My Yubikey broke, but I had a backup. So should you with your 2FA
Published: 18-03-2018 | Author: Remy van Elst
Today my trusty old first generation Yubikey didn't light up when I plugged it in. No problem for me, I had a backup key. But most people don't, so here's an important tip when you use two factor authentication like a Yubikey, Nitrokey or Google Authenticator (HOTP). TL;DR: Have a second hardware token stored away safely and backup your QR codes (print/screenshot) somewhere secure. Swap the hardware tokens often to make sure they both work with all services.
As we all know, 2 factor authentication is important. Passwords are insecure, can be brute forced or logged (malware, keylogger) and are re-used everywhere. If your password is leaked and you are using two factor, something you know (password/username) and something you have (security token, time-based code), the attacker doesn't have access to your stuff unless they also compromise the second factor.
I love security devices. I've written a lot about the open source NitroKey devices, even how to get the private key from the HSM. Also about the FST-01, an open source GnuPG token, and the SmartCard-HSM. In my professional job I work with enterprise HSM devices (Safenet, Gemalto).
Backups backups backups!
This tip applies to both HOTP tokens (Google Authenticator) and hardware tokens.
HOTP / TOTP
If you use Google Authenticator (or any other TOTP/HOTP), you get a QR code to scan with your device or a code to enter. Screenshot that code and print it, file it in a folder. Or write down the code.
I myself have a second Android device at home with all the codes scanned as well, so when my main phone breaks I have an 'online' backup. Since the codes are all printed, when my main phone is working again, I scan the codes from the 'offline' backup to add them back. I don't have to login to every service or contact customer support to change the 2 factor settings.
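As an added example (not code from the original article), here is what that printed QR code actually holds and how a restore test of it can be scripted: the QR code encodes an otpauth:// URI containing the shared secret, so the phone and the printout must produce the same code for the same moment in time. The URIs and the key below are constructed sample values (the RFC 4226/6238 test key), not real accounts.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// URI (the content of the QR code) into its fields."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # issuers often omit base32 padding
    return {
        "type": parsed.netloc,  # "totp" or "hotp"
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "counter": int(params.get("counter", 0)),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, at // period, digits, algorithm)


def code_for(uri: str, at: int) -> str:
    """Current code for a stored otpauth URI (HOTP uses the URI's counter)."""
    p = parse_otpauth(uri)
    if p["type"] == "totp":
        return totp(p["key"], at, p["period"], p["digits"], p["algorithm"])
    return hotp(p["key"], p["counter"], p["digits"], p["algorithm"])


def restore_test(primary_uri: str, backup_uri: str, at: int) -> bool:
    """The restore test: the phone and the printed backup must agree."""
    return code_for(primary_uri, at) == code_for(backup_uri, at)


# Constructed samples: same RFC test key "12345678901234567890", two URI spellings.
PRIMARY_URI = "otpauth://totp/Example:remy%40example.org?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
BACKUP_URI = "otpauth://totp/Example:remy%40example.org?issuer=Example&secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&digits=6&period=30"
```

Run `restore_test(PRIMARY_URI, BACKUP_URI, int(time.time()))` against the URI decoded from your own printout; a backup whose secret was copied wrong returns False.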
The physical tokens, like the Yubikey, GnuPG (FST-01 or Nitrokey Start/Pro), SmartCard HSM, Nitrokey HSM or the RSA token (yes, sadly my keychain is full of those), all have a second device. At home I have a 'backup' keychain with authentication tokens. That means a second Yubikey (for KeePass), a second Nitrokey Pro (for GPG) and a second Nitrokey HSM (S/MIME and other certificates). It also has copies of the important physical keys (car, home, etc).
This keychain is stored in a safe next to the phone with the authenticator and the printed QR codes. Also a printout of my private keys which are not in hardware tokens (with passwords).
You must also add all these devices to the services you use. Lastpass for example supports up to 5 Yubikeys. It's not much use to have a second Yubikey if you can't use it. So make sure to add the token to the service you use.
In the case of the GPG token and the HSM, backup the key material on them and import it on the second device.
The last step in this backup scheme is, as with all backups, to regularly test them. Otherwise a backup is worth nothing. I swap the keychain once every month, so I know it works with all the services it needs to. If something doesn't work, I don't want to find out at a critical moment, rather as soon as possible. Just as with all other backups, do a restore test once in a while.
I know that this increases the cost, instead of 1 token you need to buy two, and Yubikeys are pricey ($50 as of today). But I've had my two Yubikeys since around 2010, so 8 years, that is a cost I could spread out. The other hardware tokens are either bought via my work (free for me, yay) or paid for myself. But my time is costly, so I'd rather buy two tokens than spend an afternoon fixing all the 2 factor authentication.

Tags: backups, blog, hotp, lastpass, nitrokey, password, security, yubikey