Secure All The Things Using a Yubikey for 2-Factor on (Almost) All Your Accounts. Jesse Stengel The University of Arizona


What is a Yubikey? Yubikeys are small USB devices made by Yubico for doing various kinds of two-factor authentication using a secure element. They (currently) come in six varieties.

What can I use them for? Just about everything, including: U of A VPN, Gmail (and all Google services), Dropbox, Github, your personal laptop, SSH, Windows domain login, and many more.

More flexible than most people think Most people know Yubikeys for their OTP mode, but the current products (Yubikey 4 and Neo) actually have four separate modes: OTP/HMAC, U2F, PGP/GPG, and NIST 800-73 PIV Smart Card.

OTP: The mode you probably know OTP (One-time Password) mode was what Yubikeys started with, and is still widely used. You push the button, it spits out a one-time password. It can be used for things such as VPN/Duo authentication on campus, when set up per the UITS guide.
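What the typed one-time password actually looks like, as an added Python example that is not part of the original slides or any Yubico software; the OTP strings and the key-to-user table are constructed:

```python
# Added example (not from the original slides): the shape of a Yubico OTP.
# A Yubikey in OTP mode types a 44-character string in "modhex", an alphabet
# chosen so the characters land on the same keys on most keyboard layouts.
# The first 12 characters are the key's public identity; the remaining 32 are
# a 16-byte AES-encrypted token that only the validation server can decrypt.
from typing import Optional, Tuple

MODHEX = "cbdefghijklnrtuv"   # modhex digit i corresponds to hex digit i

def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes; rejects non-modhex characters."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a valid modhex string")
    hexstr = "".join("0123456789abcdef"[MODHEX.index(ch)] for ch in text)
    return bytes.fromhex(hexstr)

def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode."""
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def parse_otp(otp: str) -> Tuple[bytes, bytes]:
    """Split an OTP into (public_id, encrypted_token), checking its shape."""
    otp = otp.strip()
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

# Constructed lookup table: which key (public id) is registered to which user.
KEY_OWNERS = {"vvcccccccccc": "jstengel"}

def otp_owner(otp: str) -> Optional[str]:
    """Return the user the submitted OTP's public id is registered to, if any.
    A real verifier then decrypts the token and checks its usage counters."""
    try:
        parse_otp(otp)
    except ValueError:
        return None
    return KEY_OWNERS.get(otp[:12])
```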

HMAC-SHA1: More functionality in OTP mode The basic Yubikey mode includes two OTP slots. However, you can configure them not only for OTP login, but for HMAC-SHA1 challenge/response, using the Yubikey Personalization Tool.

This enables 2-factor login on a standalone system By programming in a secret key and using Yubico's Windows Login Tool you can require a key to be inserted, in addition to a password, for any local account you choose. https://www.yubico.com/support/knowledge-base/categories/articles/useyubico-windows-login-tool/

Works like regular login but requires a Yubikey
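How HMAC-SHA1 challenge-response login works, as an added Python example that is not part of the original slides or Yubico's tools; simulate_yubikey_slot stands in for the key's hardware and the slot secret is a constructed value:

```python
# Added example (not from the original slides): HMAC-SHA1 challenge-response.
# The OTP slot is programmed with a secret. At login the host sends a fresh
# random challenge, the key answers with HMAC-SHA1(secret, challenge), and the
# host compares that against the value it computes from its own copy.
import hmac
import hashlib
import secrets

def simulate_yubikey_slot(slot_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the key: the secure element computes HMAC-SHA1 over the
    challenge with the slot secret; the secret itself never leaves the device."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()  # 20 bytes

class ChallengeResponseLogin:
    """Host side of the login: issues one-time challenges, verifies responses."""

    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret   # the host's copy, stored protected in practice
        self._pending = set()        # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        # Unpredictable and never reused, so a captured response is worthless later.
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False             # unknown or already-used challenge (replay)
        self._pending.discard(challenge)   # each challenge is accepted at most once
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare

def demo_login() -> bool:
    """Full exchange: host issues a challenge, key answers, host verifies."""
    # Constructed 20-byte secret; a real one is set with the Personalization Tool.
    secret = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
    host = ChallengeResponseLogin(secret)
    challenge = host.new_challenge()
    response = simulate_yubikey_slot(secret, challenge)   # needs the key present
    return host.verify(challenge, response)
```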

U2F: Zero-configuration security for the web U2F (Universal 2 Factor) is a FIDO standard created by Yubico, Google and NXP that allows you to use one key to securely add 2-factor authentication across all supported websites. Supported on all Yubikey 4s and Neos, and also available from other vendors. Requires no user or IT configuration, just insert and go. Works with an increasing number of sites like Google, Facebook, Dropbox and Github.

Easy to set up Just add the key to your account:

Login as normal

and then insert your key

It's that easy! The precise interface varies service by service, but they are all simple. No setup, no key exchange. Since keys aren't stored, there is no limit on the number of sites. On the web, currently only works in Chrome.

PGP/GPG: Old-school encryption on a new device Yubikeys have full support for the OpenPGP standard, allowing them to store PGP keys for authentication, encryption and signing on a Yubikey itself. Private keys are stored on the secure element, in write-only mode, protected with a PIN or passphrase. Public keys are made available to the system when you plug in the Yubikey. Lets you securely transport your PGP keys with you anywhere.

Works with almost anything PGP/GPG Fully integrates with the open source GPG2, which is included in most Linux distributions and available for Windows as GPG4Win. Also integrates with the commercial Symantec PGP. Can be used to do 2-factor login via SSH on Linux, though it is a bit flaky.

A bit fiddly to work with, though To do any management of keys you have to use the command prompt for gpg:

NIST 800-73 PIV: A Smart Card for your keychain All Yubikey 4s and Neos function as an integrated smart card reader and smart card with full support for all PIV features, which lets you do anything you can do with a normal smart card, including: 2-factor Active Directory authentication, 2-factor SSH authentication, and 2-factor U of A e-mail encryption/signing.

Active Directory has full 2-factor built in AD is ready to go for 2-factor auth without any additional schema expansions or changes. 2-factor authentication is not mutually exclusive with password authentication: you can use both, or set it on a per-user or per-system basis. Requires an Active Directory Certificate Authority, which is a bit complex to set up. Yubico has more information here: https://www.yubico.com/wp-content/uploads/2016/03/yubikeypivdeploymentguide_march25_2016_FINAL.pdf

Smart Card login in action

Works everywhere you need a password Not just for local system login; works for shares, domain join, and RDP. Passes through RDP sessions by default, so you can use it at any layer.

RDP-to-RDP login

Use the same certificate for SSH 2-factor Most SSH servers support authentication using SSH keys, i.e. a public/private keypair. Works on Linux, BSD, many network switches, routers, etc. The same key slot used for AD logon works great for that as well. When used from the Yubikey, it is portable, secure and 2-factor. All you need is a modified version of Putty called Putty CAC, available here: https://github.com/nomorefood/putty-cac/releases

Using Putty CAC to get the SSH key Putty CAC can generate the SSH key string you need for you. Just choose the CAPI certificate you want to use, and pick Copy to Clipboard.

Paste the key into the SSH keys file/config On Linux, usually a file in the .ssh directory. On network equipment, usually a command you issue. Here's an example from a Dell N2000 switch:

2-factor login with Putty CAC
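What the key string Putty CAC copies to the clipboard consists of, as an added Python example that is not part of the original slides or of Putty CAC: the certificate's RSA public key in OpenSSH wire format, base64-encoded, as authorized_keys expects it. It assumes the modulus and exponent have already been read out of the certificate; the (e, n) pair used is constructed.

```python
# Added example (not from the original slides): build and parse the "ssh-rsa"
# authorized_keys line for an RSA public key such as the one in the PIV slot.
# OpenSSH wire format: string "ssh-rsa", mpint e, mpint n, each length-prefixed.
import base64
import struct
from typing import Tuple

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b          # 4-byte big-endian length + data

def _ssh_mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:                          # keep it positive: leading zero
        b = b"\x00" + b
    return _ssh_string(b)

def rsa_to_authorized_key(e: int, n: int, comment: str = "yubikey-piv") -> str:
    """The line to paste into ~/.ssh/authorized_keys (or the switch's key command)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_authorized_key(line: str) -> Tuple[int, int]:
    """Inverse: read (e, n) back out of an ssh-rsa authorized_keys line."""
    kind, b64 = line.split()[:2]
    if kind != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    blob = base64.b64decode(b64)
    fields = []
    pos = 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")
```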

Works great for e-mail encryption too You can add another certificate to the Yubikey for the purposes of encryption. Outlook integrates well with this. When used with a publicly signed certificate, you can send encrypted e-mail to anyone you have a corresponding certificate for. Lets you securely take your key with you and authenticate with 2-factor.

Start off by getting a Personal Digital Certificate UITS has a page offering this service. https://it.arizona.edu/documentation/client-personal-digitalcertificates-smime You will get a certificate signed by RSA InCommon delivered to your Stache account. This also works with any other public key service offering PDCs.

Copy the private key from Stache and import Yubico has a tool called the Yubikey PIV Manager that allows you to generate, import, and manage certificates. Import the certificate into the Key Management slot.

Set a PIN Despite the name, it can be alphanumeric, 6-8 characters; however, PINs are usually numeric only, for compatibility.

Set up Outlook to use the certificate UITS has directions on Confluence: https://confluence.arizona.edu/pages/viewpage.action?pageid=30179854

And encrypt! Your Yubikey will be required when decrypting or signing e-mails, since the public key is stored only on it. Windows will ask for your PIN to use the private key. You can securely take your private key with you, and use it on other systems. Only works in the Outlook program, not OWA, for the moment.

Conclusion Yubikeys are more flexible than many people know. A great way to get 2-factor authentication for a large number of personal and enterprise accounts. Good for end users and IT staff alike.

Questions?