Yubico

Yubico Security Key NFC

February 23, 2022 by Simon

fyi: My Past YubiKey Reviews

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Security Key Series

Introducing the Security Key NFC by Yubico simplified tap and go security key that works on Windows 10 (I tested on Windows 11), iOS and Android devices.

Yubico Security Key NFC USB-A and USB-C Variants — USB-A and USB-C Variants

Looking at the Yubico Compare Products Page I can see the Security Key series is half the price of the Standard YubiKey 5/YubiKey 5 FIPS and YubiKey BIO keys.

The Yubico Security Key NFC does have some missing features like

Yubico OTP
OATH – HOTP (Event)
OATH – TOTP (Time)
OpenPGP
Yubico Authenticator OTP Storage
No Computer Login (Windows, Mac or Linux)
- Windows
etc

I like the USB-C format over USB-A as my desktop, Mac and phone all have USB-C plugs.

YubiKey Plugged into a UBS-C Port — YubiKey Security Key USB-C Plugged into a MacBook Pro

My growing YubiKey Collection.

A) YubiKey 4 NEO
B) YubiKey 5Ci
C) YubiKey Security Key C NFC
D) YubiKey Security Key NFC

Seting up the Security Keys

YubiKey do have a setup guide here Let’s get started with your YubiKey (yubico.com)

YubiCo’s wizard allows you to select what services to setup and they provide a video or text based setup guide.

I also set a Key pin with the YubiKey Manager software

Heavy Use (Time To Replace)

My YubiKey 4 NEO (left) has been inserted into my USB A port about 1/2 a million times

YubiKey 4 NEO (left), YubiKey Security Key NFC (right)

Where to Use the New Key

I will use the key wherever I can insert and tap the key. I have immediately added these keys to th efollowiung apps and sites

2FA Directory is a great site for browing what site(s) by category listing is they support 2FA or not.

Social Category

I have linked the new keys ot my critical sites

I now have a few keys added to critical site and I can put my keys in multiple safe places for backup.

Site A

Site B

Site C

Job done

Security Key Cons

No OATH – TOTP (6 digit code based Two Factor Authentication) like on more expensive keys
Setting a password with the YubiKey Manager is a bit hidden

Security Key Pros

Low Price
Simple Tap to Sign in (when setup)

Yubico 5C NFC USB-C Hardware Two Factor Security Key etc

October 8, 2020 by Simon

I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:

At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.

I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).

Security Basics

Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…

a) Strong Passwords, Not Reusing Passwords
b) Hacked Websites and Data Breaches

(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)

a) Secure Passwords, Not Reusing Passwords

Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.

If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).

Enter your password into howsecureismypassword.net

I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.

https://howsecureismypassword.net/ 1 day to guess my password

I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.

68 quattuorvigintillion years to gues my password

That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes. Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.

TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.

b) Hacked websites and Data Breaches

How do you know what sites have been hacked?

Enter https://haveibeenpwned.com/

Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.

https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.

https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.

I entered my email address into https://haveibeenpwned.com/

Enter you email address into https://haveibeenpwned.com/

My email address has been found in multiple hacks

A full list of hacked websites with my email and password is displayed.

When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.

Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).

fyi: Awesome Security Now Podcats

If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020. Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.

Password Manager + YubiKey

You are still reading, good. I know this is bad news but you need to know this stuff.

So I hear you say how can I generate (different passwords per site) and store those passwords securely? This sounds like a plug (it’s not) but I use 1Password password manager.

1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.

1Password integrates with HaveIBeenPwned and 1Password 🙂

@1Password just keeps getting better and better. Ping: @troyhunt pic.twitter.com/qTtE6XyoXb
— Grant Harrington (@harringg) May 22, 2018

1Password is the right price for me and for the features it provides.

1Password allows you to generate strong passwords.

fyi: Here is a list of all password managers (some free) at Wikipedia.

Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.

Why Use YubiKeys

If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.

Think of the YubiKey as a physical password that hackers cannot steal.

Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?

My YubiKey’s

YubiKey 4 NEO (Left)
YubiKey 5Ci (Middle)
YubiKey 5C NFC (Right)

My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.

YubiKey 5Ci (for Mobile)

If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Why use NFC?

Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.

YubiKey 5C NFC

On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).

YubiCo YubiKey 5C NFC Welcome Video

The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.

The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.

I went with a Polka Rainbow Cover

My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.

