Why I Like YubiKeys
Updated on November 16, 2022
First off, I just want to make a statement that I'm not sponsored by Yubico, nor am I selling their products. I just think their products are cool and I like to promote privacy-focused solutions.
Privacy Concerns with 2 Factor Authentications (2FA) Using Phone Numbers
Many 2FA solutions require that you give a service company your phone number to be able to authenticate on their application or website. A phone number is a very strong link to your real identity. Most people don't have multiple phone numbers and rarely ever change them. This might be fine if you want to authenticate to your bank account, but is this piece of information necessary for every account? Are there better ways? What if your phone number, along with your personal information, gets abused?
Phone number, 2FA and Big Tech
When 2FA with phone numbers started to be required by Big Tech companies like Google and Facebook, it was marketed as making your account more secure. While that might be true if implemented correctly and with no malicious intent behind it, you basically had to give up your real identity. Some people might have good reasons to be anonymous on these platforms, but that is no longer an option. I can imagine one good excuse for the Big Tech platforms, that they want to prevent bots, but that doesn't seem to be working so effectively. But you can trust platforms like Google, Twitter and Facebook to keep your phone number safe, right? Well...
...Big Tech platforms have continually exploited their users' personal information, whether intended or unintended. After reading a few articles, the only conclusion I can come up with is that they are either malicious or stupid. Either way, they should not have a right to store personal information anymore.
Facebook Wants to 'Normalize' the Mass Scraping of Personal Data
https://www.vice.com/en/article/7kvp7y/facebook-normalize-mass-scraping-personal-data
Twitter sold users' phone numbers:
https://threatpost.com/twitter-uses-phone-numbers-emails-to-sell-ads/149014/
Facebook users’ phone numbers reportedly being sold on Telegram:
https://nypost.com/2021/01/26/facebook-users-phone-numbers-being-sold-on-telegram-report/
Facebook knows your phone number, even if you are not on Facebook
https://eu.usatoday.com/story/tech/columnist/baig/2018/04/13/how-facebook-can-have-your-data-even-if-youre-not-facebook/512674002/
If You Use SMS 2FA on Facebook, your phone number is searchable
https://www.howtogeek.com/406696/if-you-use-sms-2fa-on-facebook-your-phone-number-is-searchable/
HANLON'S RAZOR:
"Never attribute to stupidity that which is adequately explained by malice."
Murphy's Law Book Two: More Reasons Why Things Go Wrong
Phone Tracking
Being able to track your phone when it goes missing might be a convenient feature. I mostly just ask someone to call my number and usually that's enough. But what if it gets stolen? Sure, you might be able to find out where the phone is located, but will law enforcement have time to care about it? You probably have to go there yourself with a couple of friends and some baseball bats, if you think it is worth the hassle. However, if I were a phone thief, knowing how trackable phones are, even when turned off, I would not be so stupid as to start using it myself, or to sell it in the same location. I would probably sell it in some other country.
While there is a benefit to being able to track your phone, it also means that Google and Apple can track you. This is because we carry our phones with us almost all the time. This feature was very tightly coupled with the TRACE Act in the United States, whose purpose was tracing the spread of the... you know... Anyway, what else can this technology be used for?
"To authorize the Secretary of Health and Human Services to award grants to eligible entities to conduct diagnostic testing for COVID–19, and related activities such as contact tracing, through mobile health units and, as necessary, at individuals’ residences, and for other purposes."
H.R.6666 — 116th Congress (2019-2020)
Cross Device Tracking
Google and other platforms use something called Cross Device Tracking. You may have experienced it when you log in to your Google account from a new device: it asks you to approve the connection from your phone. Since they already have your phone number, and the Google apps on your phone collect information like the IMEI number, they can be pretty confident that it is your phone. When you approve the new device from your phone, Google can now also be pretty sure that whatever device you just logged in from also belongs to you.
SIM Swap Attacks
A hacker can call a carrier, claim that your phone number is his phone number, and say that he lost his phone or that it got stolen. He then asks to get his (your) old phone number transferred to a new carrier. The carrier representative will then ask some generic questions (name, address, personal ID number). Usually, no actual verification of a physical ID is required. Once the phone number has been swapped to the new carrier, the hacker can use the "forgot password" button on all 2FA accounts tied to that number, set new passwords, and you will be locked out of everything.
An even easier method for the hacker would be to partner up with a carrier representative and pay a fee. No questions asked at all.
