Lost Yubikey


Daria

Aug 5, 2024, 4:10:26 AM8/5/24
to oullilesto
I just received my YubiKey and was playing with it. It works brilliantly, but I couldn't help thinking what would happen if I lost the key. Well, for Google you can print out some backup codes, so that's covered. But then I wanted to simulate a lost key for Amazon AWS. Apparently there is a page that allows you to troubleshoot your MFA key, see screenshot:

However, in the case of a lost YubiKey, I would now click Cancel or press Escape. Next, the screen quickly changes and the "Troubleshoot MFA" link is not present anymore! In addition, I can't click on it when the message pops up.


The only general answer to this is probably that you will need to contact the support team for the respective site. Different companies will likely have different policies and procedures on how to carry out account recovery.


Reading the AWS Docs I do notice that they only allow one Key per account. One solution would be to authorize a 2nd Account, using your 2nd key, for that VM. Perhaps the root user gets the "backup" key you keep in a safe while you use a delegated account and your daily key for "normal" work...


We hope that you will not lose your YubiKey, but for larger deployments and serious use, establishing processes around lost YubiKeys is an important and challenging aspect. Yubico has offered the YubiRevoke service to help with this: a centralized way to disable YubiKeys that are validated through the YubiCloud. Initially we thought this was a natural part of a YubiCloud service. The more we have worked with customers to establish and recommend practices around the use and deployment of YubiKeys, though, the more we have come to reconsider this recommendation. We have realized that a centralized service for revoking a YubiKey often leads to deployments that are inefficient for administrators to operate, and it introduces a new set of security considerations for deployments.


For systems that use YubiKeys validated through the YubiCloud, the standard pattern is to set up a service that performs authentication using a username, usually a password, and a Yubico OTP. These systems usually have an administrative interface, of varying levels of sophistication, for managing users. Technically the system performs authentication by validating the username and password, and then validates the Yubico OTP against the YubiCloud to achieve two-factor authentication. For example, the system may be as simple as a WordPress blog with the YubiKey plugin, or Unix (typically Mac or GNU/Linux) login using the PAM module. The WordPress system has its own user management interface, and Unix has its own user management and configuration interface. When a YubiKey is lost, to let the user regain access to the system, the administrator has to provide a mechanism for the user to associate a new YubiKey, or at least temporarily disable two-factor authentication. When YubiRevoke is used, customers sometimes end up implementing procedures for administrators to disable the YubiKey in both places, the application's own user management and YubiRevoke, which is inefficient.


For the reasons above, Yubico is planning to decommission our YubiRevoke service on the 1st of October 2014. We advise customers to simplify their processes around revocation so that they do not involve the YubiRevoke service. We will disable new YubiRevoke account registration on June 13th 2014, and disable adding new YubiKeys to existing accounts on the 1st of August 2014. Please find below a quick FAQ around this.


Q: If I lose my YubiKey what should I do?

A: You should login to the sites where you used the YubiKey on and change the account settings to use your replacement YubiKey instead.


Some weeks ago I lost my purse with everything in it, from residency card, driving license, credit cards, cash cards, all kinds of ID cards, and last but not least my Yubikey NEO. This being Japan, I expected the purse to show up in a few days, most probably with the money gone but all the cards intact. Unfortunately not this time. So after having finally reissued most of the cards, I also took the necessary steps concerning the Yubikey, which contained my GnuPG subkeys and was used as a second factor for several services (see here and here).


All of that is quite straightforward: use gpg --expert --edit-key YOUR_KEY_ID; after this you select the subkey with key N, followed by revkey. You can select all three subkeys and revoke them at the same time: just type key N for each of the subkeys (where N is the index starting from 0 of the key).


The most tricky part was setting up and distributing the keys on my various computers: The master key remains as usual on offline media only. On my main desktop at home I have the subkeys available, while on my laptop I only have stubs pointing at the Yubikey. This needs a bit of shuffling around, but should be obvious somehow when looking at the previous blogs.


The last step was re-registering the new Yubikey with all the favorite services as second factor, removing the old key on the way. In my case the list comprises several WordPress sites, GitHub, Google, NextCloud, Dropbox and what else I have forgotten.


Although this is the nearly worst-case scenario (ok, the main key was not compromised!), everything went very smoothly and easily, to my big surprise. Even my Debian upload ability was not interrupted considerably. All in all it shows that having subkeys on a Yubikey is a very useful and effective solution.


What happens if you lose your YubiKey? You should have backup methods to regain access set up in case you lose your key. This can be an authenticator app on your smartphone or a set of printed one-time recovery codes.


If you have already lost your YubiKey, do not panic. Many services and websites will still have a verification process to allow you to verify your identity to regain access. Read and understand what verification steps are in place for the service or website that you have enabled your lost YubiKey on.


Kernel Afrika is a cyber security company with a focus on solutions that help mitigate risk and threats to organisations. Our offering includes services, hardware and training that help businesses deal with cyber threats.


If your virtual MFA device or hardware TOTP token appears to be functioning properly, but you can't use it to access your AWS resources, it might be out of synchronization with AWS. For information about synchronizing a virtual MFA device or hardware MFA device, see Resynchronizing virtual and hardware MFA devices. FIDO security keys do not go out of sync.


If your AWS account root user multi-factor authentication (MFA) device is lost, damaged, or not working, you can recover access to your account. IAM users must contact an administrator to deactivate the device.


We recommend that you enable multiple MFA devices for your IAM users to ensure continued access to your account in case of lost or inaccessible MFA device. You can register up to eight MFA devices of any combination of the currently supported MFA types with your AWS account root user and IAM users.


If your AWS account root user multi-factor authentication (MFA) device is lost, damaged, or not working, you can sign in using another MFA device registered to the same AWS account root user. If the root user only has one MFA device enabled, you can use alternative methods of authentication. This means that if you can't sign in with your MFA device, you can sign in by verifying your identity using the email and the primary contact phone number registered with your account.


Before you use alternative factors of authentication to sign in as a root user, you must be able to access the email and primary contact phone number that are associated with your account. If you need to update the primary contact phone number, you can sign in as an IAM user with Administrator access instead of the root user. For additional instructions on updating the account contact information, see Editing contact information in the AWS Billing User Guide. If you do not have access to an email and primary contact phone number, you must contact AWS Support.


We recommend that you keep the email address and contact phone number linked to your root user up to date for a successful account recovery. For more information, see Update the primary contact for your AWS account in the AWS Account Management Reference Guide.


You might see alternative text, such as Sign in using MFA, Troubleshoot your authentication device, or Troubleshoot MFA, but the functionality is the same. If you can't use alternative factors of authentication to verify your account email address and primary contact phone number, contact AWS Support to deactivate your MFA device.


If you don't receive a call from AWS, choose Sign in to sign in to the console again and start over. Or see Lost or unusable Multi-Factor Authentication (MFA) device to contact support for help.


For a hardware TOTP token, contact the third-party provider for help fixing or replacing the device. You can continue to sign in using alternative factors of authentication until you receive your new device. After you have the new hardware MFA device, go to the AWS Security Credentials page and delete the old MFA hardware device entity before you create a new one.


You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your FIDO security key and order a new one, you can use virtual MFA or a hardware TOTP token until you receive a new FIDO security key.


If your MFA device is missing or stolen, after signing in using alternative factors of authentication and establishing your replacement MFA device, change your root user password in case an attacker has stolen the authentication device and might also have your current password. For more information, see Change the password for the AWS account root user in the AWS Account Management Reference Guide.


Contact the AWS administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivating MFA devices so that you can sign in.

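As an added example for the username/password-then-Yubico-OTP pattern discussed above (this is not code from the original page, from Yubico, or from the WordPress plugin or PAM module mentioned there), here is the server side in Python: the application keeps its own table of enrolled YubiKey public IDs and disables a lost key there, which is exactly the local handling the YubiRevoke announcement recommends instead of a central revocation service, and it signs and checks YubiCloud validation messages the way Validation Protocol 2.0 specifies (HMAC-SHA1 over the alphabetically sorted parameters, keyed with the base64-decoded API key). The user table, API key, OTP and YubiCloud response below are constructed for the example and are not real credentials.

```python
"""Added example, not from the page or from Yubico: first factor locally, then
a signed YubiCloud request for the Yubico OTP, with a lost key disabled in the
application's own user table.

Constructed inputs (not real): USERS, API_KEY_B64, SAMPLE_OTP, SAMPLE_RESPONSE.
"""
from __future__ import annotations
import base64
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet


def modhex_to_hex(text: str) -> str:
    return "".join(f"{MODHEX.index(ch):x}" for ch in text)


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, encrypted_token). The last 32 modhex characters are
    the AES-encrypted token; what precedes them (normally 12 characters) is the
    key's public identity, which is what the user table stores."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32], otp[-32:]


def canonical_string(params: dict) -> str:
    """Validation Protocol 2.0: parameters sorted by name, k=v joined by '&', h excluded."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")


def sign_params(params: dict, api_key_b64: str) -> str:
    key = base64.b64decode(api_key_b64)
    tag = hmac.new(key, canonical_string(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(tag).decode()


def verify_signature(params: dict, api_key_b64: str) -> bool:
    return hmac.compare_digest(params.get("h", ""), sign_params(params, api_key_b64))


def parse_response(text: str) -> dict:
    """The YubiCloud answers with key=value lines separated by CRLF."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


# Constructed user table: what a WordPress plugin or PAM module would keep.
USERS = {
    "alice": {"yubikey_public_id": "cccccccfhcbe", "yubikey_disabled": False},
    "bob":   {"yubikey_public_id": "cccccccbtlhv", "yubikey_disabled": True},  # reported lost
}


def second_factor_gate(username: str, otp: str) -> str:
    """Run after the password check. Decides whether a YubiCloud round-trip is
    warranted at all: the OTP must come from the key enrolled for this user,
    and that key must not have been disabled locally (the lost-key case)."""
    public_id, _ = split_otp(otp)
    rec = USERS.get(username)
    if rec is None or rec["yubikey_public_id"] != public_id:
        return "reject: OTP is not from the key enrolled for this user"
    if rec["yubikey_disabled"]:
        return "reject: key disabled (reported lost)"
    return "forward to YubiCloud"


def check_response(request: dict, response: dict, api_key_b64: str) -> bool:
    """Accept only a correctly signed OK whose otp and nonce echo our request,
    so a captured earlier answer cannot be replayed for a different OTP."""
    return (verify_signature(response, api_key_b64)
            and response.get("status") == "OK"
            and response.get("otp") == request["otp"]
            and response.get("nonce") == request["nonce"])


API_KEY_B64 = base64.b64encode(b"not a real Yubico API key").decode()  # constructed
SAMPLE_OTP = "cccccccfhcbe" + "ekflknfhgdfrfndlllrfcguvfcigbnhu"      # constructed, not a real token
REQUEST = {"id": "1", "otp": SAMPLE_OTP, "nonce": "0123456789abcdef0123"}
REQUEST["h"] = sign_params(REQUEST, API_KEY_B64)

# A response formatted as the YubiCloud would send it, signed with the same key.
_resp_fields = {"t": "2024-08-05T04:10:26Z0123", "otp": SAMPLE_OTP,
                "nonce": REQUEST["nonce"], "sl": "100", "status": "OK"}
SAMPLE_RESPONSE = ("".join(f"{k}={v}\r\n" for k, v in _resp_fields.items())
                   + f"h={sign_params(_resp_fields, API_KEY_B64)}\r\n")

if __name__ == "__main__":
    print(second_factor_gate("alice", SAMPLE_OTP))
    print(second_factor_gate("bob", "cccccccbtlhv" + SAMPLE_OTP[12:]))
    print(check_response(REQUEST, parse_response(SAMPLE_RESPONSE), API_KEY_B64))
```

Disabling bob's key is a one-field change in the application's own user record, which is the point of the announcement: the place that already manages the user is the place that revokes the key, and the YubiCloud only ever sees OTPs the application chose to forward.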
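The subkey revocation from the lost-purse post above, as an added example that is not the author's own script and not GnuPG project code: Python drives gpg through its --command-fd option with the same key N / revkey answers that would be typed interactively, against a throwaway key in a temporary GNUPGHOME, so nothing on the real keyring is touched. It assumes GnuPG 2.2 or later on PATH with ed25519/cv25519 support and the GnuPG 2.x prompt order for revkey (confirm, reason code, free-text lines ended by a blank line, final confirm); the function returns None when gpg is not installed.

```python
"""Added example, not from the post or from GnuPG: revoke the subkeys that
lived on a lost YubiKey, unattended, via gpg --command-fd.

Assumptions: GnuPG >= 2.2 on PATH; the GnuPG 2.x revkey prompt order.
"""
import os
import shutil
import subprocess
import tempfile

# Answers for the interactive session, one per prompt:
#   key 1 / key 2 / key 3   select every subkey (index 0 would be the primary key)
#   revkey                  revoke the selection
#   y                       "Do you really want to revoke the selected subkeys?"
#   1                       reason 1 = key has been compromised (it is out of our hands)
#   text, then blank line   optional description, terminated by an empty line
#   y                       "Is this okay?"
#   save                    write the revocation self-signatures and exit
EDIT_KEY_SCRIPT = "\n".join([
    "key 1", "key 2", "key 3", "revkey", "y", "1",
    "Subkeys lived on a YubiKey that was lost with a wallet", "",
    "y", "save", "",
])


def _gpg(home, *args, stdin=None):
    """Run gpg against the isolated keyring with pinentry disabled (empty passphrase)."""
    cmd = ["gpg", "--batch", "--quiet", "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True,
                          env={**os.environ, "GNUPGHOME": home}, check=True).stdout


def _list_keys(home, selector):
    """Colon-separated key listing, split into fields per record."""
    out = _gpg(home, "--with-colons", "--list-keys", selector)
    return [line.split(":") for line in out.splitlines()]


def revoke_lost_subkeys():
    """Generate a certify-only primary with sign/encrypt/auth subkeys (the usual
    YubiKey layout), revoke all three subkeys as in the post, and return how
    many subkeys the keyring now reports as revoked. None if gpg is missing."""
    if shutil.which("gpg") is None:
        return None
    home = tempfile.mkdtemp()          # throwaway GNUPGHOME, removed below
    os.chmod(home, 0o700)
    try:
        _gpg(home, "--quick-generate-key", "Lost Key Demo <demo@example.invalid>",
             "ed25519", "cert", "never")
        # fpr record: fingerprint is field 10 of the colon listing
        fpr = next(f[9] for f in _list_keys(home, "demo@example.invalid") if f[0] == "fpr")
        for algo, usage in (("ed25519", "sign"), ("cv25519", "encr"), ("ed25519", "auth")):
            _gpg(home, "--quick-add-key", fpr, algo, usage, "never")

        # The session from the post, answers supplied on stdin instead of a terminal.
        _gpg(home, "--command-fd", "0", "--expert", "--edit-key", fpr, stdin=EDIT_KEY_SCRIPT)

        # Revoked subkeys carry validity "r" in the sub records of the listing.
        revoked = sum(1 for f in _list_keys(home, fpr) if f[0] == "sub" and f[1] == "r")

        # What gets pushed to keyservers / handed to services that hold the
        # public key: the key with the revocation signatures attached.
        armored = _gpg(home, "--armor", "--export", fpr)
        if "BEGIN PGP PUBLIC KEY BLOCK" not in armored:
            raise RuntimeError("export produced no armored key")
        return revoked
    finally:
        subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                       env={**os.environ, "GNUPGHOME": home}, capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(revoke_lost_subkeys())   # 3 on a machine with gpg, None without
```

Reason code 1 (compromised) rather than 3 (no longer used) is the conservative choice for a lost device: the post notes the master key stayed safe, but the subkeys are in unknown hands. Against a real key the same answers go to `gpg --expert --edit-key YOUR_KEY_ID` with the primary secret key available, which for the offline-master setup described in the post means doing it on the offline medium and then exporting the updated public key.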
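An added example (not from the page, from AWS, or from boto3) for the "enable multiple MFA devices" recommendation in the AWS text above: an offline audit over data in the shape boto3's iam.list_mfa_devices() returns, flagging the IAM users who would be locked out by losing a single device and would then need the administrator deactivation the page describes. The device-type heuristics (virtual MFA ARN ending in :mfa/<name>, FIDO ARN containing :u2f/user/, bare vendor serial for hardware TOTP), the "two devices of the same kind" warning and the sample records are this example's own assumptions and constructed data, not anything the page states.

```python
"""Added example, not from the page or from AWS: audit IAM MFA enrolment for
users with no backup device.

Assumptions: device records shaped like boto3 iam.list_mfa_devices() entries
("UserName", "SerialNumber"); serial-number patterns below are heuristics.
Sample users and devices are constructed, not captured from an account.
"""
from __future__ import annotations
import re
from collections import defaultdict

MAX_DEVICES = 8        # per-principal limit quoted on the page
RECOMMENDED_MIN = 2    # one working device plus at least one backup

_VIRTUAL = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:mfa/")        # assumed format
_FIDO = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:u2f/user/")     # assumed format
_HW_SERIAL = re.compile(r"^[A-Z0-9]{8,32}$")                     # assumed vendor serial


def classify_device(serial: str) -> str:
    if _VIRTUAL.match(serial):
        return "virtual"
    if _FIDO.match(serial):
        return "fido"
    if _HW_SERIAL.match(serial):
        return "hardware_totp"
    return "unknown"


def audit_mfa(user_names, devices) -> dict[str, dict]:
    """Per-user device count, inferred types and findings. Users that appear
    in user_names but own no device are reported too, since list_mfa_devices
    returns nothing for them."""
    by_user: dict[str, list[str]] = defaultdict(list)
    for d in devices:
        by_user[d["UserName"]].append(d["SerialNumber"])
    report = {}
    for user in sorted(set(user_names) | set(by_user)):
        serials = by_user.get(user, [])
        types = sorted(classify_device(s) for s in serials)
        issues = []
        if not serials:
            issues.append("no MFA device registered")
        elif len(serials) < RECOMMENDED_MIN:
            issues.append("single device: losing it needs an administrator to deactivate MFA")
        elif len(set(types)) == 1 and types[0] == "fido":
            # Example's own policy: two keys on one keyring get lost together.
            issues.append("backup is the same kind of device; keep one key somewhere else")
        if len(serials) > MAX_DEVICES:
            issues.append(f"more than {MAX_DEVICES} devices; AWS would have rejected this")
        report[user] = {"count": len(serials), "types": types, "issues": issues}
    return report


def deactivation_command(user: str, serial: str) -> str:
    """The administrator step for a lost device, as an AWS CLI invocation."""
    return f"aws iam deactivate-mfa-device --user-name {user} --serial-number {serial}"


# Constructed sample, shaped like list_mfa_devices() output for four users.
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]
SAMPLE_DEVICES = [
    {"UserName": "alice", "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"},
    {"UserName": "alice", "SerialNumber": "GAHT12345678"},
    {"UserName": "bob",   "SerialNumber": "arn:aws:iam::123456789012:u2f/user/bob/ExampleCredential1111"},
    {"UserName": "carol", "SerialNumber": "arn:aws:iam::123456789012:u2f/user/carol/ExampleCredential2222"},
    {"UserName": "carol", "SerialNumber": "arn:aws:iam::123456789012:u2f/user/carol/ExampleCredential3333"},
    # dave has no MFA device at all
]

if __name__ == "__main__":
    for user, finding in audit_mfa(SAMPLE_USERS, SAMPLE_DEVICES).items():
        print(user, finding["count"], finding["types"], finding["issues"])
    print(deactivation_command("bob", SAMPLE_DEVICES[2]["SerialNumber"]))
```

In a live account the input comes from `aws iam list-mfa-devices --user-name <name>` for each user (or the equivalent boto3 call) and `aws iam list-users` for the user list; the root user is not covered by this audit because its devices are not visible through the IAM user API, which is why the page's email-and-phone recovery path matters for root.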