|
| I attached it to my key ring, and within about 8 weeks, the
| device was destroyed through the general wear and tear of being
| in my pocket. The plastic started chipping at one end of the
| device, and before long the entire plastic shell shattered
| off completely, exposing the board underneath.
|
| Was a pretty big bummer, and kept me going back to Authy.
| Are there any other hardware key/tokens that are maybe a bit more
| rugged?
| podiki wrote:
| Hmm, maybe that is particular to that model? I've only had
| Yubikeys that are regular USB sized, carry them around on
| keychains all the time dangling from a bag, but haven't had a
| problem in the years I've owned it. Generally they are
| considered pretty durable I thought. (But also wouldn't mind
| hearing recommendations for others for the future.)
| jsty wrote:
| I'd also vouch for the near indestructibility of the normal
| USB-A variety - mine is still humming along despite being
| subjected over several years to no end of mishaps and abuse
| that would've killed any regular USB drive several times over.
| lima wrote:
| For SSH, use native U2F/FIDO2 OpenSSH support instead:
|
| https://www.openssh.com/txt/release-8.2
|
| https://cryptsus.com/blog/how-to-configure-openssh-with-yubi...
|
| TOTP with a PAM module is insecure since it's not
| cryptographically tied to the session like public key auth and
| can be phished. The author's suggestion to use it for
| passwordless login is dangerous when applied to SSH sessions!
| lukax wrote:
| TouchID on MacBooks can also be used to authenticate the user in
| terminal, mostly for sudo.
|
| The only annoying thing about it is that "/etc/pam.d/sudo" gets
| overwritten on every macOS system upgrade.
|
| https://apple.stackexchange.com/questions/259093/can-touch-i...
| naturalpb wrote:
| Alternate title: guide to changing your single factor
| authentication from "something you know" to "something you have."
| jasonpeacock wrote:
| "Something you have" is generally an improvement over
| "something you know" for most people's account security.
|
| You have to remember where we are starting from - most people
| are still using the same password across all their accounts.
| 1_player wrote:
| How is that? Everybody living in my house can get my Yubikey
| yet doesn't know my password. If I get robbed, my bank
| account is still (relatively) safe.
| coder543 wrote:
| Playing advocate for the idea:
|
| There are a lot more people far away from you than there
| are close to you. If breaking your security requires
| physical proximity (such as to steal a yubikey), then you
| are much safer just based on this. It's also easier for
| people to blindly steal credentials for millions of people
| online than it is for them to steal millions of physical
| security keys.
|
| Alternatively, passwords are commonly reused across
| websites, so a failure of any of those websites can lead to
| a compromise of all of them, which is not the case with a
| YubiKey. Along that same line of thought, passwords are
| phishable, where YubiKeys are not.
|
| It's also possible that people in your physical proximity
| could shoulder surf your password, install a keylogger
| (which could be a _physical_ keylogger, if you normally use
| a USB keyboard, not just software), or use a strategically
| positioned camera to do some digital shoulder surfing.
| Passwords aren't immune to trust issues when it comes to
| physical proximity. Ideally, you trust those you are near
| to _some_ extent.
|
| YubiKey also has a fingerprint-protected device coming out
| soon[0]... which would raise the bar for the threat model
| in this discussion some. Using a fingerprint and/or PIN to
| unlock a YubiKey preserves most of the benefits, while
| eliminating most of the concerns that people are
| mentioning. HSMs can choose to self-erase after a certain
| number of failed PIN attempts, so even a short PIN is not
| something that can easily be brute forced without an
| unpatched vulnerability.
|
| If websites would allow you to _only_ use any one of your
| YubiKeys to authenticate (obviously meaning you can have
| multiple, with backup YubiKeys stored somewhere safe in
| case you lose your main one), I think that would be a
| significant improvement in security over password
| authentication for most people. This is basically what the
| WebAuthn standard is attempting to do. I don't expect most
| people to be interested in buying 3 security keys and
| carrying one around all the time, though.
|
| [0]: https://www.yubico.com/blog/yubico-reveals-first-biometric-y...
| naturalpb wrote:
| Most people won't purchase and use a Yubikey either though.
| Really just depends on your threat model, if remote attacks
| or local attacks are of higher risk. An obvious improvement
| would be the use of both a password and physical security
| token.
