Yubico

Yubico 5C NFC USB-C Hardware Two Factor Security Key etc

October 8, 2020 by Simon

I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices
Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
Setup two factor authenticator protection at login on Ubuntu or Debian
Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.

I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).

Security Basics

Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…

a) Strong Passwords, Not Reusing Passwords
b) Hacked Websites and Data Breaches

(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)

a) Secure Passwords, Not Reusing Passwords

Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.

If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).

Enter your password into howsecureismypassword.net

I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.

https://howsecureismypassword.net/ 1 day to guess my password

I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.

68 quattuorvigintillion years to gues my password

That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes. Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.

TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.

b) Hacked websites and Data Breaches

How do you know what sites have been hacked?

Enter https://haveibeenpwned.com/

Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.

https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.

https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.

I entered my email address into https://haveibeenpwned.com/

Enter you email address into https://haveibeenpwned.com/

My email address has been found in multiple hacks

A full list of hacked websites with my email and password is displayed.

When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.

Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).

fyi: Awesome Security Now Podcats

If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020. Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.

Password Manager + YubiKey

You are still reading, good. I know this is bad news but you need to know this stuff.

So I hear you say how can I generate (different passwords per site) and store those passwords securely? This sounds like a plug (it’s not) but I use 1Password password manager.

1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.

1Password integrates with HaveIBeenPwned and 1Password 🙂

@1Password just keeps getting better and better. Ping: @troyhunt pic.twitter.com/qTtE6XyoXb
— Grant Harrington (@harringg) May 22, 2018

1Password is the right price for me and for the features it provides.

1Password allows you to generate strong passwords.

fyi: Here is a list of all password managers (some free) at Wikipedia.

Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.

Why Use YubiKeys

If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.

Think of the YubiKey as a physical password that hackers cannot steal.

Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?

My YubiKey’s

YubiKey 4 NEO (Left)
YubiKey 5Ci (Middle)
YubiKey 5C NFC (Right)

My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.

YubiKey 5Ci (for Mobile)

If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Why use NFC?

Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.

YubiKey 5C NFC

On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).

YubiCo YubiKey 5C NFC Welcome Video

The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.

The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.

I went with a Polka Rainbow Cover

My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.

YubiKey Authenticator

When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process

Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds). To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)

Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/

Inserting or Tapping the key will display the linked sites and 6 digit codes.

YubiKey OTP Diagram — Image credit: https://developers.yubico.com/yubioath-desktop/

I have many websites OTP’s stored in my Keys 🙂

How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel

How to find sites that use 2FA/MFA

Head on over to https://twofactorauth.org/.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.

Common Site 2FA Instruction Pages

Here is a list of common social media sites and their instruction pages for enabling 2FA

Buffer: https://blog.bufferapp.com/introducing-the-safest-social-media-publishing-on-the-web
Dropbox: https://help.dropbox.com/security/enable-two-step-verification
Facebook: https://www.facebook.com/help/148233965247823
GMail: https://www.google.com/intl/en-US/landing/2step/features.html
Google Drive: https://www.google.com/intl/en-US/landing/2step/features.html
Linked In: https://www.linkedin.com/help/linkedin/answer/544
One Drive: https://support.microsoft.com/en-us/help/12408/
Pinterest: https://help.pinterest.com/en/articles/two-factor-authentication
Reddit: https://www.reddithelp.com/hc/en-us/articles/360043470031
Snapchat: https://support.snapchat.com/en-US/article/enable-login-verification
Skype: https://support.microsoft.com/en-us/help/12408/
Tumblr: https://www.tumblr.com/docs/en/two_factor_auth
Twitter: https://support.twitter.com/articles/20170388
Yahoo Mail: https://help.yahoo.com/kb/SLN5013.html
WhatsApp: https://www.whatsapp.com/faq/en/general/26000021
WordPress: https://en.support.wordpress.com/security/two-step-authentication/
Zoom: https://support.zoom.us/hc/en-us/articles/360038247071

Using the Yubico 5C NFC on a Computer with no USB C Plug?

My Windows 10 PC has a USB C Plus but its on the rear of my PC.

It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC

I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.

The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.

USB (standard Plug, Lightning or USB C YubiKey have you covered.

https://www.yubico.com/store/

Risks of Hardware 2FA

If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.

I can add multiple YubiKeys to Dropbox

Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)

1Password is great for storing backup codes.

Purchasing a Yubikey 5C NFC

You can buy YubiKey’s from…

Trust Panda: https://www.trustpanda.com.au/products/yubikey-5c-nfc
Mi-Token: https://shop.mi-token.com/#!/public-catalogue
YubiCo Direct :https://www.yubico.com/store/
M. Tech: https://mtechpro.com/product/yubico/
Sektor: https://www.sektor.com.au/Product/MSYK335
Sektor (NZ): https://www.sektor.co.nz/cybersecurity
YubiKey Resellers: https://www.yubico.com/support/shipping-and-buying-information/resellers/

Conclusion

My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.