YubiKey Authenticator

When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process

Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds). To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)

Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/

Inserting or Tapping the key will display the linked sites and 6 digit codes.

YubiKey OTP Diagram — Image credit: https://developers.yubico.com/yubioath-desktop/

I have many websites OTP’s stored in my Keys 🙂

How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel

How to find sites that use 2FA/MFA

Head on over to https://twofactorauth.org/.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.

Common Site 2FA Instruction Pages

Here is a list of common social media sites and their instruction pages for enabling 2FA

Buffer: https://blog.bufferapp.com/introducing-the-safest-social-media-publishing-on-the-web
Dropbox: https://help.dropbox.com/security/enable-two-step-verification
Facebook: https://www.facebook.com/help/148233965247823
GMail: https://www.google.com/intl/en-US/landing/2step/features.html
Google Drive: https://www.google.com/intl/en-US/landing/2step/features.html
Linked In: https://www.linkedin.com/help/linkedin/answer/544
One Drive: https://support.microsoft.com/en-us/help/12408/
Pinterest: https://help.pinterest.com/en/articles/two-factor-authentication
Reddit: https://www.reddithelp.com/hc/en-us/articles/360043470031
Snapchat: https://support.snapchat.com/en-US/article/enable-login-verification
Skype: https://support.microsoft.com/en-us/help/12408/
Tumblr: https://www.tumblr.com/docs/en/two_factor_auth
Twitter: https://support.twitter.com/articles/20170388
Yahoo Mail: https://help.yahoo.com/kb/SLN5013.html
WhatsApp: https://www.whatsapp.com/faq/en/general/26000021
WordPress: https://en.support.wordpress.com/security/two-step-authentication/
Zoom: https://support.zoom.us/hc/en-us/articles/360038247071

Using the Yubico 5C NFC on a Computer with no USB C Plug?

My Windows 10 PC has a USB C Plus but its on the rear of my PC.

It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC

I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.

The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.

USB (standard Plug, Lightning or USB C YubiKey have you covered.

https://www.yubico.com/store/

Risks of Hardware 2FA

If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.

I can add multiple YubiKeys to Dropbox

Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)

1Password is great for storing backup codes.

Purchasing a Yubikey 5C NFC

You can buy YubiKey’s from…

Trust Panda: https://www.trustpanda.com.au/products/yubikey-5c-nfc
Mi-Token: https://shop.mi-token.com/#!/public-catalogue
YubiCo Direct :https://www.yubico.com/store/
M. Tech: https://mtechpro.com/product/yubico/
Sektor: https://www.sektor.com.au/Product/MSYK335
Sektor (NZ): https://www.sektor.co.nz/cybersecurity
YubiKey Resellers: https://www.yubico.com/support/shipping-and-buying-information/resellers/

Conclusion

My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.

YubiKey 5C NFC Pros

NFC (I use this a lot on mobile and at work on NFC printers for authentication)
No batteries required
Durable
Multiple usage modes (6 digit codes or insert and press)
Works well on my Android Phone with USB-C Plug
Physical security to back up my online credentials

YubiKey 5C NFC Cons

You need to opt-in on sites to use it (not really a con)
You need a PC with USB C plug to easily access the YubiKey 5C NFC.

The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.

I know companies who were hacked, could not care less if my username and password were breached.

YubiCo YubiKeys allow me to feel safer online

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

July 27, 2020 by Simon

I am a big fan of the Yubico YubiKeys. I have a couple of YubiKey 4 NEO NFC devices. This post will show the Yubico YubiKey 5Ci

Here are my older posts on the YubiKey 4 NEO’s

My YubiKey NEO’s have been set up on sites with ether “Insert and Press” (FIDO U2F) or Insert and copy 6 digit OTP code’s (that is valid for 30 seconds).

When a site requires an OTP code I can insert the key and run the YubiKey Authenticator software on iOS, Android, Mac or Windows (and enter an optional password) where I can see all my defined website OTP’s

I have enabled YubiKey “Insert and Press” and or time-based OAUTH-HOTP protections to as many logins as I can (PayPal, GMail, Google GSuite, DropBox, My Servers (SSH), WordPress, Forums etc).

I use the NFC on the YubiKey NEO to login to my NFC printer at work.

OTP or TOTP and FIDO U2F or Insert and Press

I am not going to not bore you to death with technical details here and I will refer to TOTP as OTP and FIDO U2F (FIDO Universal 2nd Factor) as “Insert and Press”.

