Yubikey
Yubikey
I’ve been reading a lot of cyber-thriller novels recently,
particularly the ones that involve security, malware, and cyber
warfare. Even though the books I’ve read are fictional in nature, it
does escape the mind that some of the storylines in these books
actually exists and is already happening today. And if not, with the
speed of technological advancement today, it’s only going to be a
matter of time until we find these advancements misused by malicious
hackers/actors, state-sponsored cyber warfare divisions, or even the
technologically-advanced drug and online gambling cartel (ala Victor
Bandeira’s Nosso Lugar in Rogue Code).
With these possibilities in mind, and looking forward in what could
possibly lie ahead, I figured I’ll get smart and get Yubico’s
Yubikey NEO. It’s not a security panacea by
all means, but I don’t think it’s just security theatre either. I think
these security keys add value not just in securing my personal online
assets, but also in securing any digital assets at work.
I won’t highlight its features in this post as Yubico’s website above covers pretty
much all there is to know about the Yubikey NEO. But I’ll point what
I’m using it for below:
- PGP/GnuPG, as well as an SSH keystore.
- OTP/TOTP.
- As a security key for sites like Google and Fastmail.
- Static password store.
There are also other features that I might be able to take advantage
of but it’s not urgent for me at the moment. Those four are the major
ones, and the ones that I’ve implemented/executed thus far.
Keystore
As a PGP/GnuPG and SSH keystore, I’ve followed this excellent article.
In fact, that will take you a long way in maximising your Yubikey
especially if you use GPG and SSH in your day-to-day tasks (I do as a developer).
OTP
I’ve also replaced Google Authenticator
with the Yubico Authenticator.
The main difference is that Yubico’s authenticator, with the help of
the Yubikey, generates the OTP on the key itself, rather than on your
mobile phone. If there’s a malware on your phone targeting Google’s
Authenticator, for example, there’s a possibility that the tokens
generated by Google Authenticator may have been tampered with.
Security Key
This only works in Google Chrome at the moment, but another great
feature is the ability to plug-in the key to my USB port, tap the key, and get
authenticated by sites like GMail and Fastmail. This helps with the
non-repudiation of authorized access to these sites.
Static password
Lastly, the Yubikey also supports and can store a static password for
up to 38 characters long. I haven’t used this feature myself but I can
think of use-cases such as machine logins, and password manager logins
with the help on a very long static password. Simply tap the key for
three (3) seconds or longer and it will paste the key in the in-focus
input field in your laptop or desktop computer.
Final thoughts
In conclusion, the Yubikey does add value to securing your digital
assets online, whether they be your email, bank, shopping site, having
a yubikey as an extra line of defense against an increasingly
dangerous web is truly worth the time and effort I’ve put into it.