Secure All The Things: Using a Yubikey for 2-Factor on (Almost) All Your Accounts. Jesse Stengel, The University of Arizona.
What is a Yubikey? Yubikeys are small USB devices made by Yubico for doing various kinds of two-factor authentication using a secure element. They (currently) come in six varieties.
What can I use them for? Just about everything, including: U of A VPN, Gmail (and all Google services), Dropbox, Github, your personal laptop, SSH, Windows domain login, and many more.
More flexible than most people think. Most people know Yubikeys for their OTP mode, but the current products (Yubikey 4 and Neo) actually have four separate modes: OTP/HMAC, U2F, PGP/GPG, and NIST 800-73 PIV smart card.
OTP: The mode you probably know. OTP (One-time Password) mode was what Yubikeys started with, and it is still widely used. You push the button and it spits out a one-time password. It can be used for things such as VPN/Duo authentication on campus, when set up per the UITS guide.
HMAC-SHA1: More functionality in OTP mode. The basic Yubikey mode includes two OTP slots. However, you can configure them not only for OTP login but also for HMAC-SHA1 challenge/response, using the Yubikey Personalization Tool.
This enables 2-factor login on a standalone system. By programming in a secret key and using Yubico's Windows Login Tool, you can require a key to be inserted, in addition to a password, for any local account you choose. https://www.yubico.com/support/knowledge-base/categories/articles/useyubico-windows-login-tool/
Works like regular login but requires a Yubikey
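The challenge/response flow the Windows Login Tool relies on, as an added Python model that is not Yubico's code: the token side stands in for the HMAC-SHA1 slot, and the host keeps only a (challenge, expected response) pair that it rotates after each successful login, never the secret. The 63-byte challenge length and the state-dictionary layout are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple

CHALLENGE_LEN = 63   # assumption: the real slot accepts challenges up to 64 bytes


class SimulatedYubikeySlot:
    """Stands in for an OTP slot programmed for HMAC-SHA1 challenge/response.
    The 20-byte secret is written once and never read back; the slot only
    answers challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def enroll(slot: SimulatedYubikeySlot) -> dict:
    """Enrollment (and rotation): pick a fresh random challenge and record the
    response the key gives for it. The host stores this pair, not the secret."""
    challenge = os.urandom(CHALLENGE_LEN)
    return {"challenge": challenge.hex(), "response": slot.respond(challenge).hex()}


def verify(state: dict, response: bytes) -> bool:
    """Constant-time comparison of a response against the stored expectation."""
    return hmac.compare_digest(bytes.fromhex(state["response"]), response)


def authenticate(state: dict, slot: SimulatedYubikeySlot) -> Tuple[bool, dict]:
    """Login step: send the stored challenge to the inserted key, check the answer,
    and on success rotate to a new challenge so the answer just used is dead."""
    given = slot.respond(bytes.fromhex(state["challenge"]))
    if not verify(state, given):
        return False, state          # keep the old challenge; nothing was proven
    return True, enroll(slot)        # key is present, so it can answer the next one


if __name__ == "__main__":
    key = SimulatedYubikeySlot(os.urandom(20))   # constructed secret
    state = enroll(key)
    ok, state = authenticate(state, key)
    print("login ok:", ok, "next challenge:", state["challenge"][:16], "...")
```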
U2F: Zero-configuration security for the web. U2F (Universal 2nd Factor) is a FIDO standard created by Yubico, Google and NXP that allows you to use one key to securely add 2-factor authentication across all supported websites. Supported on all Yubikey 4s and Neos, and also available from other vendors. Requires no user or IT configuration; just insert and go. Works with an increasing number of sites like Google, Facebook, Dropbox and Github.
Easy to set up Just add the key to your account:
Login as normal
and then insert your key
It's that easy! The precise interface varies service by service, but they are all simple. No setup, no key exchange. Since keys aren't stored, there is no limit on the number of sites. On the web, it currently only works in Chrome.
PGP/GPG: Old-school encryption on a new device. Yubikeys have full support for the OpenPGP standard, allowing them to store PGP keys for authentication, encryption and signing on the Yubikey itself. Private keys are stored on the secure element, in write-only mode, protected with a PIN or passphrase. Public keys are made available to the system when you plug in the Yubikey. This lets you securely transport your PGP keys with you anywhere.
Works with almost anything PGP/GPG. Fully integrates with the open source GPG2, which is included in most Linux distributions and available for Windows as GPG4Win. Also integrates with the commercial Symantec PGP. Can be used to do 2-factor login via SSH on Linux, though it is a bit flaky.
A bit fiddly to work with, though. To do any management of keys you have to use the command prompt for gpg:
NIST 800-73 PIV: A smart card for your keychain. All Yubikey 4s and Neos function as an integrated smart card reader and smart card, with full support for all PIV features. That lets you do anything you can do with a normal smart card, including: 2-factor Active Directory authentication, 2-factor SSH authentication, and 2-factor U of A e-mail encryption/signing.
Active Directory has full 2-factor built in. AD is ready to go for 2-factor auth without any additional schema expansions or changes. 2-factor authentication is not mutually exclusive with password authentication; you can use both, or set it on a per-user or per-system basis. Requires an Active Directory Certificate Authority, which is a bit complex to set up. Yubico has more information here: https://www.yubico.com/wpcontent/uploads/2016/03/yubikeypivdeploymentguide_march25_2016_FINAL.pdf
Smart Card login in action
Works everywhere you need a password. Not just for local system login; it also works for shares, domain join and RDP. It passes through RDP sessions by default, so you can use it at any layer.
RDP-to-RDP login
Use the same certificate for SSH 2-factor. Most SSH servers support authentication using SSH keys, which are a public/private keypair. Works on Linux, BSD, many network switches, routers, etc. The same key slot used for AD logon works great for that as well. When used from the Yubikey, it is portable, secure and 2-factor. All you need is a modified version of Putty called Putty CAC, available here: https://github.com/nomorefood/putty-cac/releases
Using Putty CAC to get the SSH key. Putty CAC can generate the SSH key string you need for you. Just choose the CAPI certificate you want to use and pick Copy to Clipboard.
Paste the key into the SSH keys file/config. On Linux, this is usually a file in the .ssh directory. On network equipment, it is usually a command you issue. Here's an example from a Dell N2000 switch:
2-factor login with Putty CAC
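What Copy to Clipboard hands you is the OpenSSH public-key line for the certificate's RSA key. As an added example that is not part of the slides or of Putty CAC, this Python builds that line from a modulus and exponent and parses one back, so a pasted line can be checked against the card's certificate. The small key values are constructed; a real modulus comes from the PIV certificate.

```python
import base64
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, with a leading 0x00 when the
    top bit is set so the value is not read as negative."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_to_authorized_key(n: int, e: int, comment: str) -> str:
    """Build the authorized_keys line 'ssh-rsa <base64 blob> <comment>', where
    the blob is string("ssh-rsa") || mpint(e) || mpint(n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_authorized_key(line: str) -> Tuple[int, int]:
    """Inverse: recover (n, e) from a pasted line to confirm it matches the card."""
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if kind != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


if __name__ == "__main__":
    # constructed toy modulus; a real one is 2048+ bits and comes from the PIV cert
    n, e = 0xC0FFEE1234567890ABCDEF, 65537
    line = rsa_to_authorized_key(n, e, "piv-yubikey")
    print(line)
    print(parse_authorized_key(line) == (n, e))
```

On a Linux host the same line can be produced straight from the certificate with `openssl x509 -in cert.pem -pubkey -noout | ssh-keygen -i -m PKCS8 -f /dev/stdin`.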
Works great for e-mail encryption too. You can add another certificate to the Yubikey for the purposes of encryption. Outlook integrates well with this. When used with a publicly signed certificate, you can send encrypted e-mail to anyone you have a corresponding certificate for. Lets you securely take your key with you and authenticate with 2-factor.
Start off by getting a Personal Digital Certificate UITS has a page offering this service. https://it.arizona.edu/documentation/client-personal-digitalcertificates-smime You will get a certificate signed by RSA InCommon delivered to your Stache account. This also works with any other public key service offering PDCs.
Copy the private key from Stache and import it. Yubico has a tool called the Yubikey PIV Manager that allows you to generate, import, and manage certificates. Import the certificate into the Key Management slot.
Set a PIN. Despite the name, a PIN can be alphanumeric, 6-8 characters; however, they are usually numeric only for compatibility.
Set up Outlook to use the certificate. UITS has directions on Confluence: https://confluence.arizona.edu/pages/viewpage.action?pageid=30179854
And encrypt! Your Yubikey will be required when decrypting or signing e-mails, since the private key is stored only on it. Windows will ask for your PIN to use the private key. You can securely take your private key with you and use it on other systems. Only works in the Outlook program, not OWA, for the moment.
Conclusion. Yubikeys are more flexible than many people know. They are a great way to get 2-factor authentication for a large number of personal and enterprise accounts, and good for end users and IT staff alike.
Questions?