YubiKey 5C NFC Pros

NFC (I use this a lot on mobile and at work on NFC printers for authentication)
No batteries required
Durable
Multiple usage modes (6 digit codes or insert and press)
Works well on my Android Phone with USB-C Plug
Physical security to back up my online credentials

YubiKey 5C NFC Cons

You need to opt-in on sites to use it (not really a con)
You need a PC with USB C plug to easily access the YubiKey 5C NFC.

The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.

I know companies who were hacked, could not care less if my username and password were breached.

YubiCo YubiKeys allow me to feel safer online

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

July 27, 2020 by Simon

I am a big fan of the Yubico YubiKeys. I have a couple of YubiKey 4 NEO NFC devices. This post will show the Yubico YubiKey 5Ci

Here are my older posts on the YubiKey 4 NEO’s

My YubiKey NEO’s have been set up on sites with ether “Insert and Press” (FIDO U2F) or Insert and copy 6 digit OTP code’s (that is valid for 30 seconds).

When a site requires an OTP code I can insert the key and run the YubiKey Authenticator software on iOS, Android, Mac or Windows (and enter an optional password) where I can see all my defined website OTP’s

I have enabled YubiKey “Insert and Press” and or time-based OAUTH-HOTP protections to as many logins as I can (PayPal, GMail, Google GSuite, DropBox, My Servers (SSH), WordPress, Forums etc).

I use the NFC on the YubiKey NEO to login to my NFC printer at work.

OTP or TOTP and FIDO U2F or Insert and Press

I am not going to not bore you to death with technical details here and I will refer to TOTP as OTP and FIDO U2F (FIDO Universal 2nd Factor) as “Insert and Press”.

Insert and Press is easier to explain than FIDO Universal 2nd Factor.

You can read about each here:

Time-based One-time Password algorithm (TOPT): https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
U2F – FIDO Universal 2nd Factor authentication (Insert and Press): https://www.yubico.com/authentication-standards/fido-u2f/

Find sites that use 2FA

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

You can search for a site (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service (choose the most secure IMHO).

I would recommend you contact website’s that use that does not support 2FA and tell them. If they drag their feet supporting 2FA, I’d leave them.

My NFC Issue

I recently purchased a Flip Wallet/Phone Case with a magnetic back (so I can remove the phone from the wallet), but the magnets cause issue reading NFC on various devices including the YubiKey.

My phone has a poor NFC range at best and my YubiKey NEO cannot be read with my new phone case on. I’ll admit I don’t use NFC anymore on my phone.

Enter the YubiKey 5Ci (with USB-C and Lightning adapter)

Yubico has a YubiKey 5Ci that has a USB-C and Lightning connector for phones and tablets. My phone has a USB C connector and this would work well instead of NFC.

You can buy a YubiKey 5Ci direct here for $70 USD.

YubiKey also make 5CI with transparent plastic

If you are Down Under like me you can order from here https://shop.mi-token.com/#!/public-catalogue and pay in AUD.

YubiKey 5Ci Specifications

USB Type
USB-C, Lightning

NFC-enabled
No

Authentication Methods
Passwordless, Strong Two Factor, Strong Multi-Factor

Productivity & Communication
Google Account, Microsoft account, Salesforce.com | Emerging support for Lightning connector

Password Managers
1Password, Dashlane Premium, Keeper®, LastPass Premium | Emerging support for Lightning connector

Cloud Storage
Dropbox, Google Drive, OneDrive | Emerging support for Lightning connector

Social
Facebook, Twitter, YouTube | Emerging support for Lightning connector

Design & Durability
No Batteries Required, No Moving Parts

Function
WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Open PGP, Secure Static Password

Certifications
FIDO 2 Certified, FIDO Universal 2nd Factor (U2F) Certified

Cryptographic Specifications
RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384

Device Type
FIDO HID Device, CCID Smart Card, HID Keyboard

Manufacturing
Made in USA and Sweden

My YubiKey 5Ci

My YubiKey 5Ci arrived in a small but strong package. Wow this is small.

The back of the 5Ci packaging has clear instructions.

I removed the YubiKey 5Ci from the packaging.

A lightning plug is on the left and a USB-C plug on the right. In the middle is a contact to allow activation.

YubiKey 5Ci, Lightning plug on one end and a USB-C plug on the other end

The YubiKey 5Ci is tiny. It is about 4c long with a hole in the middle to allow me to place it on a key chain.

It is about as wide as 2.5 keyboard keys

I do not use iPhone’s or iPad’s but my wife and child do so the lightning plug may come in handy.

The USB plug however will be using on my Android phone and will replace my NFC on My YubiKey 4 NEO when I transfer connected websites over.