Insert and Press is easier to explain than FIDO Universal 2nd Factor.

You can read about each here:

Time-based One-time Password algorithm (TOPT): https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
U2F – FIDO Universal 2nd Factor authentication (Insert and Press): https://www.yubico.com/authentication-standards/fido-u2f/

Find sites that use 2FA

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

You can search for a site (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service (choose the most secure IMHO).

I would recommend you contact website’s that use that does not support 2FA and tell them. If they drag their feet supporting 2FA, I’d leave them.

My NFC Issue

I recently purchased a Flip Wallet/Phone Case with a magnetic back (so I can remove the phone from the wallet), but the magnets cause issue reading NFC on various devices including the YubiKey.

My phone has a poor NFC range at best and my YubiKey NEO cannot be read with my new phone case on. I’ll admit I don’t use NFC anymore on my phone.

Enter the YubiKey 5Ci (with USB-C and Lightning adapter)

Yubico has a YubiKey 5Ci that has a USB-C and Lightning connector for phones and tablets. My phone has a USB C connector and this would work well instead of NFC.

You can buy a YubiKey 5Ci direct here for $70 USD.

YubiKey also make 5CI with transparent plastic

If you are Down Under like me you can order from here https://shop.mi-token.com/#!/public-catalogue and pay in AUD.

YubiKey 5Ci Specifications

USB Type
USB-C, Lightning

NFC-enabled
No

Authentication Methods
Passwordless, Strong Two Factor, Strong Multi-Factor

Productivity & Communication
Google Account, Microsoft account, Salesforce.com | Emerging support for Lightning connector

Password Managers
1Password, Dashlane Premium, Keeper®, LastPass Premium | Emerging support for Lightning connector

Cloud Storage
Dropbox, Google Drive, OneDrive | Emerging support for Lightning connector

Social
Facebook, Twitter, YouTube | Emerging support for Lightning connector

Design & Durability
No Batteries Required, No Moving Parts

Function
WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Open PGP, Secure Static Password

Certifications
FIDO 2 Certified, FIDO Universal 2nd Factor (U2F) Certified

Cryptographic Specifications
RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384

Device Type
FIDO HID Device, CCID Smart Card, HID Keyboard

Manufacturing
Made in USA and Sweden

My YubiKey 5Ci

My YubiKey 5Ci arrived in a small but strong package. Wow this is small.

The back of the 5Ci packaging has clear instructions.

I removed the YubiKey 5Ci from the packaging.

A lightning plug is on the left and a USB-C plug on the right. In the middle is a contact to allow activation.

YubiKey 5Ci, Lightning plug on one end and a USB-C plug on the other end

The YubiKey 5Ci is tiny. It is about 4c long with a hole in the middle to allow me to place it on a key chain.

It is about as wide as 2.5 keyboard keys

I do not use iPhone’s or iPad’s but my wife and child do so the lightning plug may come in handy.

The USB plug however will be using on my Android phone and will replace my NFC on My YubiKey 4 NEO when I transfer connected websites over.

I can see two metal contact points on each side of the YubiKey 5Ci that I can press and activate when in Insert and Press mode

Insert and Press or Enter OTP Code

What is the difference between 5Ci and Insert and Press when logging into sites?

Google will prompt me to insert my YubiKey and press the bottom to log in.

My Nextcloud install will prompt for a OTP code (to obtain this I need to Insert my YubiKey and obtain the OTP code)

WordPress requires my YubiKey’s to be presented at login

I set up my cloud serves to prompt me for a OTP when I log in via SSH. I use MobaXTerm to connect to my servers.

I need to enter an OTP twice as two connections to the server are created (one for the shell and one for the directory listing)

YubiKey 4 NEO v YubiKey 5Ci

Here is a picture comparing my YubiKey NEO and the 5Ci

The 5Ci is thinner and shorter than the NEO

YubiKey Neo 4 NFC and a YubiKey 5Ci

My YubiKey 4 NEO has been used a few thousand times, but it wont plug into my Mobile Phone.

YubiKey 5Ci (USB C) plugged into an Android Phone

I can easily plug the YubiKey 5Ci can plug into my Android Phone (USB C Plug)

My YubiKey Authenticator automatically opens after I insert my YubiKey.

I can access OTP codes in seconds.