You would notice this type of attack when your phone suddenly loses service from your carrier.
How to prevent SIM Swap Attack
Don't use the same 2FA solution for your bank account and your email account.
With a phone that has dual SIM slots, you can use one number for contacts and one number for 2FA.
Conclusion
In my analysis, 2FA using phone numbers is:
Not safe
Extremely privacy infringing
Being abused by big tech platforms all the time
There must be better solutions to protect your account while still preventing your personal information from leaking without your consent.
Solutions to restrict tracking by Big Tech services that require a phone number
Restricting what personal information you give out to service companies is probably the best thing you can do to avoid it being leaked on the Internet. However, it takes some effort to get there.
Use a de-googled AOSP phone or a Linux phone with dual SIM slots and purchase a phone number known only to you. Use that other number for 2FA.
For a Google account or other accounts that mandate having an app and a phone number: get a phone with Google services on it, but don't install a SIM card. Put the phone in a Faraday bag when not in use.
One might say that scammers and other criminals could potentially also use these techniques, but in my opinion, that's a tradeoff I'm willing to accept. If you give up your privacy for security, you will end up with none of them in the end.
TOTP = Time-Based One-Time Passwords
TOTP combines a shared key generated by the server, an algorithm and the current time to generate a six- or eight-digit OTP. No phone number is involved. I found this blog that explains it pretty well:
https://rublon.com/blog/what-is-totp/
There is also a counter-based version called HOTP. You can read about the differences between TOTP and HOTP here:
https://developers.yubico.com/OATH/
TOTP is way better than using your phone number to receive SMS OTPs, but it still has some security concerns:
The device used for TOTP 2FA is usually connected to the Internet, exposing it to threats that could compromise the TOTP secrets.
If your device gets stolen, you have to restore all your generated keys. A good practice is to store them in a password vault or have a paper backup. You also risk having the secrets extracted from the device.
Now we finally come to the YubiKey part.
YubiKeys
YubiKeys are physical keys for your computer and accounts, in the same way that you use a key to open your car or your door. You plug it into your computer or smartphone, tap the key and you are authenticated, instead of using passwords that can be hacked or forgotten. Some models also support NFC.
Benefits of using YubiKey with YubiKey authenticator for TOTP authentication
The TOTP secrets and the code computation live on the hardware key, which is not connected to the Internet (air-gapped).
Less risk of getting the key stolen. The key can also be protected with a password (optional).
You can read your codes, or generate new codes, on any device that has the YubiKey authenticator app installed.
Other YubiKey Features
FIDO2 Authentication
FIDO2 is a passwordless authentication standard. Just use your username and YubiKey instead. You can read more about the standard on the FIDO Alliance website:
https://fidoalliance.org/fido2/
By the way, a funny thing is when I search for FIDO2 on the Internet, this shows up on the first page:
FIDO2 authentication can already be used for many applications, although many applications that I use are still missing it. Some services that support it today are:
Windows domain login with Azure AD (not on-prem AD, for some reason).
Any personal computer that is not connected to a domain can be configured with FIDO2.
Ubuntu 20.04
Windows 10
Mac
Nextcloud
A bigger list exists here:
https://hideez.com/pages/supported-services
Certificate Store (PIV)
The YubiKey has a certificate store, making it usable as a smart card. This has many use cases. One might be to elevate admin privileges on a computer, or to access web pages that require client certificates.
The certificate store supports both RSA and ECC certificates.
Multiple YubiKeys for backup
You can use two or more keys as backups for your TOTP codes and FIDO2 web authentications. You basically enroll the same TOTP secret on each YubiKey, or register each YubiKey with the same FIDO2 service. That way, losing one key won't create as much of a hassle, since you already have another one ready to go.
Final Thoughts
The reason I like YubiKeys is that they keep my personal information safe while leveraging features that create robust security. The fact that they don't require a phone number, an Internet connection or a specific device also helps avoid leaving traces of which device you are using to authenticate.
YubiKeys are also used in many big companies, and I happen to do work for one such customer that just bought a bunch of them. I'm looking forward to starting to implement them.
There are going to be more how-to related posts on YubiKeys in the future. Right now I'm only using them to authenticate to my Nextcloud platform. I'm very happy with them so far.
Special Mention
Thanks to Rob Braxman Tech for shining a light on the problems with 2FA and inspiring me to dig deeper and write this blog post.