I can see two metal contact points on each side of the YubiKey 5Ci that I can press and activate when in Insert and Press mode

Insert and Press or Enter OTP Code

What is the difference between 5Ci and Insert and Press when logging into sites?

Google will prompt me to insert my YubiKey and press the bottom to log in.

My Nextcloud install will prompt for a OTP code (to obtain this I need to Insert my YubiKey and obtain the OTP code)

WordPress requires my YubiKey’s to be presented at login

I set up my cloud serves to prompt me for a OTP when I log in via SSH. I use MobaXTerm to connect to my servers.

I need to enter an OTP twice as two connections to the server are created (one for the shell and one for the directory listing)

YubiKey 4 NEO v YubiKey 5Ci

Here is a picture comparing my YubiKey NEO and the 5Ci

The 5Ci is thinner and shorter than the NEO

YubiKey Neo 4 NFC and a YubiKey 5Ci

My YubiKey 4 NEO has been used a few thousand times, but it wont plug into my Mobile Phone.

YubiKey 5Ci (USB C) plugged into an Android Phone

I can easily plug the YubiKey 5Ci can plug into my Android Phone (USB C Plug)

My YubiKey Authenticator automatically opens after I insert my YubiKey.

I can access OTP codes in seconds.

Android 10 asked me if the app Yubico Authenticator can access the USB device.

The Yubico Authenticator can be downloaded for Android here

Open YubiKey Authenticator on YubiKey Insert

YubiKey 5Ci (Thunderbolt) plugged into an Apple iPhone

When I insert the YubiKey 5Ci into my wife’s iPhone I can use the key on the iOS version of the authenticator app (download here)

I am prompted to enter the password I have set on the key (nice)

YubiKey 5Ci (USB C) plugged into a PC

I have a USB C port on the back of my PC

Some PC’s have USB C on the front of the PC.

USB to USB Adapter

I purchased an inexpensive USB C to USB adapter to allow me to insert the USB C plug of the YubiKey to the front of my PC

Now I can use the YubiKey 5Ci anywhere.

YubiKey 5Ci Conclusion

I love YubiKeys and 2FA of any kind and I have a key chain with my YubiKey 4 NEO (the backup key stay’s somewhere else) and my 5Ci.

I also carry 2x USB backups (encrypted) and a Tile tracking token.

Pros

Works flawlessly with OTP (HOTP)
Works flawlessly with Insert and Touch (FIDO U2F)
Works well on iOS, Android, Windows, Mac and Linux.

Cons

Black shows dust very well, It would be nice to have them in more colours?

Adding hardware-based 2FA is a long journey but a journey that I don’t regret taking one big. Have a look at https://haveibeenpwned.com/ if you are unsure if this should be your journey. Also, check out the weekly Security Now Podcast for all the news on weekly hacks and security vulnerabilities.

Use the Yubico Quiz to find out what YubiKey us best for you.

https://www.yubico.com/quiz/

Troubleshooting

N/A

v1.0 Initial Version

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

October 28, 2018 by Simon

Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app

I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line.

Why Secure WordPress

WordPress CMS is a widely targeted CMS for hackers. View the official WordPress stats on WordPress Version/PHP and MySQL Version. View WordPress vulnerabilities here.

Read the Sucuri 2017 report on reported WordPress Hacks here (spoiler 34,371 infected websites in 2017).

Plugins exist to secure and scan WordPress. Read my blog post here on the now-retired Gravityaity Scan plugin and the awesome WordFence security plugin.

You (and hackers) can scan your site with https://wpscans.com/ or other open-source tools like wp-scan from OWASP ZAP. If you manage a WordPress site I’d recommend you install Kali Linux to scan your site.

Running a wp scan in Kali Linux is easy.

wpscan --url https://fearby.com --debug-output 2> ~/Desktop/wpscan.txt

The output from the Kali Linux wpscan tool

What are Hardware YubiCo YubiKeys

Read my guide here to see what YubiCo YubiKeys are and how to use them.

Get the Two-Factor Plugin for WordPress Plugin

Plugin: https://en-au.wordpress.org/plugins/two-factor/

Two-Factor

Plugin Page at WordPress.org

The source code for this plugin is available (nice): https://github.com/georgestephanis/two-factor. This plugin was updated 2 weeks ago (nice).

Downloading the Plugin

FYI: I do not allow downloading or updating of plugins in WordPress (via FTP), I prefer SSH manual downloading. FTP plugin installation and updating are not allowed on my site.

I got the latest download URL (e.g. https://downloads.wordpress.org/plugin/two-factor.zip) by copying the URL from the download button above.

I connected to my server via SSH and navigated to my WordPress plugin folder

cd /your-www-root/wp-content/plugins

I download the plugin.