Android 10 asked me if the app Yubico Authenticator can access the USB device.

The Yubico Authenticator can be downloaded for Android here

Open YubiKey Authenticator on YubiKey Insert

YubiKey 5Ci (Thunderbolt) plugged into an Apple iPhone

When I insert the YubiKey 5Ci into my wife’s iPhone I can use the key on the iOS version of the authenticator app (download here)

I am prompted to enter the password I have set on the key (nice)

YubiKey 5Ci (USB C) plugged into a PC

I have a USB C port on the back of my PC

Some PC’s have USB C on the front of the PC.

USB to USB Adapter

I purchased an inexpensive USB C to USB adapter to allow me to insert the USB C plug of the YubiKey to the front of my PC

Now I can use the YubiKey 5Ci anywhere.

YubiKey 5Ci Conclusion

I love YubiKeys and 2FA of any kind and I have a key chain with my YubiKey 4 NEO (the backup key stay’s somewhere else) and my 5Ci.

I also carry 2x USB backups (encrypted) and a Tile tracking token.

Pros

Works flawlessly with OTP (HOTP)
Works flawlessly with Insert and Touch (FIDO U2F)
Works well on iOS, Android, Windows, Mac and Linux.

Cons

Black shows dust very well, It would be nice to have them in more colours?

Adding hardware-based 2FA is a long journey but a journey that I don’t regret taking one big. Have a look at https://haveibeenpwned.com/ if you are unsure if this should be your journey. Also, check out the weekly Security Now Podcast for all the news on weekly hacks and security vulnerabilities.

Use the Yubico Quiz to find out what YubiKey us best for you.

https://www.yubico.com/quiz/

Troubleshooting

N/A

v1.0 Initial Version

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

October 28, 2018 by Simon

Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app

I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line.

Why Secure WordPress

WordPress CMS is a widely targeted CMS for hackers. View the official WordPress stats on WordPress Version/PHP and MySQL Version. View WordPress vulnerabilities here.

Read the Sucuri 2017 report on reported WordPress Hacks here (spoiler 34,371 infected websites in 2017).

Plugins exist to secure and scan WordPress. Read my blog post here on the now-retired Gravityaity Scan plugin and the awesome WordFence security plugin.

You (and hackers) can scan your site with https://wpscans.com/ or other open-source tools like wp-scan from OWASP ZAP. If you manage a WordPress site I’d recommend you install Kali Linux to scan your site.

Running a wp scan in Kali Linux is easy.

wpscan --url https://fearby.com --debug-output 2> ~/Desktop/wpscan.txt

The output from the Kali Linux wpscan tool

What are Hardware YubiCo YubiKeys

Read my guide here to see what YubiCo YubiKeys are and how to use them.

Get the Two-Factor Plugin for WordPress Plugin

Plugin: https://en-au.wordpress.org/plugins/two-factor/

Two-Factor

Plugin Page at WordPress.org

The source code for this plugin is available (nice): https://github.com/georgestephanis/two-factor. This plugin was updated 2 weeks ago (nice).

Downloading the Plugin

FYI: I do not allow downloading or updating of plugins in WordPress (via FTP), I prefer SSH manual downloading. FTP plugin installation and updating are not allowed on my site.

I got the latest download URL (e.g. https://downloads.wordpress.org/plugin/two-factor.zip) by copying the URL from the download button above.

I connected to my server via SSH and navigated to my WordPress plugin folder

cd /your-www-root/wp-content/plugins

I download the plugin.

[email protected]:/your-www-root/wp-content/plugins# wget https://downloads.wordpress.org/plugin/two-factor.zip
--2018-10-28 14:44:27--  https://downloads.wordpress.org/plugin/two-factor.zip
Resolving downloads.wordpress.org (downloads.wordpress.org)... 198.143.164.250
Connecting to downloads.wordpress.org (downloads.wordpress.org)|198.143.164.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47882 (47K) [application/octet-stream]
Saving to: 'two-factor.zip'

two-factor.zip                             100%[=======================================================================================>]  46.76K  --.-KB/s    in 0.001s

2018-10-28 14:44:27 (37.1 MB/s) - 'two-factor.zip' saved [47882/47882]

