FIDO? U2F? What do these mean? Should I go fetch a Yubikey?
September 13, 2017 7:19 AM Subscribe
Is there a concise layperson's guide (i.e. for Dummies) of the advantages and limitations of using a U2F/FIDO/Yubikeys, distills all the jargon (FIDO, U2F) out there, and can recommend which one to use (if any)?
To maintain my security and after reading about the insecurity of SMS/text messages for two-factor authentication, and hearing about USB dongles/hardware devices like yubikeys that uses FIDO/U2F, I'm thinking of using these instead for two-factor authentication. Besides finding this yubikey comparison, I'm still unclear on what type of yubikey (or is Yubikey just a brand?) or FIDO/U2F key to use.
Is this technology mature, stable enough to outweigh the risks of using two factor by SMS? I'm pretty computer savvy (use ubuntu as my desktop) but I'm still leery that these keys are not yet supported in lastpass or firefox yet (or is it lastpass or firefox's fault and should I be using something like a two-factor app like google authenticator instead or just hold out until they support them?
Special snowflake details:
I currently use a cocktail of lastpass, firefox, android, office365, ubuntu, and windows.
To maintain my security and after reading about the insecurity of SMS/text messages for two-factor authentication, and hearing about USB dongles/hardware devices like yubikeys that uses FIDO/U2F, I'm thinking of using these instead for two-factor authentication. Besides finding this yubikey comparison, I'm still unclear on what type of yubikey (or is Yubikey just a brand?) or FIDO/U2F key to use.
Is this technology mature, stable enough to outweigh the risks of using two factor by SMS? I'm pretty computer savvy (use ubuntu as my desktop) but I'm still leery that these keys are not yet supported in lastpass or firefox yet (or is it lastpass or firefox's fault and should I be using something like a two-factor app like google authenticator instead or just hold out until they support them?
Special snowflake details:
I currently use a cocktail of lastpass, firefox, android, office365, ubuntu, and windows.
You can see a list of services that support One-Time Passwords (like Google Authenticator offers) and U2F (Yubikey and others). You can get a sense if you use enough of these services to make it worthwhile for you.
Yubikey is a brand, U2F (Universal 2nd Factor) is the technology. Other companies make U2F keys.
Different keys can do different things, as you can see in your comparison. I have the most basic U2F security key — all it can do is work with U2F applications. It doesn't store passwords or do One-Time Passwords or anything like that. I use mine for Google services, GitHub and Dropbox.
posted by brentajones at 8:15 AM on September 13, 2017
Yubikey is a brand, U2F (Universal 2nd Factor) is the technology. Other companies make U2F keys.
Different keys can do different things, as you can see in your comparison. I have the most basic U2F security key — all it can do is work with U2F applications. It doesn't store passwords or do One-Time Passwords or anything like that. I use mine for Google services, GitHub and Dropbox.
posted by brentajones at 8:15 AM on September 13, 2017
I have a Yubikey nano on my main laptop that I use with Lastpass and my email provider. It works fine with the Lastpass addon in Firefox on Debian. I also have a neo I keep with my keys so I can log in elsewhere, mostly an Ubuntu box. It's a lovely, stable solution for increasing security, and is especially easy with just one touch. I use my phone for 2FA for logging into google services, which I find very annoying by comparison. I did have to make a plan for losing the yubikey, which is basically to buy an extra key, set it up, and then put it in a very safe place. The setup work can be a little involved, but I think it's worth the time to beef up your security arrangements.
Bonus: you can also make yubikeys enter static passwords if you do an extra long touch, which makes it possible to use with a super-secure login password.
posted by Juso No Thankyou at 8:50 AM on September 13, 2017
Bonus: you can also make yubikeys enter static passwords if you do an extra long touch, which makes it possible to use with a super-secure login password.
posted by Juso No Thankyou at 8:50 AM on September 13, 2017
I use my phone for 2FA for logging into google services, which I find very annoying by comparison.
Why? I use a similar setup to yours (Dashlane instead of Lastpass, and some other tweaks) but most of all I use my Yubikey Neo for Google 2FA. I use my phone only as a backup. The Yubikey works fine for Google and you've already got one so... Why not?
OP: Yes, Yubikey is a brand, but it's the brand you want for most services that can use a key.
posted by The Bellman at 2:04 PM on September 13, 2017
Why? I use a similar setup to yours (Dashlane instead of Lastpass, and some other tweaks) but most of all I use my Yubikey Neo for Google 2FA. I use my phone only as a backup. The Yubikey works fine for Google and you've already got one so... Why not?
OP: Yes, Yubikey is a brand, but it's the brand you want for most services that can use a key.
posted by The Bellman at 2:04 PM on September 13, 2017
This thread is closed to new comments.
https://inteltechniques.com/podcast.html
I am still working through everything to set it up well.
Hope this is a good start for you!
posted by jwt0001 at 7:57 AM on September 13, 2017