[email protected]:/your-www-root/wp-content/plugins# wget https://downloads.wordpress.org/plugin/two-factor.zip
--2018-10-28 14:44:27--  https://downloads.wordpress.org/plugin/two-factor.zip
Resolving downloads.wordpress.org (downloads.wordpress.org)... 198.143.164.250
Connecting to downloads.wordpress.org (downloads.wordpress.org)|198.143.164.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47882 (47K) [application/octet-stream]
Saving to: 'two-factor.zip'

two-factor.zip                             100%[=======================================================================================>]  46.76K  --.-KB/s    in 0.001s

2018-10-28 14:44:27 (37.1 MB/s) - 'two-factor.zip' saved [47882/47882]

I extracted the plugin zip file

[email protected]:/your-www-root/wp-content/plugins# unzip two-factor.zip
Archive:  two-factor.zip
   creating: two-factor/
   creating: two-factor/assets/
  inflating: two-factor/assets/banner-1544x500.png
  inflating: two-factor/assets/banner-772x250.png
  inflating: two-factor/assets/icon-128x128.png
  inflating: two-factor/assets/icon-256x256.png
  inflating: two-factor/class.two-factor-core.php
   creating: two-factor/includes/
  inflating: two-factor/includes/function.login-header.php
   creating: two-factor/includes/Google/
  inflating: two-factor/includes/Google/u2f-api.js
   creating: two-factor/includes/Yubico/
  inflating: two-factor/includes/Yubico/U2F.php
   creating: two-factor/providers/
  inflating: two-factor/providers/class.two-factor-backup-codes.php
  inflating: two-factor/providers/class.two-factor-dummy.php
  inflating: two-factor/providers/class.two-factor-email.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin-list-table.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin.php
  inflating: two-factor/providers/class.two-factor-fido-u2f.php
  inflating: two-factor/providers/class.two-factor-provider.php
  inflating: two-factor/providers/class.two-factor-totp.php
   creating: two-factor/providers/css/
  inflating: two-factor/providers/css/fido-u2f-admin.css
   creating: two-factor/providers/js/
  inflating: two-factor/providers/js/fido-u2f-admin-inline-edit.js
  inflating: two-factor/providers/js/fido-u2f-admin.js
  inflating: two-factor/providers/js/fido-u2f-login.js
  inflating: two-factor/readme.md
  inflating: two-factor/readme.txt
  inflating: two-factor/two-factor.php
  inflating: two-factor/user-edit.css

Enable the Plugin

Don’t forget to update the plugin in WordPress.

Once the plugin is enabled I can setup Two-factor authentication

Edit your Users

To setup two-factor authentication open your WordPress users screen (/wp-admin/users.php).

Notice the Two-Factor column

Edit your desired user to enable two-factor login options

Scroll down to Two Factor Options header, you will see a QR code that you can scan with your two-factor authentication app (e.g Google Authenticator or YubiCo Authenticator).

Always generate and save backup codes in case you lose your YubiKeys or authenticator app.

You can enable authentication methods as required.

Add the code to your Authenticator app. I will add mine to my Yubico Authenticator app that requires the insertion of a physical YubiKey. I can read my YubiKey via NFC and use my mobile phone to generate one time passwords too. Read here to learn about YubiKey 2FA (touch) devices. I have secured my Ubuntu/Debian and macOSX with these keys,

TIP: Don’t forget to save the user after editing.

Add the YubiKey 2FA (touch) to WordPress logins.

While editing a user click Register New Key under Security Keys

Add your primary and backup YubiKey as required (I added both of mine).

Enable all desired 2FA options

Email (OFF)
Time based One-Time Password (Authenticator App) (ON)
FIDO Universal 2nd Factor (U2F) – YubiKey Insertion and touch (ON)
Backup Codes (ON)

TIP: Don’t forget to save the user after editing.

Users Table

Aim to set up every user who has access to your WordPress to use 2FA.

Mobile 2FA login

I tested logos via mobile and I was prompted to tab my YubiKey to my phone. Nice.

What happens at login?

When One Time Password is enabled as the primary authentication method I am prompted for a one-time password after entering my username and password. I then need to insert my YubiKey (or tap the YubiKey to my phone (via NFC)) to generate a one time password.

When FIDO is enabled I need to insert my YubiKey and press the button.

Conclusion

I can now secure my WordPress site with 2FA protections without expensive security plugins.

I hope this guide helps someone.

More

Setup two factor authenticator protection at login on Ubuntu or Debian

October 14, 2018 by Simon

This is a quick post that shows how I set up two-factor authenticator protection at login on Ubuntu or Debian

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Now on with the post.

Backup

I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will rollback.

Why Setup 2FA on SSH connections

1) Firewalls or whitelists may not protect you from detection.

2) SSH authorisation bypass bugs may appear.

I’ve just relased libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm

— Andreas Schneider (@cryptomilk) October 16, 2018

2FA authorisation is another lube of defence.

