Yubikey - anyone use one?

I’ve been asked by one of my clients to start doing 2FA with a Yubikey on my laptop.

I think it’s overkill for the work I do for them, but I get that strong 2FA is coming in now and will soon be the norm.

So, probably time to embrace it across all devices!

Anyone have experience setting it up and using it on Linux/Android/Windows? The website is not exactly the best, so any good resources?

Currently looking at how to get back into my main Linux box and my Windows laptop if the key breaks, as that would be very bad…

Found this for Linux

The whole point is that you can’t, right? Any way that allows you to get around a broken key, is also a way that allows a bad guy to break into your account without key.

If such a way exists, then it’s a security vulnerability, and I would expect the vendor to eventually fix this.

The key here is to have a backup. Ideally a second yubikey that is registered with your account as backup, and kept in a physically separate location (don’t want to be locked out in case of fire, etc).

Yep, I use Yubikeys - they’re very nice.

I’ve got a Yubikey 4C which sits in my macbook 24/7, it’s so small that it’s barely noticable:

I store my SSH key on it, gpg key, and use it for logging into services which support it (google, github, facebook, etc etc)

2 Likes

I have set it up with a MacBook and Windows Laptop before. I think with a MacBook it was enter a pin number for the key rather than a password, and with Windows it was have the key inserted and enter your normal password. If you didn’t have the key, then it wouldn’t work. There was a way to get it to work so that you didn’t need the key if you booted into safe mode, although that would just be a security risk imo.

For Linux devices, I only really used it to store a SSH Key, in which case your backup is a different SSH Key stored in a secure manor.

Really simple to use, and it doesn’t really add any complexity from the end user perspective in my opinion.

1 Like

Like most things it depends. 2FA is normally set up per account not specific to the computer, so (assuming you build the computer correctly) you could still access the OS but not any data files held by the user.

@Gaoler what kind of windows laptop? Some of them support windows hello which along side bitlocker should be appropriate enough. Otherwise there are a number of methods for 2FA with the Yubikey on windows depending on setup and requirements.

I assume they also want windows encrypted?

1 Like

They’re apparently happy with having their files in an encrypted container/partition, though they’re a bit unclear. “The disk on which you are processing the files must be encrypted”. That sounds like I’m fine as long as I set all my working directories for the client to an encrypted space.

I’m not really sure they’ve thought through the requirements, which isn’t making things easier.

Just a standard Windows 10 consumer laptop. I don’t use it much, but it’s invaluable in an emergency.

It’s slowly dawning on me that this will probably need a system rebuild anyway, which is kind of annoying.

With window you should be ok, you can enable bitlocker at any time this will encrypt everything. The one caveat being you need the right version of Windows 10 (windows 10 pro).

I don’t use one