16 comments

[ 3.2 ms ] story [ 12.6 ms ] thread
This is a good description of the Yubikey advantage. However, now that Authenticator apps are making it easier (and less secure) for you to move your secrets to new devices, this only underscores your need to register at least two Yubikeys in each place where you use TOTP, and don't forget those paper backup codes as well.

TOTP (and other) secrets will never come out of a Yubikey once they've been sent into it. And I like it that way.

To avoid this 2:n issue, I make 2 yubikeys that are clones of each other, and leave one in a secure location at all times. The sites cant tell the difference apart from serial number
How do you make clones of a yubikey? Is this normal functionality I've missed or a hack?
Most likely they just mean that every time they register a new account, they get their backup yubikey out and add the account to it too

It's not possible to clone yubikeys

That's fine, but you can't keep them identical for long, because eventually you need to add/delete/update an account or a secret. So you're perpetually rotating that one in a secure location, and if your accounts have enough churn, it's a chore.
Can you dd one Yubikey to another?
At setup time, yes.

https://support.yubico.com/hc/en-us/articles/360016614880-Ca...

Look at the "few exceptions" section

If you grab a TOTP secret at setup time, you can do whatever you please with it, but this is of course extremely perilous, because access to the secret equals full control of that factor. The Yubikey's one-way storage is trying to save you from that danger.

So one strategy for maintaining multiple authenticators or yubikeys would be to save all the secrets away and call them up when it's time to load up the alternate factor.

What I do is register both keys at the same time, one after the other so the QR code doesn't leave my screen. Can't do it this way if the one key is in cold storage, of course.

> Can you dd one Yubikey to another?

If you're referring to the Unix tool "dd" the answer is unambiguously no; zen_1 misunderstood you.

No data comes out of the Yubikey except answers to the cryptographic queries. There's no storage to dd.

The only way to clone secrets is to grab them before they go in and save them elsewhere. That's what we mean by "time of setup" or "time of programming" is when putting a new secret in, not like initial setup of the device.

Moving from Google authenticator to another application is extremely simple.

I don't know why the author has so much trouble transferring 2FA. You take a picture of a QR code and it's all done for you. (This is also a good way to backup your tokens on a different device)

With that being said I love my yubikey and want to try this app.

Storing the text version of the QR code is the easiest, and its how bitwarden stores the 2FA anyway....
There is an extra wrinkle, too:

Many MFA implementations will not allow you to register more than 1 TOTP authenticator, and so that is why I typically use the trick of registering both Yubikeys simultaneously. If you wish to register another, the service will often require you to deactivate MFA and set it up from scratch, which de-registers the original one. I think this is probably mandatory, due to the way the secrets work. There's no way a service can safely store such a secret on-site, because this would defeat the purpose.

So in fact, if your alternate key/auth is offsite, then you're actually forced to manage your own secrets in order to properly register all affected devices.

You can have BitWarden or another password manager manage those secrets for you, but you've just reduced your MFA to 1FA, because obviously that's where you store your passwords. In fact, revealing a TOTP secret is more damaging than revealing a simple password. But, you do you...

It wasn't always this way.

Google Authenticator used to be much more secure. That is to say, it closely guarded all the secrets and they never left the app.

Unfortunately they had to bend to pressure of convenience for users, and that meant that now you can extract the secrets and push them around to your heart's content. That also means that an attacker can do likewise, or intercept them in transit, and so you lose the safety of a security key that is a "roach motel" for secrets.

I don't know about the author, but it seems there are still problems with secret portability. If your phone breaks, or it's stolen, and you have no access to the app, how're you going to export your secrets now?

The other cool thing about Yubikeys is that they're purpose-built, inexpensive, single-purpose. I don't want to be using my phone as a Swiss Army Knife authenticator. That's way too risky and dumb. It has a huge attack surface. Any malware could get at the phone. Plus all the risks of loss, breakage, or theft. A key can stay safe on my keyring and is "nearly indestructible" and it does only that one thing very well.

I don't know if it's still the issue, but even the yubikey has its limits. It's a max of (from memory) 32 2fa codes. Which seems a lot but isn't really
Oh wow, 32 isn’t a lot.