Yubico Yubi Key

Read my block post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Timezone

It is important that you set the same timezone as the server you are trying to secure two 2FA. I can run this command on Linux to set the timezone.

On Debian, I set the time using this guide.

dpkg-reconfigure tzdata

Check the time command

> timedatectl
> Local time: Tue 2019-06-25 16:45:20 UTC
> Universal time: Tue 2019-06-25 16:45:20 UTC
> RTC time: Wed 2019-06-26 02:37:44
> Time zone: Etc/UTC (UTC, +0000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

sudo hwclock --show

I set the timezone

> sudo timedatectl set-timezone Australia/Sydney

I confirmed the timezone

> timedatectl
> Local time: Wed 2019-06-26 02:47:42 AEST
> Universal time: Tue 2019-06-25 16:47:42 UTC
> RTC time: Wed 2019-06-26 02:40:06
> Time zone: Australia/Sydney (AEST, +1000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

I installed a npt time server

I followed this guide to install an NTP time server (failed at: ntpdate linuxconfig.ntp) and this guide to manually sync

I installed the Google Authenticator app

sudo apt install libpam-google-authenticator

sudo apt-get install libpam-google-authenticator

Configure Google Authenticator

Run google-authenticator and answer the following questions

Q1) Do you want authentication tokens to be time-based (y/n): Y

You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps,

TIP: Write down any recovery codes displayed

Scan the code with your 2FA Authenticator app (e.g Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io)

The 2FA code is now available for use in my YubiCo Authenticator app

Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y

Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y

Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y: Y

Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y

Review Google Authenticator Config

sudo nano ~/.google_authenticator

You can change this if need be.

sudo nano ~/.google_authenticator

Edit SSH Configuration (Authentication)

sudo nano /etc/pam.d/sshd

Add the line below the line “@include common-auth”

auth required pam_google_authenticator.so

Comment out the following line (this is the most important step, this forces 2FA)

#@include common-auth

Edit SSH Configuration (Challenge Response Authentication)

Edit the ssh config file.

sudo nano /etc/ssh/sshd_config

Search For

ChallengeResponseAuthentication

Set this to

yes

Ensure the following line exists

UsePAM yes

Add the following line

AuthenticationMethods publickey,password publickey,keyboard-interactive

Edit Common Auth

sudo nano /etc/pam.d/common-auth

Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”

auth required pam_google_authenticator.so

Restart the SSH service and test the codes in a new terminal before rebooting.

TIP: Do not exit the working connected session and you may need it to fix issues.

Restart the SSH service a tets it

/etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.

If you have failed to set it up authenticator codes will fail to work.

Failed attempts

Further authentication required
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:

When it is configured OK (at login SSH connection) I was prompted for further information

Further Information required
Using keyboard-interactive authentication
Verification Code: ######
[email protected]#

I am now prompted at login to insert a 2FA token (after inserting my YubiKey)

Turn on 2FA on other sites

Check out https://www.turnon2fa.com and tutorials here.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.4 June 2019: Works on Debian 9.9

V1.3 turnon2fa.com

V1.2 ssh auth bypass

v1.1 Authenticator apps

v1.0 Initial Post

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

October 4, 2018 by Simon

This post aims to show you how you can use a Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and other software and services.

Background

Although I am a developer I do like security related topics and I try and do as much as I can to secure my systems and applications. Reading the Multi-Factor Authentication Wikipedia page has all the details on Multi-Factor authentication.

I have been a big fan of 1Password to generate strong and unique passwords for separate accounts for a while now. Read my guide on upgrading from a standalone 1Password licence to a 1Password subscription. I love generating unique and complex passwords with 1Password.

But what happens if someone gets access to my 1password vault? Yubico has a catalogue of support services that I can use Yubikeys with to have, 1password is one supported service 🙂

I want to add Yubico protections with these services.

macOS Logins (DONE)
macOS Screensavers (DONE)
1Password (DONE)
Dropbox (DONE)
Twitter (DONE)
Google (DONE)
Google GSuite (DONE, WAITING TO VERIFY)
Google GMail (DONE)
Google Analytics and AdSense (DONE)
Github (DONE)
Thunderbird Email (DONE)
Debian servers in the cloud (SSH) (DONE)
Ubuntu servers in the cloud (SSH) (DONE)
Securing WordPress (DONE)

Etc

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

A) Have backups of your data
B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

General

General Yubico YubiKey Setup guides https://www.yubico.com/setup/

Buying a Yubico YubiKey

International visitors can buy a YubiKey from the official store here. Australian readers can buy a key locally here. I grabbed 2x YubiKey YubiKey Neo 4 (with NFC) for $50 USD (about $75 AUD) each.

This blog post will aim to show how you can set up a primary key and backup key for use on macOS and other apps to add hardware-based two-factor authentication to logins.

