A few days ago I ordered some Yubico FIDO U2F security keys, after reading that they are a useful way to help secure various online accounts and keep intruders out. These used to cost US$20 each singly and $18 each in bulk. The current (Dec 2020) product costs $24.50. They arrived, packaged inconspicuously, promptly after I placed my order. They’re cheap enough that they can be used for personal infosec or for your org or company.
The individually packaged devices come in small vinyl pouches with tamper-evident seals. They are USB devices, for the traditional USB A socket. They are narrow enough to fit in a USB socket even when another device is in the next socket.
The vendor offers several other products, covering USB-C, lightning, and other connectors.
Personally, I have been using the Google Authenticator app on my smartphone for several years to provide two-factor authentication (2FA). Any online account of mine that supports 2FA has it. This includes email, GitHub, Dropbox, and others. However, the Authenticator has a frustrating limitation. Upon retiring one smartphone and replacing it with another, its settings don’t carry over. When this happened to me, I was able to recover access to most of my accounts by using one of the emergency one-time passwords issued to me. But one service (I’m looking at you, AWS) doesn’t offer emergency passwords and I had to go through a manual recovery process. It was secure, but it took a while. (Google’s jargon for 2FA is “two-step verification”. They’re the same thing.)
So, naturally I’m curious about alternatives to the Authenticator app. Let’s give this Yubico gizmo a try.
In the tiny little package there was a URL yubico.com/sec. It takes you to an https-secured web site.
Google asked me to repeat my password, then took me to their 2-step verification page. Scrolling down to the bottom revealed a link marked “ADD SECURITY KEY.”
Clicking the link took me through a straightforward wizard-style setup sequence. I was prompted to insert the key, then tap the little disk on the device. That was it. The device was enabled. As of February 2018 the device requires the use of Firefox or Google Chrome to get into gmail; other browsers haven’t added the necessary support yet.
Once I enabled the device, authenticating to Gmail was easy. It prompted for user name and password. Then I inserted the device and the little key on the gold disk started flashing. I tapped the disk and I was in.
As of the end of November 2020, my Yubikey has been on my keyring in my pocket for about three years. I’ve dropped it in dirty slush on a street. It still works just fine.
Adding two-factor to your WordPress installation
You can easily add two factor authentication to your WordPress installation. (To use a FIDO U2F key like this one, your WordPress site needs to be on https, not http). Here’s what you do.
- Use Google Chrome as a browser.
- Log in to your WordPress installation as an administrator.
- Install and activate the Two-Factor plugin created by people at Automattic.
- Visit your profile page.
- Scroll down to the button that says Register New Key, and push it.
- Insert your FIDO U2F key into your machine and tap the little blinking disk. Wait for the page to refresh.
- Find the section called Two-Factor options and enable the ones you want. It’s a good idea to enable the single-use backup verification codes in case your dog (FIDO?) eats your key. Save the verification codes in a safe place.
- You can also use Authy, Google Authenticator, and other TOTP second-factor apps. If you use Apple’s Safari browser, you should do this; that browser doesn’t support U2F.
- Scroll to the bottom and click Update Profile.
According to the plugin page, it’s under active development, so pay attention to plugin updates.