MSJ is continuously reviewing security standards, tools, and best practices. This research identifies trends and recommendations for our clients. Recent investigations identified hardware security keys as a critical component in the future of network security. To prepare our clients for security keys, I started evaluating a popular option, YubiKey, in a long-term test.
Intro To Hardware Keys
Before providing our observations, I want to give a quick overview of the products.
The development of hardware security keys began as a response to the growing problem of phishing attacks. The hardware keys are passive devices that use public-key cryptography to prove to a service that the person logging in possesses the key registered for that account. The FIDO Alliance defines the cryptographic scheme in a set of open standards. You can see the FIDO2 standard definition online at https://fidoalliance.org/fido2/.
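To show what the FIDO2 challenge-response described above actually buys against phishing, here is an added example in Go that is not from the original post or from Yubico: a stripped-down relying-party check in which the authenticator signs over the relying-party ID and the browser-reported origin, so an assertion collected on a look-alike domain does not verify. The rpID, origin and challenge strings are constructed sample values, and the model omits the flags and counter a real authenticator includes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified FIDO2 assertion model, constructed for this example (not a full WebAuthn implementation).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// buildClientData models the browser: origin is the page the user is actually on.
func buildClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return b
}

func digestFor(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...)) // SHA-256(rpIdHash || SHA-256(clientDataJSON))
	return d[:]
}

// authenticatorSign models the key; the browser derives rpID from the real origin, not from the page.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cdJSON []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digestFor(rpID, cdJSON)) // fails only on a bad key or RNG
	return sig
}

// verifyAssertion is the relying party's check against its own rpID, origin and issued challenge.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, digestFor(rpID, cdJSON), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256 key pair, as a YubiKey holds
	cd := buildClientData("sample-challenge", "https://login.example.com") // constructed values
	sig := authenticatorSign(key, "example.com", cd)
	fmt.Println(verifyAssertion(&key.PublicKey, "example.com", "https://login.example.com", "sample-challenge", cd, sig))
}
```

The same assertion relayed from a look-alike domain fails both checks: the origin in the client data is wrong, and the signature was made over a different rpID hash.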
Why Hardware Keys
As phishing and account takeover attempts increased, Google performed a two-year study on options to protect its employees and assets. The research concluded that security keys were the appropriate solution as they were easy to implement, secure, and user-friendly. Google rolled the solution out company-wide [https://www.yubico.com/about/reference-customers/google/].
The solution was so effective at preventing phishing that it eventually became mandatory for Google's Advanced Protection Program.
YubiKey, made by Google's partner Yubico, was the ideal solution for MSJ with its proven track record and dedication to building keys in the US and Sweden.
Selecting the right YubiKey is the first step in moving forward with this experiment. The first item to consider is how many keys are required. The minimum is two keys per user, in case one is lost. We stuck with only two keys for this experiment. The second item is which type of security key best fits our business workflow. The YubiKey 5 series provides all of the features that we require, as FIPS compliance is not a requirement [https://www.yubico.com/products/].
As we do not have iPhone products to support, we went with the 5C units: all of our phones and MacBooks support USB-C, and we could use a cheap USB-A to USB-C dongle for the Windows computers.
Kicking off the journey
This article will skip the well-documented technical steps to implement the keys. Instead, I will focus on the overall process.
Our first step was to protect GSuite. We disabled SMS authentication on our accounts and enabled YubiKeys. The setup was easy and has remained fully functional from day one.
Our next step was to protect our password manager of choice, Dashlane. Unfortunately, the Dashlane setup did not go smoothly. Initially, Dashlane would not recognize the keys. After several rounds with Dashlane's support, they determined that there were bugs in the Mac implementation of Dashlane, and a software fix was required. It took Dashlane several attempts to get the feature working on the Mac. While the delay was disappointing, the result was fantastic. Two-factor authentication with Dashlane was now effortless with the security key. There was no more swapping to a phone and then copying a code over. Enter your password, tap the YubiKey, and your passwords are all available.
Protecting computers was our next step. For Mac OS, Yubico provided instructions on how to integrate with the Mac OS authentication system. The install is involved, but well documented by the Yubico team. The documentation notes that the latest release of Mac OS, Catalina, is not yet supported. After following the instructions, the implementation was operational. Login required both the password and the YubiKey. Unfortunately, the user interface gives no indication that the key requirement is active, and there is no prompt telling the user that the key is required. Also, Mac OS bypasses the key requirement when logging in with the Touch ID sensor, which is acceptable, in my opinion.
Eventually, the Mac OS setup had additional issues and locked me out of my laptop. I was unable to log in with either key after many attempts. After a bit of research, it was possible to boot the Mac into recovery mode, edit the authentication file that requires the YubiKey, and remove the changes. Because the requirement lives in an editable login configuration rather than in the disk encryption, anyone with recovery-mode access can revert it the same way. The conclusion here is that Mac OS provides a poor interface for YubiKey, and it is easy to bypass, making the solution pointless.
The Windows setup is different. Yubico provides an installer, which makes the Windows install straightforward. The application adjusts the login screen and provides a clear UI to the user that the key is required. Our experience with Windows is a lot more productive and what I expect from OS protection.
Over time, we found and tested other services that support the key. Each web implementation was easy to follow and allowed for multiple keys.
After all of our systems were set up, we continued to test for several months. We never had issues with keys failing, and we found the YubiKey user interface, tapping the key, to be convenient.
The significant change to our life was keeping the key with us at all times. This lifestyle change was easy to implement and has become second nature at this point. At no time did I find myself somewhere without a key when it was needed.
The one use case that was problematic for me was switching between the Windows PC and the Mac. Previously, we mentioned the dongle to use the USB-C key with our Windows desktop. The dongle was not an issue, but we didn't consider having to swap the key between computers repeatedly. As a strict rule, I keep the backup key locked away as a backup. Moving forward, I will order a third key so I can have one in my Mac and one in my Windows computer when sitting at my desk. This minor inconvenience may not affect many people, but a third key is a simple solution.
Except for Mac OS, our experience with YubiKeys has been fantastic. At this point, I cannot recommend YubiKeys to protect a Mac, but the experience has been great for all other use cases. We strongly recommend that all businesses implement YubiKeys to help protect their infrastructure, and we will work with our clients to bring their attention to the solution.