Authenticator Apps

You can use Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io

Plugging the YubiKey into macOS Mojave

First I read this guide: https://www.yubico.com/works-with-yubikey/catalog/macos/

1) I plugged in my Yubico Neo key into my USB slot.
2) I closed the Keyboard setup window that appeared (I guess the YubiKey is a kind of a keyboard to allow inserting of challenge-response character streams into apps and websites).

3) I followed the basic troubleshooting page and confirmed that the key was being detected (yes it was.)

4) I followed this guide to test U2F functionality and this guide to test OTP functionality. Web pages and Google Chome can talk to the plugged-in YubiKey(s).

I was prompted to register a UTF deice (and create an account)

I was prompted to (insert) and touch my Yubico key.

Google Chome asked for some permissions first.

FYI: Chrome 67 is recommended to securely allow the reading of UbiKey’s from web pages. Only allow sites you trust access to your USB devices and use a modern browser.

Success, Chrome could now see my YubiKey and my device was now verified.

Technical data is available to let you know what is going on in the background. I am not going to break down how this works but Yubico has in-depth whitepapers and documentation if you are interested.

Nice

Configuring OSX

I logged into my Mac with the account that I was going to secure.

I performed a complete time machine backup before proceeding. If you lock yourself out you will need to restore OSX from a Time Machine backup.

I Read the “Using Yubico Pluggable Authentication Module (PAM) with Challenge-Response” login guide: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

I downloaded the Download the YubiKey Manager

I downloaded the yubikey-manager from here so I could configure the keys to use “HMAC-SHA1 Challenge-Response”.

Oops, I downloaded the wrong tool, good to know this one exists though.

I will update what this tool does in future (update firmware?)

I Downloaded the Yubikey Personalization Tool

I went back to the Yubico download page and downloaded the Personalization tool.

Many options are available here.

It’s time to configure a primary and backup (duplicate YubiKey) for use with macOS etc.

Enable Challenge-Response

I opened the YubiKey Personalization Tool, Inserted my primary key, clicked the Settings tab, and in the Logging Settings group, selected Log configuration output and Yubico format.

I then clicked on the Challenge Response Tab, clicked the HMAC-SHA1 button, selected Configuration Slot 2, ticked “Program Multiple YubiKeys“, changed the “Parameter Generation Scheme = Same for all Keys“, Selected “Fixed 64 byte input” under “HMAC-SHA1 Parameters” and generated a new key (wrote it down).

Under “Configuration Protection” then I selected Enable Protection” I then visited here and generated a 6 digit string to convert to hex array (with spaces (e.g: “70 61 73 73 77 64”)).

Warning: If you set an access code and later forget it, you cannot make any programming changes to this YubiKey. You would need to buy another YubiKey.

I clicked on Write Configuration

If you chose Configuration Slot 1 you will receive a warning about not saving over Configuration Slot 1 due to Yubico VIP/Symantec, I personally do not trust Symantec or the https://vip.symantec.com/ service due to Symantec issuing non-compliant certificates for use on websites. Yubico allows you to swap configuration slots if want to keep the configuration data.

On the output of the first write, I was prompted to save a file. I saved this to “secretkey.csv” onto the Desktop.

When the write to my primary key was successful, I ejected it then inserted my backup key and wrote the same configuration data to it too (on Configuration Slot 2).

Testing the HMAX-SHA1 Challenge

I open the YubiKey Personalization Tool, then click the Tools tab and click Challenge Response. Choose Configuration Slot 2, I selected HMAC-SHA1. I typed a sample input challenge (e.g “hello world”) and clicked Perform.

I noticed the Yubico key touch panel was flashing. I pressed the button, then a response appeared below the input textbox. I copied this response text then insert your second key and perform the same test so I could compare the responses (they should be the same). They were.

If the responses don’t match rewrite the configuration to your primary and secondary keys and ensure the same key and secret was used for both keys.

FYI: I rewrote configuration a few times until I got it right.

Installing the Pluggable Authentication Module (PAM) on macOS

I re-read the Mac login guide here as I don’t want to lock myself out of my Mac.

I opened the Yubico Software Download page here and clicked Computer Login Tools and downloaded the PAM for Mac.

I installed the PAM package and verified the package installation with this command.

ls -al /usr/local/lib/security

Output:

Text Output:

> drwxr-xr-x 3 root wheel 96 9 Oct 10:29 .

> drwxrwxr-x 74 simon admin 2368 9 Oct 10:29 ..

> -rwxr-xr-x 1 root wheel 143172 20 Apr 21:13 pam_yubico.so

Backup macOS

Again I ensured my Mac was backed up with Time Machine.

I logged in to my Mac with the account I wanted to be protected with the Yubico YubiKeys.

