Registered
Join Date: Dec 2001
Location: Cambridge, MA
Posts: 44,301
Security Key for 2-Factor Authentication
I just learned about these from Wirecutter, which is the NYTimes version of Consumer Reports. From the article:

"Losing control of an online account to a digital intruder is a nightmare scenario. Multi-factor authentication (or MFA) is the best way to safeguard an account, because once MFA is enabled, an attacker won't be able to access it—even if they have your username and password. A physical security key is the most secure MFA option, since it's a dedicated authentication device and resistant to phishing. The Yubico Security Key C NFC is the best choice: It's affordable and will work with just about every site that supports security keys. If you're already familiar with security keys and need or want more-advanced features, the Yubico YubiKey 5C NFC is a more expensive yet worthwhile choice."

Yubico - YubiKey 5C NFC - Two-Factor authentication (2FA) Security Key, Connect via USB-C or NFC, FIDO Certified - Protect Your Online Accounts

A different but similar topic: I have been getting bombarded with 855 calls for 2 weeks, over 5 a day. I have been turning them off while calling. iPhone will block unique numbers, but I don't think it will block all 855 numbers. Anyone know if it can?
__________________
Tru6 Restoration & Design
Registered
I've been using Yubikeys for a couple of years now. I have two of them that I keep in different locations, because you always need a backup.
Occasionally I will get notifications that someone has requested a password reset on one of my accounts via a "forgot password" link on a login page. It's nice to know that they couldn't get any further after clicking on that link.
Registered
Join Date: Jun 1999
Posts: 7,130
Interesting, thanks! Ordering 2 right now... always looking for ways to make things more secure. I always use 2FA when available but wasn't familiar with these keys...
__________________
1957 Speedster, 1965 356SC, 1965 356SC Outlaw, 1972 911T, 1998 993 C2S, 2018 Targa 4 GTS, 2014 Cayenne S, 2016 Boxster Spyder, 2019 Tacoma
Registered
Join Date: Mar 2003
Posts: 10,320
The issue with a hardware key is that you are tied to that piece of hardware. Also, whatever device you are logging in from has to have support for it (drivers), etc.
When we went to MFA for our O365 login controlled stuff I opted for the number-sync app (MS Authenticator) on my phone, because it is based on an open standard and I can implement it in code myself should I choose to do so. When you set this up, you generate a list of 10 number codes that will each work only once. These are saved on paper offline and used for emergency password reset, authing if the phone is lost, etc. Of course, the day they try to make me use some 3rd party MFA app for authentication to my SSH sessions I'll have to change their grades for my course they took (yes, my boss and most of my coworkers have been my students) and remind them that SSH keys are MFA by nature (something you have, something you know).
__________________
"IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO."
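The "open standard" number-code app described in the post above is TOTP (RFC 6238, built on HOTP from RFC 4226), and the paper list of ten single-use numbers is a backup-code scheme. Below is an added example, not code from the post or from Microsoft Authenticator, implementing both with only the Python standard library. The 20-byte secret is the RFC 6238 test-vector secret; the account and issuer names are constructed. The code generation itself needs no network access: both sides derive the six digits from the shared secret and a roughly synchronised clock, and the server-side verifier tolerates one 30-second step of skew in each direction. Backup codes are kept only as SHA-256 hashes and each hash is deleted on redemption, so a code is accepted exactly once.

```python
"""TOTP one-time codes (RFC 6238 / RFC 4226) and single-use backup codes.

Added example using only the Python standard library. The secret used in
__main__ is the RFC 6238 test-vector secret; account/issuer names are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step.

    Nothing here touches the network; prover and verifier only need the
    shared secret and approximately synchronised clocks.
    """
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Server-side check accepting `window` steps of clock skew each way.

    compare_digest keeps the comparison constant-time so a failed guess does
    not leak how many leading digits were right.
    """
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    for skew in range(-window, window + 1):
        if counter + skew < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + skew, digits), code):
            return True
    return False


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """Key URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


def generate_backup_codes(count=10, digits=8):
    """Return (plaintext codes to print once, set of hashes for the server to store)."""
    codes = []
    while len(codes) < count:
        candidate = str(secrets.randbelow(10 ** digits)).zfill(digits)
        if candidate not in codes:          # keep every code distinct
            codes.append(candidate)
    store = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, store


def redeem_backup_code(store, code):
    """Accept a backup code once; its hash is removed so a replay is refused."""
    digest = hashlib.sha256(code.strip().encode()).hexdigest()
    if digest in store:
        store.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 6238 test-vector secret
    print(provisioning_uri(secret, "alice@example.test", "ExampleBank"))  # constructed names
    print("code at T=59  :", totp(secret, 59))        # 287082 per RFC 6238
    print("current code  :", totp(secret))
    codes, store = generate_backup_codes()
    print("backup codes  :", codes, "(print, keep offline)")
    print("first use     :", redeem_backup_code(store, codes[0]))
    print("replay attempt:", redeem_backup_code(store, codes[0]))
```

The skew window is the usual trade-off: it lets a phone whose clock drifted a few seconds still log in, at the cost of accepting three codes instead of one per attempt, which is why rate limiting on the verification endpoint matters as much as the algorithm.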
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,899
The missus just sent me this article.
It talks about the Google version. https://www.theverge.com/2023/11/15/23962443/google-titan-security-key-passwordless-login
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,899
Quote:
Don't even get me started on the process to login to a jumphost for network SSH or worse yet, server access. It's gotten ridiculous, but hey, it's a BIG bank and a BIG target for everyone. We spend a ton of time and money on cybersecurity.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,976
I have 4 Authenticator apps on my phone lol. We sell and support Cisco’s DUO and I have to say it’s a must for anything online.
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
Registered
Join Date: Mar 2004
Location: La Crosse, WI
Posts: 1,327
Quote:
It is not good. We're also looking at moving from Duo to Okta's MFA. I'm sure that will also be a quality piece of software. We used to use physical fobs from RSA; they got very expensive, which is why we went to Duo on your phone. A couple of cloud-based systems we use will use MS Authenticator.
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,899
Anything online that supports the Auth apps, though, right? It's not like every site supports it.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa
Registered
I still prefer the use of a physical verification key which I control.
Any of these authentication apps require online connectivity, which presents an attack vector that is constantly being probed and tested. When one of those gets compromised, all hell will break loose. And it's not if, it's when. And reliance on SSH? Really? There are 25 Common Vulnerabilities and Exposures (CVE) for SSH listed by the National Cybersecurity FFRDC, a few of which are active, unresolved and have existing public exploits. I'll stick with a physical key.