undefined | Better HN

0 pointshangonhn5y ago0 comments

I had to switch back from Yubikey to TOTP because AWS' CLI tools doesn't work with U2F. This really annoys me.

0 comments

At risk of telling you something you already know: you can use the TOTP mode on the Yubikey, if you’re looking to use it for AWS secrets despite AWS’s lack of support for U2F for CLI workflows.

That at least keeps more of your MFA key material on the hardware token and off of your phone / other shared devices.

The easiest way to do that is via the ykman CLI or Yubico Authenticator application (TOTP secrets stored on the key via either method go to the same place, so you can use both interfaces to access the same codes):

https://support.yubico.com/hc/en-us/articles/360016614940-Yu...

https://www.yubico.com/products/services-software/download/y...

uep5y ago

I've been meaning to buy a Yubikey. What is the best practice for using a security key? Is there a mechanism for backing my keys up somewhere safe so that a loss of key doesn't mean a loss of my accounts?

bostik5y ago

The main idea with a security token is that you can not get the keys out of them.[ß]

So for a truly secure and reliable setup, get three. Enroll them all as parallel 2FA tokens. Keep one with you, one in a relatively easily accessible but non-obvious place, and one in a safe or bank deposit box. That way when the one you have with you breaks or you lose it, promote the secondary to your primary and order a new one to replace the promoted one.

The third is your emergency backup, for when both normally needed keys are destroyed or lost.

Now of course, this only works when the accounts you want to secure allow to enroll more than one FIDO2 token. Which is, sadly, not the most common setup still. For instance AWS only allows to enroll one 2FA token per account.

ß: Some functionality modes allow to extract private keys by design.

3 more replies

lrem5y ago

Buy 3 keys, keep one with yourself, one at home and one in a distant relative's basement. Preferably the latter two in fireproof safes.

Fnoord5y ago

Buy 2. Put one in offsite location (e.g. your notary). I don't have a notary; I got one always in my pocket, and the other one at home in a safe (pickable though). YMMV.

1 more reply

vladvasiliu5y ago

You may want to look into AWS Single Sign-On. In may not be available in the region you're mostly using but that's not necessarily an issue [0].

The service itself is free but requires an identity provider. If you already have a compatible one, you can use it at no additional cost. Otherwise, you'll have to pay for the IdP.

This setup allows you to offload MFA handling to your main IdP with the added bonus of using the same method of authentication, possibly integrated into your OS (for example if using Windows Hello / AzureAD).

At work, we use Azure AD as the IdP for AWS SSO and it works fairly well, aside from Azure's crappy (inexistent) support of security keys outside of Windows.

There is one gotcha with an easy workaround: the SDKs don't usually support the login part of the SSO flow, and sometimes don't support it at all (terraform comes to mind). To work around this, I'm aware of two tools you can use:

* aws-vault [1], which I personally use and works great for setting the required environment variables, no need to actually have it handle any sort of key

* aws-sso-util [2], which I've seen recommended but never tried

---

[0] It may be an issue if you need to use the managed ActiveDirectory service, which needs to be in the same region

[1] https://github.com/99designs/aws-vault

[2] https://github.com/benkehoe/aws-sso-util

remus5y ago

AWS' support for security keys is crap in general. For example, you can only have a single key per account so it's impossible to have a backup key in case you lose your primary key.

rafaelturk5y ago

Hum... I'm the processo to add Yubikey or any U2F to my AWS account, can you share any advice, feedback? Risks, etc?

j / k navigate · click thread line to collapse