What is the Yubikey

The Yubikey [1] is a small device, connected through USB or Lightning, that can provide a number of useful security-related operations. This is something I’ve used for awhile now, but only recently been using it for far more than in the past. Some benefits of the Yubikey include:

1. Ability to assign a pin over your password (PIV), for dealing with your computer.
2. The ability to store GPG keys onto the device (useful for signing, encrypting, and so on)
3. Used as an OTP (dual factor) authentication option for websites.

I’ll talk about each of these below, the motivation for why I use it, and how it can benefit you.

Before I describe the features of the Yubikey, one core concept is worth going over and that’s a fundamental when it comes to authorization when it comes to a computer, application, or the like. Human authentication relies on one of three different methods to identify the person is, who they say they are: [2]

1. “Something you know” - Most commonly a password
2. “Something you have” - Hardware authentication
3. “Something you are” - Fingerprint/face/etc

Most authentication solely relies on the first of these options, but increasingly common is 2-factor authentication. What this means is the ability to have 2 of the 3 options above. This concept is crucial to understanding how the Yubikey can help you.

Ability to assign a pin over a password (PIV)

“Personal Identity Verification” (PIV) [3], is a hardware authentication mechanism that helps with verifying identity when logging into a system. This feature is supported on all major operating systems.

The Yubikey can act as a PIV. From the authentication guides in the introduction, this is a combination of:

1. Something you have - The Yubikey itself.
2. Something you know - The pin to allow authentication against the Yubikey

In my opinion, this is better than the Biometric options (Hello ID, Fingerprint, etc). The reason for this is because Biometric options, solely, rely on a single form authentication (Something you are). While this is better than a password (due to key loggers, side channel attacks - to a degree, and the like), it’s still one form. Furthermore, exploits were found on Biometric authentication where people could unlock the device [4] [5]

The Yubikey supports pin codes of varying lengths (you get to choose), and the pin does get locked out if you attempt, and fail, too many times. For both the standard key, and the admin key, it’s 3 times each. So, 6 guesses total and the device is locked out and requires a reformat (which wipes everything off) [6]. It’s considerably more secure, in my opinion.

My motivation for using a Yubikey for this, besides what’s listed above, is to protect against Keyloggers. When my machine boots up, I enter in a very long password. That gets me into the system. From then on out, all my authentication to administrative functions is done with the Yubikey inserted. Remove the Yubi key allows for password reentry, which I won’t use as policy (only on fresh reboot).

Ability to store GPG keys onto the device.

GPG stands for “GNU Privacy Guard”[7], and is an implementation, and expansion to PGP (Pretty Good Privacy), and is used for a number of tasks:

1. Signing Emails - In a world where emails are spoofed, accounts being taken over, and the like - it’s nice to be able to verify the sender of the email is who they say they are.
2. Authentication Into Systems - GPG keys can be used to authenticate into remote servers using SSH/SFTP/etc.
3. Encryption and Decryption - The ability to encrypt files either for one’s own purpose, or to accept encrypted files from others which you can decrypt with your key.

I honestly wish more people used GPG than do currently. It’s a greatly way to verify a person, and to exchange files. Furthermore, it can be used to encrypt information before it goes into the cloud. Because you own the key, and if generated properly, can be more assured that others won’t get into your files. Largely speaking, people will never receive an email from me that isn’t signed. I make my public key accessible to everyone [8]. GPG is largely secure, if setup and verified properly - but local security may not be fully secure.

That’s where Yubikey comes into play. The Yubikey can store your GPG private keys (up to a limit). For me, personally, I store my master’s public key (non-expiring) on the key, plus 3 subkeys. The 3 subkeys are my signing (emails, git), encrypting (files/folders/loopback), and authentication (ssh/sftp/scp) keys. These are private subkeys and they expire every year. On each machine where my Yubikey is used at, my public keys for these are trusted as ‘ultimate’. The private keys cannot be read from the Yubikey. This protects your private keys.

