IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

YubiKey 5C NFC

Yubico 5C NFC USB-C Hardware Two Factor Security Key etc

by

I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:

At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.

I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).

Security Basics

Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…

  • a) Strong Passwords, Not Reusing Passwords
  • b) Hacked Websites and Data Breaches

(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)

a) Secure Passwords, Not Reusing Passwords

Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.

If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).

Enter your password into howsecureismypassword.net

I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.

https://howsecureismypassword.net/ 1 day to guess my password

I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.

68 quattuorvigintillion years to gues my password

That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes.  Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.

TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.

b) Hacked websites and Data Breaches

How do you know what sites have been hacked?

Enter https://haveibeenpwned.com/

Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.

https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.

https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.

I entered my email address into https://haveibeenpwned.com/ 

Enter you email address into https://haveibeenpwned.com/

My email address has been found in multiple hacks

Enter you Email.

A full list of hacked websites with my email and password is displayed.

List of hacked websitres

When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.

Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).

Notify Me Form

fyi: Awesome Security Now Podcats

If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020.  Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.

Password Manager + YubiKey

You are still reading, good.  I know this is bad news but you need to know this stuff.

So I hear you say how can I generate (different passwords per site) and store those passwords securely?  This sounds like a plug (it’s not) but I use 1Password password manager.

1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.

1Password integrates with HaveIBeenPwned and 1Password 🙂

1Password is the right price for me and for the features it provides.

1password pricing page

1Password allows you to generate strong passwords.

1Password Password generator

fyi: Here is a list of all password managers (some free) at Wikipedia.

Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.

Why Use YubiKeys

If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.

Think of the YubiKey as a physical password that hackers cannot steal.

Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?

My YubiKey’s

My 3 YubiKeys

My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.

YubiKey 5Ci (for Mobile)

If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Why use NFC?

Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.

YubiKey 5C NFC

On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).

My YubiKeys

YubiCo YubiKey 5C NFC Welcome Video

The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.

The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.

YubiStyle Covers.

I went with a Polka Rainbow Cover

Cover Applied

My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.

YubiKey with Cover on

YubiKey Authenticator

When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process

Insert YubiKey

Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds).  To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)

Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/

Inserting or Tapping the key will display the linked sites and 6 digit codes.

YubiKey OTP Diagram
Image credit: https://developers.yubico.com/yubioath-desktop/

I have many websites OTP’s stored in my Keys 🙂

My OTP Passwords

How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel

How to find sites that use 2FA/MFA

Head on over to https://twofactorauth.org/.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

Searched fore Play

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.

List of sites thta use 2FA

Common Site 2FA Instruction Pages

Here is a list of common social media sites and their instruction pages for enabling 2FA

 

Using the Yubico 5C NFC on a Computer with no USB C Plug?

My Windows 10 PC has a USB C Plus but its on the rear of my PC.

USB C at the rear of the PC

It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC

USB to USB C Adapter

I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.

The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.

USB Hub

USB (standard Plug, Lightning or USB C YubiKey have you covered.

https://www.yubico.com/store/

Risks of Hardware 2FA

If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.

Multiple YubiKeys

I can add multiple YubiKeys to Dropbox

add key to dropbox

Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)

Dropbox Recovery Codes

1Password is great for storing backup codes.

Purchasing a Yubikey 5C NFC

You can buy YubiKey’s from…

Conclusion

My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.

YubiKeys on my Keychain

YubiKey 5C NFC Pros

  • NFC (I use this a lot on mobile and at work on NFC printers for authentication)
  • No batteries required
  • Durable
  • Multiple usage modes (6 digit codes or insert and press)
  • Works well on my Android Phone with USB-C Plug
  • Physical security to back up my online credentials

YubiKey 5C NFC Cons

  • You need to opt-in on sites to use it (not really a con)
  • You need a PC with USB C plug to easily access the YubiKey 5C NFC.

The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.

I know companies who were hacked, could not care less if my username and password were breached.

YubiCo YubiKeys allow me to feel safer online

Links

v1.0 : Initial Draft