(DIY) USB Security Keys?

Michael L

Aug 24, 2021, 7:09:19 AM
to nlug...@googlegroups.com
I have a couple of sensitive logins which I need to keep secure online and offline.  I see multiple USB devices from about $10 and up.  I also see Google OpenSK and Predator DIY results.

Does anyone have a recommendation?
Thanks everyone

Kent Perrier

Aug 24, 2021, 10:52:31 AM
to nlug-talk
Do you mean something like a DIY Yubi key? 

--
--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to nlug...@googlegroups.com
To unsubscribe from this group, send email to nlug-talk+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en

---
You received this message because you are subscribed to the Google Groups "NLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nlug-talk+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nlug-talk/CALdmzXZM9KizB9jj6mgORek5W6NAQ%2BF3-fJ%3Dc04ov%3DNJAiD0wg%40mail.gmail.com.

Tilghman Lesher

Aug 24, 2021, 11:08:42 AM
to NLUG
I would suggest configuring PAM to use one of the myriad 2 factor
authentication schemes, preferably one that isn't tied to a hardware
key. For example, you can use a Google Authenticator scheme with an
app like Authy, which will allow you to authenticate with multiple
devices -- useful if you lose or temporarily misplace one of them.
Authy will also work as a Chrome App -- just make sure that you only
put it on devices that you can keep secure.

https://hackertarget.com/ssh-two-factor-google-authenticator/




--
Tilghman

Michael L

Aug 24, 2021, 11:59:50 AM
to nlug...@googlegroups.com
I'd go for DIY Yubi  unless Yubi is just plain and simple so good that it's worth the price.

I need to secure an online login that I can't really afford to get hacked.

Michael L

Aug 24, 2021, 12:04:16 PM
to nlug...@googlegroups.com
That's another important reason why I'm asking: when my Pixel LCD became unusable, I couldn't log in.

Glad again I asked.  

Tilghman Lesher

Aug 24, 2021, 1:48:38 PM
to NLUG
There are multiple reasons why I'm not fond of hardware keys like that:

The first I've already mentioned. If it's lost or misplaced, you've
just lost your way of getting into the system.

Second is the form factor. It's a USB A connector, which is fine when
you're sitting at a desktop or a laptop that you own. What happens if
you need to get into the machine, and the only thing you have is a
cellphone or tablet, which likely doesn't have a USB A port? Do you
keep a selection of dongles with you to make it fit? Or are you SOL?
And if you're at a machine that you don't own, they may well either
prevent you from accessing the USB port or have severe restrictions on
what a USB device plugged in can be. For example, it might be limited
to ONLY a mass storage device and not a USB keyboard. If that's the
case, the Yubikey won't work.

Third, while the Yubikey is powered off the device to which it's
connected, and that's a nifty workaround to this problem, a lot of
hardware keys have a sealed battery. That battery cannot be replaced,
because the device will self-destruct (by design) if you try to open
it up. So you're only good for as long as the battery life lasts.

All that said, you also want to avoid using SMS as your second factor
authentication, because the telecom network is not secure. If an
attacker knows your phone number, they could attempt to steal your
number and receive your SMS codes. While the telecoms have tried to
close this security hole, in many cases, it's an insider attack, which
can't be easily stopped without completely destroying number
portability.



--
Tilghman

Michael L

Aug 24, 2021, 2:24:35 PM
to nlug...@googlegroups.com
I just heard of SMS mirroring, which is good if we want to do that, but not so good if a hacker can mirror someone else's SMS and bypass 2FA.  What you're describing sounds more like what I'm looking for instead of a specific hardware device.  Mange Tak.

Paul Boniol

Aug 24, 2021, 3:13:45 PM
to NLUG
I agree with Tilghman, but would add there are NFC versions of Yubikeys (still without battery), and USB-C connector (which may or may not attach to your phone). If supported, it could be added as a backup authentication method, but I don't recommend using them as the primary method. (Left it at home, fell out of your bag, got eaten by a toddler, you never know.)

Paul

Kent Perrier

Aug 24, 2021, 3:44:47 PM
to nlug-talk
IIRC, the Yubi folks do recommend getting two, and using the second one as the backup authenticator in case the primary is lost/broken/etc. Put in a safe/safety deposit box for safe keeping.

Michael L

Aug 24, 2021, 6:15:35 PM
to nlug...@googlegroups.com
Thank you everyone for the excellent info.  I'm glad I asked.


Brandon Bradley

Aug 26, 2021, 3:00:15 PM
to nlug...@googlegroups.com