Proper generation of GPG keys is incredibly important. I won’t go into too many details here, but there’s a good guide [9] that goes over it in great detail. The very very high level summary of this is:

1. Generate your GPG keys offline, on a dedicated OS/host. USB Keychain booting an OS is a good way to do this. Keep it off your primary workstation.
2. Keep your master private key as secure as possible. A LUKS-encrypted drive with an incredibly strong password would be a good option. Do not share this key with anyone.
3. On the YubiKey, the private keys that exist on it are only the expiring subkeys, which can be revoked through commands with your Master private key if anything gets stolen.
4. Your private key(master, or subkeys) should not exist on any workstation, including the one that generates said key. Only your public keys, trusted as “ultimate”.
5. The Yubikey pin (user/admin) are under the same restrictions as the PIV (but different pins). 3 times each, and the device will need to be reset.

I definitely recommend checking out the guide [9] for more setup instructions. I’ll likely write more about this in the future.

My motivation in using the Yubikey is pretty much the above. My non-expiring private key is tightly protected, and something I never want to regenerate (unless we can provide greater than 4096bit in the future). Given where it’s at now, it’d be too insecure/annoying to attach/use for signing - so the subkeys exist. But, I also want to protect the private keys for those. Plus, I use multiple machines, the Yubikey just needs to be inserted and as long as gpg is setup, the rest largely works without too much effort.

Used as OTP

OTP stands for “One Time Password” [10], and is used as a secondary authentication mechanism on a different device to help verify a user (Meets the conditions of “What you know”, and “What you have”).

Cell phones are largely closed source, and have security concerns. These concerns aren’t far from what I listed in the PIV section, but also bad is that the visibility we as consumers have in the devices is far less than what we have in normal operating systems. Even in closed source systems, you can determine what’s running, if a firewall is enabled, if viruses are being scanned, and malware being mitigated. Cell phones don’t offer that same level of transparency. Also, given it’s always connected to the internet, and so many own a cell phone, makes them great targets for hackers. It’s a lot of trust into companies that give us little/no visibility into the underlying system.

Yet, dual factor is still a very useful feature when logging into services. The Yubikey has a few OTP options that provide an alternative to the use of a cell phone/authenticator:

1. Yubico OTP [11] can be used with some websites. This feature allows you to, instead of using your phone for dual factor auth, to touch your Yubikey to log into a web service after a password is provided.
2. OATH [12] can be used much like the programs Microsoft Authenticator, Google Authenticator, and the like. The Yubikey Neo has NFC capabilities where it can be read from the phone, and the other Yubikeys have various inputs that can be inserted into the phone. Furthermore, all of them can be read on the computer - which allows, as long as the Yubikey is inserted, to read the OATH authentication codes from the computer without the aid of a cell phone.
3. Another useful feature is Challenge-response [13], which can be used to add 2-factor auth (in a light way, mind you), to KeypassX databases [14].

My motivation for using this is simply lack of trust with the phone. I don’t want to always have to have my phone with me (and often times don’t), and instead rely on the Yubikey. The NFC version of the Yubikey also has the ability to be scanned by the cell phone, if needed, which would display the codes on your phone if you don’t have your computer with you. Furthermore, the Yubikey has Lightning, USB-A, USB-C, and combinations of them if you’d rather plug it into your phone.

Conclusion

The above is a very, very high level of the Yubikey and only scratches the surface for what you can do with it. This is how I use it. Over time, I’m planning on creating more in-depth articles that talk about setup and security concerns surrounding a lot of the concepts listed above.

References/Sources

• 1: https://www.yubico.com/
• 2: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
• 3: https://piv.idmanagement.gov/elements/
• 4: https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/
• 5: https://www.techtimes.com/articles/244958/20190810/someone-finally-hacks-face-id-but-should-you-be-worried.htm
• 6: https://developers.yubico.com/yubikey-piv-manager/PIN_and_Management_Key.html
• 7: https://gnupg.org
• 8: https://thedarktrumpet.com/dthole.gpg.md
• 9: https://github.com/drduh/YubiKey-Guide
• 10: https://en.wikipedia.org/wiki/One-time_password
• 11: https://developers.yubico.com/OTP/OTPs_Explained.html
• 12: https://developers.yubico.com/OATH/
• 13: https://www.yubico.com/products/services-software/personalization-tools/challenge-response/
• 14: https://keepassxc.org/docs/ - Search for “YubiKey”, about 2/3rd down the page.