I ran the following command in terminal

mkdir –m0700 –p ~/.yubico

I double checked that my Yubico key(s) were set up for challenge response (above).

I inserted my Uubico key and ran this command

ykpamcfg -2

Feel free to read the “ykpamcfg” manual here. The yubico-pam source code is located here.

Output:

The contents of “/Users/simon/.yubico/challenge-#######” looked like (I replaced 232 random chars with #’s below). The filename ended with my keys serial number.

v2:########################################################################################################################################################################################################################################:10000:2

Next, I was supposed to copy the challenge output from ykpamcfg to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] with this command..

sudo cp /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] /Users/[USERNAME]/.yubico

But I had this error.

No such file or directory

Weird as the source file existed?? macOS issues?

I Opened /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER] in the nano editor (sudo elevated process) and saved the file to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

I reopened my terminal and verified the contents of /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER]. The file is now there.

Permissions on the file is “-rw——-“. Good.

I inserted my second backuP key and re-ran “ykpamcfg -2” and copied the file to “/Users/simon/.yubico”

I verified the file contents

sudo cd /var/root/.yubico/
ls -al

Output

Text Output:

> drwxr-xr-x 4 root wheel 128 9 Oct 09:50 .
> drwxr-x— 12 root wheel 384 9 Oct 09:39 ..
> -rw-r–r– 1 root wheel 244 9 Oct 09:50 challenge-#######
> -rw-r–r– 1 root wheel 244 9 Oct 09:42 challenge-#######

Snip from: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

“Program at least two YubiKeys when implementing a requirement for authentication with a YubiKey on your Mac. If you configure only one YubiKey and something happens to the YubiKey, you must restore the Mac from a Time Machine backup that you created before editing the authorization file before you can log back in to your account. ”

Reading the guide regarding multiple accounts (setting up a Key for each login). I have 5 logins on my Mac but when this works I will disable the other accounts from logging in.

Enable the use of the Yubico key when the screensaver is deactivated on macOS

I opened a terminal and edited “/etc/pam.d/screensaver ” (I use the easier nano editor)

sudo nano /etc/pam.d/screensaver

I added this line

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

I tested my screensaver and no extra protection was provided (the screensaver just exited).

I rebooted, still no change?

I reinstalled the PAM module.

Silly me, I needed to enable the password on the screensaver to then activate the /etc/pam.d/screensaver entries.

I enabled the screensaver passwords

I am now prompted to enter my password and inset and tap my Yubico Key on screensaver exit (on both keys). Awesome.

Next, I need to enable this at macOS login.

Enable the use of the Yubico key at macOS Login

I edited /etc/pam.d/authorization file with nano in the terminal

sudo nano /etc/pam.d/authorization

I added the same line as was added to the file /etc/pam.d/screensaver

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

Now let’s log out and test this.

It’s working.

Excellent

Add Two Factor Authentication to 1Password

Here is a guide on using the Yubico YubiKey with 1Password. This directed me to https://support.1password.com/yubikey/

I downloaded the Yubico Authenticator app on macOS and installed it.

After I inserted my primary Key I received a “No Credentials Found”message.

I logged into https://my.1password.com/signin and clicked My Profile.

I clicked More Actions then Turn On Two-Factor Authentication

I added the generated QR code details to the Android Authenticator and macOS Yubico Authenticator app. At first, I could not scan the QR code in macOS (was Mojave blocking this?), I manually entered the details (after confirming them from the Android app QR code scan).

Details:

Issuer: 1Password
Account Name: my.1password.com
Secret Key: ###################
Time: 30
Algorithm: SHA-1
Period: 30
Digits: 6

Now, 1Password web and the desktop app are asking for the 2-factor code (generated in the Yubico Authenticator app after I insert my YubioKey).

Nice

I logged off and I was not prompted for my Two Factor code?

Snip from: https://support.1password.com/two-factor-authentication/

“Your 1Password account is now protected by two-factor authentication. From now on, you’ll need to enter a six-digit authentication code from your authenticator app when you sign in to 1Password on a new device.”

I logged in to 1Password from Google Chrome on Android and indeed I was prompted for a two-factor auth code form the Yubico Authenticator app (with a KubiKey inserted).

Add Two Factor Authentication to Dropbox
I read https://www.yubico.com/works-with-yubikey/catalog/dropbox-personal/. Dropbox also has setup instructions here.

I logged into Dropbox and went to Settings then Security then clicked Add next to Security Keys

I started the Wizard, entered my Dropbox password, then inserted my YubiKey.

Name the Key

I added my Primary and Backup Key(s)

I logged out and back in and no Security Key prompt?

I am using Chrome and had cleared past browsers from the Dropbox list of web browsers at https://www.dropbox.com/account/security

I discovered that I need to set the primary authentication method to Use Mobile App (My Bad, it would be nice if Dropbox set this as default after I added the keys).

