2

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this.

First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing how the market is doing, I don’t get why it’s still considered more secured.

2FA means adding a second factor, which can be your mobile for SMS OTP, an OTP device (like RSA tokens), a USB key, and so on. Currently, almost all these solutions relies only on the fact that you own this object and nothing else (this is the case for Yubikeys and SMS OTPs), and app based OTPs now include an authentication to be launched, which makes it more secured. But without this authentication layer, a mobile is still less easy to lose than a tiny USB key. And why would a tiny USB key, advertised as being made to stay plugged in your computer forever makes it more secured at all?

I mean, if your laptop is stolen, and your thief happens to have your credentials, well, your smart card doesn’t authenticate you so it adds no security at all then, but so will be the app OTP as a thief could also have your pin code.

Anyway, seeing I find app based OTP more secured than key based today, which are more secured than portable always on tokens like RSA’s, not because of their design but because of how they’re used today. Am I right?

Max13
  • 195
  • 8
  • "First of all, I understand how a smart card is more secured than an app/sms based OTP for instance" please explain this as it's not apparent to me why something like a Yubikey is more secure than Google's Authenticator app. – northerner Aug 27 '21 at 07:41
  • @northerner I found the answers quite complete, but here is a quick summary. An OTP is fishable (an app can be broken if a mobile phone is jailbroken, apps can read SMS, and it can even appear on a screen while live streaming for instance). FIDO derives a key for each website, it's impossible to dump a key. Except when stolen, between OTP and FIDO, FIDO is by far more secure. – Max13 Aug 27 '21 at 17:11
  • So basically you're saying a FIDO is more secure than OTP because it can't be phished since it doesn't require human interaction? – northerner Aug 29 '21 at 09:30
  • @northerner Yes, basically, it can't be compromised. At least, that's what I understood reading all the answers – Max13 Aug 29 '21 at 23:56
  • IMHO that's a pretty weak reason as if someone already knows about phising they probably won't fall for it. – northerner Aug 30 '21 at 23:49
  • @northerner Your statement is true "when someone is aware of…", but it's not absolute. An advanced power user would have equivalent security with OTP and FIDO/U2F. An average user would, at worst, have BETTER security with a device token. – Max13 Aug 31 '21 at 00:03

3 Answers3

3

One of your main points is valid: if the USB key is stolen with your device, it may still be game over if other credentials are known. Personally, I am not concerned about loss or theft of the USB token, since it doesn't really weaken security if used as a second factor, plus access can be revoked and some features may require a PIN.

However, the USB token is superior to a phone in that it cannot be compromised remotely and have its secrets dumped. Also, FIDO2 provides a layer of protection against phishing attacks that OTP simply cannot provide.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
  • Speaking of getting stolen, is there any features that prevent lock out in the case of having the USB key stolen? If someone lost the USB key, how could they get in again? – northerner Aug 29 '21 at 09:52
  • @northerner you can usually have multiple physical USB keys enrolled. In the case of GPG keys, the same key can be installed on multiple physical devices. Websites may offer alternate or backup means besides the key. – multithr3at3d Aug 30 '21 at 02:46
  • @northerner Multiple keys are the most common case IMO because you can request to the machine, an embedded device, a removable device, or either. In my case, I have 2 yubikeys (Nano always attached to my mac and a USB A) AND 2 embedded devices (FaceID on my iPhone, Touch ID on my mac). I registered the 4 of them when possible. – Max13 Aug 31 '21 at 00:08
  • I'm a bit confused how exactly this work. I thought the key comes from the USB key? I can you can register two distinct USB keys to work for the same account? – northerner Aug 31 '21 at 00:09
  • @northerner sorry, I was discussing different mechanisms. Most USB keys support installing GPG keys on them, for encryption/signing, SSH, etc. In that case, the key comes from somewhere else. But otherwise, crypto keys are generated on the device and never leave it. All websites I've used will allow you to enroll multiple keys. – multithr3at3d Aug 31 '21 at 11:54
1

As per me you are absolutely correct. The whole presumption of the usb based 2fa key is based on the fact that you own the key. There are however reasons from my point of view why usb based key is in vogue:-

  1. These usb based keys are mostly used by or mostly meant for system administrators/devs/devops and the likes whose daily jobs include logging into various sytems, servers, cloud instances etc.

  2. Keeping point 1 in mind imagine having to open your phone everytime you need to login to a server. That is why usb based key is used to provide the servers/systems that additional based security

  3. Also now-a-days the keys are so small that they remain attached to your pc, laptop and no one takes it out of the slot, so losing it becomes a bit difficult.

BoredToolBox
  • 57
  • 5
0

Two-factor authentication usually means adding something you have, like a phone, laptop, or token, or something you are, like a biometric measurement, in addition to something you know, like a password.

The primary benefit of a security key like a U2F or FIDO2 device over a TOTP password is phishing protection. These devices, when used with a web browser, receive the true URL from the browser itself and include it as part of the material when generating the signature. Therefore, assuming the attacker cannot compromise the web browser or the legitimate web site, it's not possible for them to phish the digital signature made by these devices, since a signature entered for a phishing domain would not be valid for the original domain.

Security keys are also typically designed to be at least tamper resistant. That means that the keys can't be duplicated or compromised, and as a result, attackers really have to have the physical device to use them. It is, of course, possible to steal them, either as part of the laptop or otherwise. But it is also very easy to steal a phone someone has carelessly left unattended. The risk of theft is the same regardless. And in many cases, the security key can require a PIN for various purposes, providing some resistance against misuse in case of theft.

TOTP credentials do have the benefit that they can be backed up and easily transferred to a new device. That makes them less secure, but also more convenient. For this reason, I generally enroll both on my account, and primarily use my YubiKey, leaving the TOTP as a backup in case something goes wrong.

bk2204
  • 7,828
  • 16
  • 15
  • Isn't it counter productive to have both TOTP and U2F/FIDO on an account? If we consider TOTP as phishable, stealable, etc… Then you account just have another security but is still as much vulnerable as without U2F, isn't it? – Max13 Apr 12 '21 at 14:12
  • It lessens the security slightly, but not much. I won't use the TOTP except as a backup in a situation where I don't have my YubiKey, which is almost never, so the risk is very low. It is, in this sense, a 2FA recovery code. – bk2204 Apr 12 '21 at 22:25
  • I totally agree and that’s also what I do. But “lessen” wasn’t the word, I more wanted to say “doesn’t strengthen” it. Anyway thanks for the answer – Max13 Apr 12 '21 at 22:44