03 October 2018
    Tags: security 

    I have recently purchased some FIDO U2F keys and have attempted to do two-factor authentication the right way. Unfortunately it did not work out as I expected. That said, it has been an overall positive experience.

    The hardware

    I ended up buying the Feitian ePass FIDO-NFC Security Key because it did exactly what I needed and did not cost too much. YubiKey was my first choice, but I did not want to pay the YubiKey price and did not need some of the extra features. Unfortunately a good number of sites only support YubiKeys, so they might be worth the extra money because they are the most widely supported.

    The worst

    Many sites still force you to keep SMS as an alternate factor. A security key is a nice option, but SMS codes can be stolen and SIMs can be cloned. There have also been several low-tech attacks on SMS, like tricking a carrier into porting a number to an attacker's SIM. A FIDO option is nice, but a determined attacker will simply go after the weakest point, which is the SMS backup code. So sites adopting this model make FIDO kind of pointless.

    The better

    Some sites let you disable SMS but still require a TOTP app as a backup option.

    This isn't terrible: you at least have a backup option, and a phishing attempt will be a little more obvious when you are not prompted for your key, or are asked for a TOTP code when your key should have worked. Most security-conscious users will be OK with this model, but it leaves a gap for any organisation hoping to eliminate phishing amongst its less tech-savvy users, because a TOTP code can still be phished while a U2F response cannot.
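To show why the key itself resists phishing where an SMS or TOTP code does not, here is an added Go example (not from this post, nor any vendor's code) that simulates the relying-party side of a U2F sign-in: the browser writes the page's origin into the signed client data, so a response relayed from a look-alike domain fails verification. The appID, origins, challenge and key are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// signedBytes rebuilds the U2F authentication message the key signs:
// SHA-256(appID) || user-presence byte || big-endian counter || SHA-256(clientData JSON).
func signedBytes(appID string, counter uint32, clientJSON []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append([]byte{}, app[:]...), 0x01)
	return append(append(msg, ctr[:]...), chal[:]...)
}

// verify is the relying-party check; the browser, not the page, writes the origin, so a relayed look-alike response fails here.
func verify(pub *ecdsa.PublicKey, appID, origin, challenge string, counter uint32, clientJSON, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(clientJSON, &cd) != nil || cd["typ"] != "navigator.id.getAssertion" ||
		cd["origin"] != origin || cd["challenge"] != challenge {
		return false
	}
	d := sha256.Sum256(signedBytes(appID, counter, clientJSON))
	return ecdsa.VerifyASN1(pub, d[:], sig) // ECDSA P-256 over the rebuilt message
}

// simulate has one key sign from the genuine origin and from a look-alike domain (what a
// phishing proxy relays), then has the real site check both; key and challenge are constructed.
func simulate() (honestOK, phishOK bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const appID, challenge = "https://example.com", "demo-challenge-not-random"
	attempt := func(origin string, ctr uint32) bool {
		cj, _ := json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
		d := sha256.Sum256(signedBytes(appID, ctr, cj))
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
		return verify(&priv.PublicKey, appID, appID, challenge, ctr, cj, sig)
	}
	return attempt(appID, 1), attempt("https://examp1e.com", 2)
}

func main() {
	honest, phish := simulate()
	fmt.Printf("genuine origin accepted: %v, look-alike origin accepted: %v\n", honest, phish)
}
```

A real relying party also issues a fresh random challenge per login and checks that the counter only ever increases, which the demo's fixed challenge and hand-picked counters stand in for.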

    The good

    Google accounts seem to have the best support, although it was a bit tricky to get it working correctly. At first I could not disable the non-FIDO options. The trick is to completely turn off two-factor authentication, then turn it back on and register only your FIDO key (I registered two so I always have a backup). That's it: now FIDO is your only two-factor option. It works natively in Google Chrome, and on Android if you install the Google Authenticator app.

    Too good

    Google Advanced Protection is for people who have real security concerns, e.g. politicians, activists and journalists. It offers very strong protection by enforcing FIDO keys only and restricting your Google Drive and Gmail to approved apps. The ironic thing is that I use Cryptomator to encrypt the files that I want to protect on my Google Drive.

    So I unfortunately had to disable this feature to access my encrypted cloud storage on my Android phone. I like Google but I don't trust them fully (nothing personal); even good companies can have unexpected security breaches. The Google Advanced Protection Program is worth enrolling in if you can live without third-party mail and drive apps.

    The annoying

    One of my banks and AWS only accept YubiKeys. I understand that there might be some technical reasons for this. That can be forgiven in the short term, but it makes little sense in the long term because the U in U2F stands for universal.

    Another reason, I suspect, is that YubiKeys are not keyed in China; Yubico says they are keyed in the US or Sweden. That sounds logical at first, but the whole NSA / Edward Snowden thing makes me slightly suspicious of most western governments too.

    I completely understand adopting this kind of policy for government or corporate users but the average consumer should be free to make their own judgement call regarding their key vendor.

    The unfortunate truth is that YubiKeys are most likely your best option and worth paying slightly more for, because they are supported by more companies.