I added the Dropbox QR code to the Yuboico Authenticator app

I was asked to enter a 6 digit code from my Yubico Authenticator app to verify the working link. I inserted my YubiKey into my machine to show the code.

Now Dropbox is configured 🙂

Success

I now have to insert my primary key when logging into Dropbox

I need to find a way to copy my Authenticator credentials to my Backup Key from my Primary key

Add Two Factor Authentication to Twitter

I read https://www.yubico.com/works-with-yubikey/catalog/twitter/ (Setup Instructions)

1) Login to Twitter

2) Open your Settings and Look For Security

3) Click Start

4) Enter Your Password

5) Accept and enter any SMS codes if you set up SMS Two Factor codes via SMS

6) Click “Review your login verification methods”

7) Click “Setup Key”

8) Insert Your YubiKey and follow the prompts to activate it.

9) Now the key will be requoted to log in to Twitter

Testing Two Factor Login to Twitter

I logged out of and back into Twitter but the SMS Two Factor Authentication method was still active?

I tried to disable the SMS method in Twitter but two factor was disabled altogether and the registered key was deleted. I re-added my key 🙁

I solved this by choosing “Choose a different verification method” when logging in then choosing “Use your security key“, Twitter then accessed my YubiKey and further login attempts used the key instead of SMS 🙂 I could use an Authenticator code but they YubiKey touch method is quicker.

Done

It would be nice if Twitter allowed multiple keys to be used to log in?

Add Two Factor Authentication to Google, Google cloud, Gsuite etc

I read https://www.yubico.com/works-with-yubikey/catalog/google-accounts (Instructions https://myaccount.google.com/).

Adding two Factor authentication details to Google was not easily accessible at Google so I Googled (lol) this https://support.yubico.com/support/solutions/articles/15000006418-using-your-yubikey-with-google

I loaded: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome

I clicked Get Start

I clicked Choose Another Option (not SMS Two factor)

Clicked Security Key

As prompted I inserted my key and allowed access to it.

I named the Key

I repeated the steps and added my 2nd key.

Done

I logged out my https://myaccount.google.com and logged back in and I was prompted to insert my YubiKey

Nice

I did try and login to my google GSuite account at https://admin.google.com but it did not prompt me to insert a key. I will do this next.

Add Two Factor Authentication to GSuite

I logged into the GSuite admin interface at https://admin.google.com/ I generated some backup codes in case I need them in the future.

I checked my main admin user account and I could see the 2 google security keys synced through from Google.

I then searched GSuite for “Two Factor” and loaded the “Enforcement” Page

I enabled “Turn On Enforcement Now”

I enabled “Only Security Keys”

I logged out and back into https://gsuite.google.com/ TWICE and no security key prompt.

Silly me: I forgot to click save at the bottom of the screen and it appears there is a 24-hour delay?

Add Two Factor Authentication to GMail

This is already done (above), GSuite email takes up to 24 hours to become active, GMail is instant.

Add Two Factor Authentication to Google Analytics

I can’t see an option to turn Two Factor Auth on in Google Analytics 🙂

I did send feedback to the Google Analytics team.

Add Two Factor Authentication to Google Adsense

I can’t see an option to turn Two Factor Auth on in Google Adsense either 🙂

I did send feedback to the Google AdSense team.

Add Two Factor Authentication to Github

I logged into Github, opened my Settings and clicked Security then Enable two-factor authentication

Click Setup using an app save the recovery codes.

Open the Yubico Authenticator app (ensure you can see the QR Code in GitHub)

In the Yubico Authenticator, App click File then Scan QR Code

The GitHub details should be added to the Authenticator

Two Factor via authenticator tokens is enabled and now I can see a Keys options,

I clicked Add next to security keys then Register New Device, I gave the key a name then clicked Add.

I added both keys then I Logged out and back in and two factor was enabled by YubiKey 🙂

Add Two Factor Authentication to Debian servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

Add Two Factor Authentication to Ubuntu servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

YubiKey Support

There are loads of Yubico support articles here: https://support.1password.com/yubikey/

Yubico Developer Info

A GitHub repository of source code is located here: https://github.com/Yubico

Other developer related pages here

Securing WordPress

Read this guide on Securing WordPress with 2FA (YubiKey insertion or Authenticator app).

I found a good WordPress plugin to handle 2FA logn methods.

I am prompted to insert my YubiKey after logging into WordPress.

Nice

Java Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has Java repository that contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTP’s (One-Time Passwords).

https://developers.yubico.com/yubico-java-client/

PHP Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has PHP library ad source code but it has not been updated in 3 years. I cannot get this working on PHP 7.2.

https://github.com/Yubico/php-yubico

Using Yubico YubiKeys as 2fA with one-time Passwords.

The YubiKeys can be used to store and generate one time passwords.