Yubico FIDO U2F key quick review

Yubikey
Yubikey in tamper-resistant package

A few days ago I ordered some Yubico FIDO U2F security keys, after reading that they are a useful way to help secure various online accounts and keep intruders out. These cost US$18 each, either singly or in 50-unit bulk packaging.  They arrived, packaged inconspicously, promptly after I placed my order. They’re cheap enough that they can be used for personal infosec or for your org or company.

The individually packaged devices come in small vinyl pouches with tamper-evident seals. They are USB devices, for the the traditional USB A and B socket. They are narrow enough to fit in a USB socket even when another device is in the next socket.

Personally, I have been using the Google Authenticator app on my smartphone for several years to provide two-factor authenticaion (2FA). Any online account of mine that supports 2FA has it. This includes email, github, dropbox, and others.  However, the Authenticator has a frustrating limitation. Upon retiring one smartphone and replacing it for another, its settings don’t carry over. When this happened to me, I was able to recover access to most of my accounts by using one the emergency one-time passwords issued to me. But one service (I’m looking at you, AWS) doesn’t offer emergency passwords and I had to go through a manual recovery process. It was secure, but it took a while.

So, naturally I’m curious about alternatives to the Authenticator app. Let’s give this Yubico gizmo a try.

Inserting the Yubikey
Inserting the Yubikey

In the tiny little package there was a URL yubico.com/sec. It takes you to an https-secured web site.

Scrolling down shows various choices for enabling the key.  I chose the link marked “Add a Security Key for 2-step verification” in the instructions for “Setting Up Your Google Account.”

Google asked me to repeat my password, then took me to their 2-step verification page.  Scrolling down to the bottom revealed a link marked “ADD SECURITY KEY.”

Clicking the link took me through a straightforward wizard-style setup sequence. I was prompted to insert the key, then tap the little disk on the device. That was it. The device was enabled. The device requires the use of Google Chrome to get into gmail.

Once I enabled the device, authenticating to Gmail was easy. It prompted for user name and password. Then I inserted the device and the little key on the gold disk started flashing. I tapped the disk and I was in.

Adding two-factor to your WordPress installation

You can easily add two factor authentication to your WordPress installation. (To use a FIDO U2F key like this one, your WordPress site needs to be on https, not http). Here’s what you do.

  1. Use Google Chrome as a browser.
  2. Log in to your WordPress installation as an administrator.
  3. Install and activate George Stephanis’s two-factor plugin.
  4. Visit your profile page.
  5. Scroll down to the button that says Register New Key, and push it.
  6. Insert your FIDO U2F key into your machine and tap the little blinking disk. Wait for the page to refresh.
  7. Find the section called Two-Factor options and enable the ones you want. It’s a good idea to enable the single-use backup verification codes in case your dog (FIDO?) eats your key. Save the verification codes in a safe place.
  8. Scroll to the bottom and click Update Profile

According to the plugin page it’s under active development. So pay attention to plugin updates.

Leave a Reply

Your email address will not be published. Required fields are marked *