Multi-factor authentication (MFA) is generally available these days with popular services e.g. Facebook, Google, Amazon, etc. Even more traditional industries, such as banks, are also doing, slowly, the same. A good mention here for my previous employer, a credit union, that has implemented multi-factor authentication around 2019.
The most common implementation for MFA is probably with a one-time password (OTP) received by SMS. Someone would log in with a username (identity), a password (first factor), and an OTP received by SMS on a phone (second factor). However, there are many discussions about the security of SMS and the public switched telephone network (PSTN). At one point, many people thought the NIST would not even recommend the SMS as an out-of-band authentication with the revision of the NIST Special Publication 800-63B in 2017. The implementation is instead restricted with some recommendations (see 126.96.36.199). That could definitely change in the future. There is also the situation where some methods to deliver an SMS would not confirm the possession of a physical device. For example, if a VoIP service delivers the SMS, it could be from anywhere, and it doesn’t confirm something that someone would have in his possession.
There are actually three different types: something you know, something you have, and something you are. Something you know could be a password or a PIN, something you have could be a physical token or a phone, and something you are could be fingerprints or facial recognition.
The YubiKey from Yubico is a small, but still a powerful device. I got the YubiKey 5 NFC last year which is a USB key and is also NFC enabled. With that device, it’s finally possible to have a physical device to implement strong multi-factor authentication. It’s like in movies when someone needs to log in or activate something really important and that person needs a unique special key to complete his task. So, yes, my YubiKey is mostly always with me. Someone actually needs to have the physical key when configured with services to proceed with the authentication. The multi-factor would often occur with a password, the first factor that someone knows, and the key, the second factor that someone has.
There are many supported technologies with YubiKey such as OTP, FIDO U2F, FIDO2, OpenPGP, PIV, and OATH. It’s required to use the YubiKey Manager to configure the YubiKey options. Here are 3 examples:
The One-Time Password (OTP) option actually allows 4 different types: Yubico OTP, Challenge-response, Static password, and OATH-HOTP. I mostly use this option for a static password that I use when MFA is not available for certain services. For example, if a sensitive website doesn’t implement MFA, my password will be a combination of this static password with a password specific for that website. With that implementation, someone would need to know the static password and the specific password for the website to proceed with the authentication. However, the static password is, well, static. It doesn’t change as a true one-time password valid only once for a specific time period. But, better than nothing. At least, there are two components needed for authentication. One part is, theoretically, only on the YubiKey, and the specific password in a vault.
FIDO2 / FIDO U2F
FIDO2, previously FIDO Universal 2nd Factor (U2F), is truly magical. The technology behind FIDO2 is the Client-to-Authenticator Protocol (CTAP) from the FIDO Alliance and the Web Authentication (WebAuthn) specification from the World Wide Web Consortium (W3C). I got the YubiKey mainly for this feature. Someone would not be able to authenticate without the key connected to the computer. For example, I use the FIDO U2F option with my AWS account. After the first step, where I have to provide a user name and a password, AWS will ask me to connect the YubiKey and press the button on the key. During that process, simply put, there is a challenge-response with a private key on the YubiKey and many security validations. The configuration is as simple as to connect the key when requested by the service. Unfortunately, there are still not enough websites with that implementation.
OATH-TOTP is for the Initiative for Open Authentication (OATH) and Time-based One-time Password (TOTP). This option was actually a nice surprise. It’s the same principle as with the popular Google Authenticator. But, someone would need the Yubico Authenticator installed on a computer or mobile to use this option. The Yubico Authenticator definitely looks like the Google Authenticator. The process is also similar. The application needs to scan a QR code provided by a website server. A new TOTP is then generated every X seconds. The website server exchange a shared secret with the authenticator and this one generate TOTP according to the current time and shared secrets. However, with the YubiKey, shared secrets are actually stored on the key but limited to only 32 OATH credentials. This limit could definitely be higher. The only way to use the Yubico Authenticator is to have the YubiKey connected to the computer to retrieve shared secrets stored there. It is possible to retrieve TOTP with NFC connection which is useful on mobile. This adds a different security layer. For example, if a malicious person knows the mobile PIN, the key is still required.
Speaking of NFC, it’s possible to enable only specific protocols. For now, I only enabled NFC to work with OATH. I’m still a little bit uncomfortable with the other options…