| nly wrote:
| I think you mean from "something you can forget" to "something
| you can lose"
| dheera wrote:
| This is why "something you have" should be ALWAYS replaced by
| "one of a few things you have" where you report/deactivate
| any lost things.
| ncphil wrote:
| Tried this long ago when we got our first Yubico U2F keys. Cool,
| but ultimately unwise if not paired with a password or a decent-
| length pin because without that second factor you're back to a
| single point of (security) failure. Also, as pointed out by
| @deehouie, at present the pam changes required will complicate
| things where a machine is shared by multiple users (unless, of
| course, you just leave the key plugged in all the time: at which
| point... well, you know).
| xaduha wrote:
| If you have nothing better to do:
|
| 1. Get a smart ring like OMNI
|
| 2. Shove a USB hub and a contactless reader into your mouse, so
| if on the next poll your hand with a ring isn't on it - lock it
| all
|
| Seriously though, if someone would start selling mice with
| contactless readers built-in, I'd buy a few.
| philsnow wrote:
| > Note: For passwordless logins the user will need to press the
| Enter with their Yubikey plugged in to unlock their screen.
|
| You can use the "yubikey personalization tool" to change the
| format of the yubico otp that it emits, including appending an
| enter key. This is the way you'd want it set up for that, with
| the "tab"s unselected and the "enter" selected:
| https://cdn.zappy.app/791c95f1c203ef39fb71ea2809aa82a6.png
| BrandoElFollito wrote:
| Making a decision on what to use for authentication should rely
| on a risk assessment. Of course normal people will not do it, but
| at least what we provide them should meet their needs.
|
| 99.7% of people will get their password stolen because they use
| only one on each service. It will get stolen on some shady site,
| and then checked against the same email on gmail.com.
|
| The remaining 0.3% of the users will have their laptop stolen,
| together with the key. The thief will then re-image the laptop to
| sell it and throw the key away.
|
| Finally, 1723 geeks in the world need to make sure they use 8 FA
| so they will be fine.
|
| There are also enterprise users (35.8%) who will get something
| from their company which marry a PIN to an OTP and they will be
| fine.
|
| In other words: yay yubikey! instead of password.
|
| Note: the percentages not only are invented but do not add up to
| 100%. The first one is probably very, very underestimated.
| anonisko wrote:
| Cool. Now where's the guide to embed NFC enabled yubikeys in your
| hand?
| lrossi wrote:
| According to some, you can get one with your covid vaccine :)
| marianov wrote:
| Any way to do it with an older type of USB token? Like Safenet
| eTokens?
| qbasic_forever wrote:
| The auto lock on device removal with udev rule would be the
| same idea, in fact you could use any USB device like a basic
| flash drive if you wanted. Changing PAM's login to use the
| device for login would require a bit more device-specific stuff
| --I'd search around to see if Safenet already provides a module
| to drive PAM auth.
| logix wrote:
| This pam_usb fork can be used to set up any USB for
| authentication: https://www.linuxuprising.com/2021/02/how-to-login-with-usb-...
| marianov wrote:
| These are PKI tokens, like smartcards. I would like
| something tied to a certificate and private key on the
| device. That would be unforgeable.
| encryptluks2 wrote:
| I feel like these devices generally give the illusion of security
| while really giving an adversary a single device to target. As
| another user had suggested, using udev rules and some device
| encryption would likely be a much better option... if not as an
| alternative, at least in conjunction with something like this.
| fsflover wrote:
| > giving an adversary a single device to target
|
| Technically, yes, but how do you target it? It is impossible
| to extract the private key from it.
| baseballdork wrote:
| By stealing the device.
| johntran wrote:
| It's most likely easier to brute force a password than to
| break into someone's house. Would be easier to demand all
| credentials by gunpoint with that much effort.
| baseballdork wrote:
| That's a fair point, but that's not the only attack
| vector. I carry my token around on my keys which makes it
| vulnerable to being pick pocketed or just left behind
| somewhere. I think the original point was that you're
| just shifting your single authentication factor, not
| necessarily making it more secure. My key is only used
| for 2FA so even if someone were to get access to it,
| they'd have to know my password as well to get use out of
| it.
| fsflover wrote:
| It does not scale.
| ketralnis wrote:
| It doesn't have to scale. If you're the target, they only
| have to target you.
| centimeter wrote:
| The overwhelming majority of hacks are dragnet, not
| targeted.
___________________________________________________________________
(page generated 2021-02-17 21:01 UTC)