I extracted the plugin zip file

[email protected]:/your-www-root/wp-content/plugins# unzip two-factor.zip
Archive:  two-factor.zip
   creating: two-factor/
   creating: two-factor/assets/
  inflating: two-factor/assets/banner-1544x500.png
  inflating: two-factor/assets/banner-772x250.png
  inflating: two-factor/assets/icon-128x128.png
  inflating: two-factor/assets/icon-256x256.png
  inflating: two-factor/class.two-factor-core.php
   creating: two-factor/includes/
  inflating: two-factor/includes/function.login-header.php
   creating: two-factor/includes/Google/
  inflating: two-factor/includes/Google/u2f-api.js
   creating: two-factor/includes/Yubico/
  inflating: two-factor/includes/Yubico/U2F.php
   creating: two-factor/providers/
  inflating: two-factor/providers/class.two-factor-backup-codes.php
  inflating: two-factor/providers/class.two-factor-dummy.php
  inflating: two-factor/providers/class.two-factor-email.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin-list-table.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin.php
  inflating: two-factor/providers/class.two-factor-fido-u2f.php
  inflating: two-factor/providers/class.two-factor-provider.php
  inflating: two-factor/providers/class.two-factor-totp.php
   creating: two-factor/providers/css/
  inflating: two-factor/providers/css/fido-u2f-admin.css
   creating: two-factor/providers/js/
  inflating: two-factor/providers/js/fido-u2f-admin-inline-edit.js
  inflating: two-factor/providers/js/fido-u2f-admin.js
  inflating: two-factor/providers/js/fido-u2f-login.js
  inflating: two-factor/readme.md
  inflating: two-factor/readme.txt
  inflating: two-factor/two-factor.php
  inflating: two-factor/user-edit.css

Enable the Plugin

Don’t forget to update the plugin in WordPress.

Once the plugin is enabled I can setup Two-factor authentication

Edit your Users

To setup two-factor authentication open your WordPress users screen (/wp-admin/users.php).

Notice the Two-Factor column

Edit your desired user to enable two-factor login options

Scroll down to Two Factor Options header, you will see a QR code that you can scan with your two-factor authentication app (e.g Google Authenticator or YubiCo Authenticator).

Always generate and save backup codes in case you lose your YubiKeys or authenticator app.

You can enable authentication methods as required.

Add the code to your Authenticator app. I will add mine to my Yubico Authenticator app that requires the insertion of a physical YubiKey. I can read my YubiKey via NFC and use my mobile phone to generate one time passwords too. Read here to learn about YubiKey 2FA (touch) devices. I have secured my Ubuntu/Debian and macOSX with these keys,

TIP: Don’t forget to save the user after editing.

Add the YubiKey 2FA (touch) to WordPress logins.

While editing a user click Register New Key under Security Keys

Add your primary and backup YubiKey as required (I added both of mine).

Enable all desired 2FA options

Email (OFF)
Time based One-Time Password (Authenticator App) (ON)
FIDO Universal 2nd Factor (U2F) – YubiKey Insertion and touch (ON)
Backup Codes (ON)

TIP: Don’t forget to save the user after editing.

Users Table

Aim to set up every user who has access to your WordPress to use 2FA.

Mobile 2FA login

I tested logos via mobile and I was prompted to tab my YubiKey to my phone. Nice.

What happens at login?

When One Time Password is enabled as the primary authentication method I am prompted for a one-time password after entering my username and password. I then need to insert my YubiKey (or tap the YubiKey to my phone (via NFC)) to generate a one time password.

When FIDO is enabled I need to insert my YubiKey and press the button.

Conclusion

I can now secure my WordPress site with 2FA protections without expensive security plugins.

I hope this guide helps someone.

More

Setup two factor authenticator protection at login on Ubuntu or Debian

October 14, 2018 by Simon

This is a quick post that shows how I set up two-factor authenticator protection at login on Ubuntu or Debian

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Now on with the post.

Backup

I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will rollback.

Why Setup 2FA on SSH connections

1) Firewalls or whitelists may not protect you from detection.

2) SSH authorisation bypass bugs may appear.

I’ve just relased libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm

— Andreas Schneider (@cryptomilk) October 16, 2018

2FA authorisation is another lube of defence.

Yubico Yubi Key

Read my block post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Timezone

It is important that you set the same timezone as the server you are trying to secure two 2FA. I can run this command on Linux to set the timezone.

