Is a separate USB key meaningfully more secure?
The user experience is also better with U2F than previous 2FA systems. When GitHub prompts you for U2F, you press the yubikey and are instantly logged in. No typing random numbers within n seconds, no fake keyboard.
YMMV of course, but if you've tried U2F, it feels incredibly slick.
For computers you frequently use, you can get multiple keys and leave them in the port (Yubico makes a small one that stays in the port and only sticks out enough for you to be able to touch it, but it's a bit pricey).
Passwords are weak vs. many types of hacks, U2F is strong. And vice-versa (easy to steal the Yubi-key + computer, but they still need the password).
Most of the USB keys are in a form factor that fits well on an existing key ring. If you are like most people, you presumably also already have a pile of keys connected to a key ring on you at all times.
You don't have to unlock your phone device and launch the appropriate app, you just need to plug into an open USB slot on the machine you are using.
The downside is that it takes a USB port, which is one of the reasons I hated this year's MacBook so much.
UPDATE: I found the exact model I have on Amazon
http://www.amazon.com/Yubico-Y-110-YubiKey-NEO-n/dp/B00O8ST7...
A fully isolated component like a Yubikey has a smaller attack surface area for these kinds of things (easier to audit smaller code, no sustained Internet or cellular connectivity).
[1]https://www.duosecurity.com/blog/understanding-your-exposure...
1) sign in with github at: https://www.yubico.com/github-special-offer/
2) buy now: https://www.yubico.com/github-special-offer/github-yubikey-s...
3) checkout: https://www.yubico.com/checkout/
Once you complete one step successfully you should be able to skip to the next. Good luck vs. the 504's!
Scheduled? Yeah right.
Original Post: Looks like the $5 keys are sold out, my cart shows $36
Personally I hate being {attached to|associated with|being required to carry} a particular piece of hardware; I much prefer that information freely flows with me as I move between the various devices I interact with over the course of a day.
There are many times I don't carry my phone around with me or do not wish to, simply because I have a terminal that loads my personalized environment everywhere I go. Information flows with me, not hardware.
2FA with a physical component is generally the best way to achieve the goal of "information flows with me". With a password only, you can more aptly describe the situation as "information flows with anyone who knows my password".
A physical component has a lot of issues:
* It can be stolen or robbed at gunpoint. Torture, drugging, and hypnosis aside, your mind is much more secure.
* It can run out of batteries.
* It's one more thing you can lose. It's already annoying enough to have to remember to carry 7 or 8 things every day, including a phone, bike light, smart watch, tablet, battery pack, reusable utensils, and so on. I don't want to have to add more things to this list.
* It can be damaged by the elements.
* It can be difficult to give access to others who you want to give access to.
* It may have security holes of its own, both in hardware and in software.
* When damaged or robbed, the user is highly inconvenienced, to the point that they are unable to access their own money/accounts/etc. How do you get food, water, and get home from the middle of nowhere after your wallet and phone have been taken from your person? With password-only methods, you could theoretically find a nearby public terminal, log in with a simple username and password, and get a ride/call a friend/file a report/do whatever you need to do.
* If it relies on cellular service, it may not work internationally if the user changes SIM cards or devices. For many that live near border towns and cross borders every day for work, this becomes a massive inconvenience.
> I never understood the point of 2-factor authentication
Ouch. People choosing bad passwords has been mentioned already but the real reason is because it protects against a broad range of MITM attacks as well as some sorts of phishing attacks.
Information flow protocols and hardware should be abstracted and separated in the same way that we generally separate church and state in most modern nations. Otherwise, the innovation of either is going to be pulled behind by the other.
1. Go to https://www.yubico.com/github-special-offer/
2. Add the special edition security key to cart
3. Apply the "GITHUB" coupon
4. Check out
Once you get it, don't forget to also use it with Dropbox and Google, which both predate GitHub in U2F support. If you know any other provider, comment below, please!
> We are experiencing difficulties and the GitHub Special Offer is temporarily unavailable. We are working hard to fix the issue and appreciate your understanding.
> Keep an eye on Twitter (@yubico) for updates on when we will have the GitHub Special Offer available again.
Thanks for the tip.
Browser support is currently limited to Chrome, and possibly Windows Edge*
For now it only works with USB. Bluetooth and NFC specs are out; browser support is the bottleneck.
The protocol is public/private key based, with the private key strongly encouraged to be in tamper resistant/evident storage.
The protocol is authentication method agnostic. It doesn't care if you use a USB key, a retinal scan, a pin or divination.
You could write a software only authenticator if you wanted, but servers could detect that (and reject it if they chose to) through the attestation certificate you provided. You can't pretend to be a brand X authenticator, because only company X will have the private key(s) matching the attestation certs to sign (batches) of model X authenticator.
Yubikeys are just one implementation of a U2F authenticator. In theory GitHub now works with any present/future authenticator that talks U2F (modulo browser support), e.g. an iPhone+TouchID+NokNok SDK, a Pebble watch+app, an Android Phone+$your_app, an NFC implant, m-of-n wearables
* Microsoft announced something U2F related for Windows 10, I never got to the bottom of what exactly
For more detail I did a talk at EuroPython this year https://moreati.github.io/passwordspain/#/ https://www.youtube.com/watch?v=YSTsgldazSU
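The registration and login flow the comment above describes (per-origin key pair, attestation by a vendor batch key, challenge signing), as an added example in Go with the standard-library ECDSA; it is not code from the talk, from Yubico, or from any U2F implementation. The batch key, origins and challenge are constructed, and the toy signs appID || fields directly rather than U2F's exact appID-hash / client-data layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models a U2F authenticator's per-origin keys (constructed): key handle -> private key.
type Token map[string]*ecdsa.PrivateKey
// NewBatchKey stands in for the attestation key a vendor burns into a whole batch of tokens.
func NewBatchKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// digest is the signed input: appID followed by two fields, mirroring U2F's appID hash || fields.
func digest(appID string, a, b []byte) []byte {
	h := sha256.Sum256(append(append([]byte(appID), a...), b...))
	return h[:]
}
func pubBytes(p *ecdsa.PublicKey) []byte { return append(p.X.Bytes(), p.Y.Bytes()...) }
// Register mints a key pair bound to appID and has the batch key attest to the handle and public key.
func (t Token) Register(attest *ecdsa.PrivateKey, appID string) (handle []byte, pub *ecdsa.PublicKey, attSig []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	handle = make([]byte, 16)
	rand.Read(handle)
	t[string(handle)] = priv
	attSig, _ = ecdsa.SignASN1(rand.Reader, attest, digest(appID, handle, pubBytes(&priv.PublicKey)))
	return handle, &priv.PublicKey, attSig
}
// Sign answers a login challenge with the key behind handle; byte 0x01 stands for the user-presence touch.
func (t Token) Sign(appID string, handle, challenge []byte) ([]byte, bool) {
	priv, ok := t[string(handle)]
	if !ok {
		return nil, false // handle was issued to another origin or by another token
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(appID, []byte{1}, challenge))
	return sig, true
}

// VerifyRegistration: the server enrols a key only if a batch key it trusts signed the attestation.
func VerifyRegistration(trusted *ecdsa.PublicKey, appID string, handle []byte, pub *ecdsa.PublicKey, attSig []byte) bool {
	return ecdsa.VerifyASN1(trusted, digest(appID, handle, pubBytes(pub)), attSig)
}

// VerifyAssertion checks a login response against the public key kept since registration.
func VerifyAssertion(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, []byte{1}, challenge), sig)
}
```

A software authenticator can run this same code, but unless it holds a trusted batch key its registration fails at VerifyRegistration, which is the check the comment refers to.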
With a smartcard that can hold a key pair, one can both authenticate (sign) and encrypt messages, using the same single key (or multiple keys if one wishes for multiple identities). With U2F all one can do is authenticate, using a distinct securely-stored PSK for each remote party.
A single hobbyist maintains an open-source tool that allows applets to be loaded on to GlobalPlatform-compliant cards. It's pretty fragile and requires some trickery and tribal knowledge. You have to hope some forum somewhere has the unlock key to allow applet loading on whatever card you bought. Another single hobbyist maintains a PKCS#11-compatible card applet, PKIApplet. It requires a relatively modern JavaCard version and compatible JavaCards are not always available for individual purchase in the U.S. If you're prepared to really get down and dirty with DIY trickery, you might manage to load PKIApplet onto a JavaCard with GlobalPlatformPro.
Actually using it requires OpenSC, not a shining example of usability or code quality. It requires specific drivers for different cards, each having slightly different personalization procedures. Many of the drivers in it are for cards that can no longer be purchased. PKIApplet appears to have a driver in OpenSC but I haven't gotten an opportunity to test it yet. Much of the tooling you'll find references to in documentation turns out to have expired domains and abandoned SourceForge projects last updated 2002.
The OpenPGP route appears to be a little less sad than the PKCS#11 route, since at least Yubikey maintains a modern OpenPGPApplet.
If your Fortune 100 company's CTO wants to play golf with Gemalto, smart cards are for you. Otherwise, probably not. It makes sense that a modern personal 2FA solution would want to be free of all that legacy.
I've edited this for quite a long time and finally figured out what I really had in my mind. I'm not disappointed it's a new standard or anything like this. I'm disappointed by the fact that this stuff isn't extensible and nothing new can be built upon this.
Not in a sense that no new software can be added to a token, but when you use U2F you just have a means to prove you know some PSK. And that's it. Would the token hold a keypair and use digital signatures instead, it could bring much more possibilities in the long run. Like sending encrypted emails to the token owners, or building a global identity system where identities are something user possesses, not leases from the "identity providers".
However, when I go into Github to turn it on (in chrome using U2F devices I have already used with Google) it says "This device cannot be registered." Even when I remove the device it says that. I'm disappointed that the feature is not working.
https://help.github.com/articles/about-two-factor-authentica...
Notice: load_plugin_textdomain was called with an argument that is deprecated since version 2.7 with no alternative available. in /nas/wp/www/cluster-50027/yubico2/wp-includes/functions.php on line 3510
Notice: Use of undefined constant WOOCOMMERCE_VERSION - assumed 'WOOCOMMERCE_VERSION' in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/woocommerce-wootax/woocommerce-wootax.php on line 552
Fatal error: Class 'WC_Payment_Gateway' not found in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/yubico-payment/yubico-payment.php on line 16
It was cheaper but is more fragile, worked well to test it out.
Now when U2F is getting more support, I think I will buy a Yubikey with U2F.
This is not specific to the MBP as a colleague's ThinkPad had the same problem.