Yubikey vs other 2FA


Post by DrBooth » Sun Aug 18, 2019 7:33 pm

Is using a YubiKey any better than using Google Authenticator for 2FA?

I am using both and I can't see what Yubikey offers that Google Authenticator doesn't.
Please let me know. Cheers. :)
DrBooth
 
Posts: 6
Joined: Sun Aug 18, 2019 9:53 am

Re: Yubikey vs other 2FA

Post by jaredpotter278 » Mon Aug 19, 2019 6:35 pm

Right now they are the same. They are both using OTP to offer a second step of authentication along with your master password. The key phrase there is authentication.

Other password managers provide another method of using the Yubikey for a higher level of security. This other method is called Challenge-Response. The short of it is that you type your master password, and it then gets "written" to the Yubikey. On the Yubikey there's a secret that's hashed (combined and mixed in a very specific way, for the less techy) with your master password, and the output of this hash is the actual passphrase for unlocking your password manager file. From your standpoint, you just plug in your Yubikey and enter your password as normal.

LastPass does not currently support Challenge-Response, in large part because Apple/iOS have limited access to NFC (the primary way mobile devices use Yubikey) to 3rd-party developers, especially the ability to "write" to it. Therefore LastPass has been limited to OTPs from Yubikey. LastPass does claim to take what's called the static portion of the OTP to encrypt password files locally, but evidence on Windows suggests to me this might not actually be happening. Additionally, the "emergency access" feature makes me question if that is a surface of attack.

However, with iOS 13 coming out this year, Apple is allowing iPhone 7 and later phones to write to NFC Yubikeys. Android has had this ability for years. In theory, a higher level of security will be obtained if LastPass overhauls all of their applications to support Challenge-Response.

Although OTP and Challenge-Response both require a password (not just for authentication but for decryption), Challenge-Response requires the physical Yubikey. That means even if your master password is compromised, a would-be attacker wouldn't gain access to your vault of passwords/secrets. OTP does provide a similar hardware-based protection, but because it isn't using the Yubikey for encryption key generation it is somewhat less secure.
jaredpotter278
 
Posts: 4
Joined: Mon Aug 19, 2019 5:57 pm
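
The difference described in the post above between OTP as an authentication step and challenge-response as part of key derivation, sketched as an added example that is not part of the thread and is not LastPass or Yubico code. It assumes HMAC-SHA1 as the token's function (the algorithm YubiKey challenge-response slots support), simulates the token in software, and uses hypothetical names, constructed sample values and an illustrative PBKDF2 work factor.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # illustrative work factor, not any product's setting


class SimulatedToken:
    """Software stand-in for a hardware token's HMAC-SHA1 challenge-response slot."""

    def __init__(self, secret: bytes):
        self._secret = secret  # on real hardware this never leaves the device

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def stretch(master_password: str, salt: bytes) -> bytes:
    """Key material derived from the password and the vault's salt only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)


def otp_model_key(master_password: str, salt: bytes) -> bytes:
    # OTP model: the one-time code is checked at login, but the vault key is
    # derived from the password alone, so the token plays no part in decryption.
    return stretch(master_password, salt)


def challenge_response_key(master_password: str, salt: bytes, token: SimulatedToken) -> bytes:
    # Challenge-response model: password-derived bytes go to the token as the
    # challenge, and its keyed response is mixed into the final vault key.
    stretched = stretch(master_password, salt)
    return hashlib.sha256(stretched + token.respond(stretched)).digest()


if __name__ == "__main__":
    # Constructed sample values: a leaked password and a copied vault salt.
    salt, password = b"constructed-salt", "correct horse battery staple"
    owner = SimulatedToken(b"A" * 20)       # the token that created the vault key
    not_owner = SimulatedToken(b"B" * 20)   # any token without the owner's secret

    cr_key = challenge_response_key(password, salt, owner)
    wrong = challenge_response_key(password, salt, not_owner)
    print("password + wrong token yields vault key:", hmac.compare_digest(cr_key, wrong))
    print("password alone yields OTP-model key:",
          hmac.compare_digest(otp_model_key(password, salt), stretch(password, salt)))
```
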

Re: Yubikey vs other 2FA

Post by dave964 » Mon Aug 26, 2019 8:39 am

For me, the advantage of Yubikey over Google Authenticator is that I can register multiple Yubikeys with LastPass. I keep one in my tower computer at home, one on my key ring (for laptop + NFC for phone, though a USB OTG adapter works, too), and one more in the fire-safe where I keep my offline/onsite backups. A Yubikey is about $40-$50, so roughly between 5% and 50% of the cost of a compatible Android device (5% if comparing to a flagship phone, 50% vs. a cheap tablet).
dave964
 
Posts: 6
Joined: Fri Nov 27, 2015 7:19 pm

Re: Yubikey vs other 2FA

Post by DrBooth » Tue Aug 27, 2019 7:34 am

dave964 wrote: For me, the advantage of Yubikey over Google Authenticator is that I can register multiple Yubikeys with LastPass.

You can also register multiple Google Authenticators. Actually an unlimited number, so advantage GA.

dave964 wrote: I keep one in my tower computer at home

The security of a Yubikey depends on physical possession. I would not leave one permanently in a PC at home. A thief breaking in will get both your PC and your 2FA.

Based on my own experience, I just can't see any good reason to be using a Yubikey on a day-to-day basis. I put mine away as a backup and I will probably forget I have it.
DrBooth
 
Posts: 6
Joined: Sun Aug 18, 2019 9:53 am

Re: Yubikey vs other 2FA

Post by dave964 » Tue Aug 27, 2019 8:54 am

Yes, I should probably have said something like "afford multiple Yubikeys."
dave964
 
Posts: 6
Joined: Fri Nov 27, 2015 7:19 pm