On Debian, I set the time using this guide.

dpkg-reconfigure tzdata

Check the time command

> timedatectl
> Local time: Tue 2019-06-25 16:45:20 UTC
> Universal time: Tue 2019-06-25 16:45:20 UTC
> RTC time: Wed 2019-06-26 02:37:44
> Time zone: Etc/UTC (UTC, +0000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

sudo hwclock --show

I set the timezone

> sudo timedatectl set-timezone Australia/Sydney

I confirmed the timezone

> timedatectl
> Local time: Wed 2019-06-26 02:47:42 AEST
> Universal time: Tue 2019-06-25 16:47:42 UTC
> RTC time: Wed 2019-06-26 02:40:06
> Time zone: Australia/Sydney (AEST, +1000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

I installed a npt time server

I followed this guide to install an NTP time server (failed at: ntpdate linuxconfig.ntp) and this guide to manually sync

I installed the Google Authenticator app

sudo apt install libpam-google-authenticator

sudo apt-get install libpam-google-authenticator

Configure Google Authenticator

Run google-authenticator and answer the following questions

Q1) Do you want authentication tokens to be time-based (y/n): Y

You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps,

TIP: Write down any recovery codes displayed

Scan the code with your 2FA Authenticator app (e.g Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io)

The 2FA code is now available for use in my YubiCo Authenticator app

Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y

Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y

Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y: Y

Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y

Review Google Authenticator Config

sudo nano ~/.google_authenticator

You can change this if need be.

sudo nano ~/.google_authenticator

Edit SSH Configuration (Authentication)

sudo nano /etc/pam.d/sshd

Add the line below the line “@include common-auth”

auth required pam_google_authenticator.so

Comment out the following line (this is the most important step, this forces 2FA)

#@include common-auth

Edit SSH Configuration (Challenge Response Authentication)

Edit the ssh config file.

sudo nano /etc/ssh/sshd_config

Search For

ChallengeResponseAuthentication

Set this to

yes

Ensure the following line exists

UsePAM yes

Add the following line

AuthenticationMethods publickey,password publickey,keyboard-interactive

Edit Common Auth

sudo nano /etc/pam.d/common-auth

Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”

auth required pam_google_authenticator.so

Restart the SSH service and test the codes in a new terminal before rebooting.

TIP: Do not exit the working connected session and you may need it to fix issues.

Restart the SSH service a tets it

/etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.

If you have failed to set it up authenticator codes will fail to work.

Failed attempts

Further authentication required
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:

When it is configured OK (at login SSH connection) I was prompted for further information

Further Information required
Using keyboard-interactive authentication
Verification Code: ######
[email protected]#

I am now prompted at login to insert a 2FA token (after inserting my YubiKey)

Turn on 2FA on other sites

Check out https://www.turnon2fa.com and tutorials here.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.4 June 2019: Works on Debian 9.9

V1.3 turnon2fa.com

V1.2 ssh auth bypass

v1.1 Authenticator apps

v1.0 Initial Post

Yubico

fyi: My Past YubiKey Reviews

Security Key Series

Seting up the Security Keys

Heavy Use (Time To Replace)

Where to Use the New Key

I have linked the new keys ot my critical sites

Security Key Cons

Security Key Pros

Security Basics

a) Secure Passwords, Not Reusing Passwords

b) Hacked websites and Data Breaches

fyi: Awesome Security Now Podcats

Password Manager + YubiKey

Why Use YubiKeys

YubiKey 5Ci (for Mobile)

Why use NFC?

YubiKey 5C NFC

YubiKey Authenticator

How to find sites that use 2FA/MFA

Common Site 2FA Instruction Pages

Using the Yubico 5C NFC on a Computer with no USB C Plug?

Risks of Hardware 2FA

Purchasing a Yubikey 5C NFC

Conclusion

Links

OTP or TOTP and FIDO U2F or Insert and Press

Find sites that use 2FA

My NFC Issue

Enter the YubiKey 5Ci (with USB-C and Lightning adapter)

YubiKey 5Ci Specifications

My YubiKey 5Ci

Insert and Press or Enter OTP Code

YubiKey 4 NEO v YubiKey 5Ci

YubiKey 5Ci (USB C) plugged into an Android Phone

YubiKey 5Ci (Thunderbolt) plugged into an Apple iPhone

YubiKey 5Ci (USB C) plugged into a PC

USB to USB Adapter

YubiKey 5Ci Conclusion

Troubleshooting

Footer

Popular

Security

Code

Tech

Wordpress

General