Two-factor authentication, or 2FA, provides extremely effective protection against account takeovers. But as SIM-swapping attacks have become more commonplace, more and more folks are starting to realize the issues with SMS-based 2FA that have prevented security experts from recommending it for quite some time. Even Twitter, which has required a phone number for years, finally allows users to set up 2FA without a SIM-swap-attack-enabling phone number, and it was the last holdout I was aware of. And while app-based 2FA hasn’t seen the same kinds of attacks, I’ve been intrigued by the idea of security keys for a long time.
At first it seemed like I was just hearing about super-high-security finance companies who required them, and then one day they seemed to be all over my twitter feed, as an even-more-secure alternative to 2FA apps like Google Authenticator and Duo. So when I finally picked up the most basic Yubico key a couple years back, I was super excited to set it up, and I generally felt very fancy with my newly-locked-down accounts. But my excitement faded a bit as I realized that my mobile devices were out of luck: these Apple devices only had Lightning connectors, and my Yubikey was USB.
Soon after, I switched to an all-USB-C MacBook, which meant I'd need a clunky dongle to use my shiny new Yubikey. I could upgrade to a USB-C key, but to get the mobile devices into the mix I’d need to get ahold of an additional key that supported NFC. Investing in a second key to carry around, before I’d really even gotten started, felt like a step too far. This basically shut down my motivation, and I carried the unused key around for a year, using an app for my 2FA needs instead (to re-emphasize: not SMS).
At this point, app-based 2FA mostly worked fine for me, but a thing I didn’t love, specifically about 2FA with Google Authenticator, was the prospect of changing phones and swapping out codes. I went through this with one phone upgrade and it was kind of a pain, with dozens of accounts hooked up. The disaster-recovery aspects here are mitigable with backup codes in a safe, but I’d have loved less manual process of setting up accounts again. It makes sense in a way—don’t want to send clear text secrets like this to iCloud—but it gave me some low-level anxiety nonetheless. Other solutions like Authy and Duo offer backup solutions, so this isn't a fundamental limitation of app-based 2FA.
I knew some folks store 2FA secrets (those QR codes you scan to set up 2FA) in password managers like 1Password, which adds additional risk and value to the password manager vault. It's a bit of a counterintuitive approach: in theory, a "second factor" should be a separate thing protecting you against an attacker with access to your password—and if your 2FA secret lives in that same place, an attacker who can open the 1Password vault now has access to both factors. We'll come back to this idea in a bit.
Dawning of a new era?
On August 20, 2019, Yubico released the 5Ci—a USB-C and Lightning key. I was still interested in the security key concept, and now with a single key that worked on my mobile devices, it seemed like I was there.
But to my dismay, when the device arrived, I found that none of my mobile browsers or other apps (particularly Google’s, which I’m using for both work and personal accounts) accepted the Lightning YubiKey. Apparently some apps were already lined up using the Brave browser's FIDO2/WebAuthn protocol implementation, just not all browsers, and my most critical accounts didn’t seem to work in any browser I tried. I found a handful of folks with similar findings on Twitter; there didn’t seem to be any official word from either Google or Yubico.
A couple months later, Yubico announced Yubico Authenticator for iOS. It’s a pretty nifty little app that uses 2FA secrets stored on-device to generate 2FA codes (those 6-digit things you type in). The app itself doesn’t store the secrets—it just allows you to read them from the YubiKey.
It’s less convenient than I’d prefer, but it’s not terrible: plug the key in, copy the relevant code, and paste it into the app that’s giving you the 2FA challenge.
So voila, 2FA with a single security key that works on both desktop and mobile. I’m also happy with my backup story—my old USB-A dongle-requiring YubiKey works great as a backup solution. Using a dongle isn’t anywhere near as annoying if it’s during disaster recovery! And that security key can sit in a safety deposit box, or a safe, or under my mattress, or wherever I decide to stash it—keeping in mind that as with any other credentials, the backup solution needs to be kept just as secure as the primary!
But seriously, make sure you have a backup plan for each account, regardless of your 2FA choices—a minor panic recently over a missing security key in a parking garage during family travel was a lot less scary than it could have been, because I knew I had a backup key waiting at home. The missing key in question turned out to be under the diaper bag, which I found only at my lowest point, after giving up.
The YubiKey 5Ci stores a bunch of 2FA secrets (32 currently), but not nearly enough to cover all of my accounts. So the other 2FA secrets have to go somewhere. And for me, that’s still an application, although I can imagine some folks having multiple keys for this. As I mentioned, Google Authenticator is a no-go for me right now because I want to have an easy-to-replace backup of all my secrets. When I replace a phone, I don’t want to have to set up lots of accounts again on the new device. I know lots of folks like Duo and Authy, but there’s another option (albeit somewhat controversial): 1Password itself has 2FA options.
There’s the option to use a 2FA device to access a Vault on a new device (which I’d recommend regardless), and also the option to embed 2FA secrets as data elements for a particular website login. This first capability means I can (and do) configure my 1Password web access to require my second factor, the YubiKey.
This mostly works exactly as you’d expect from other 2FA services: it prompts for the security key to be entered. But for both native apps and the web app, the 2FA challenge is generally only required for the initial sign in for a given device. You can view your authorized devices in the web interface and also set to require the 2FA challenge on the next sign-in. While imperfect, this 2FA requirement on 1Password makes me feel more comfortable in storing 2FA secrets in 1Password for some accounts. Not the one for 1Password itself, nor some others that I consider mission critical, but I consider this to be a convenient escape hatch.
There will be an NFC + USB-C Yubikey coming out at some point, according to a blurb at the bottom of a page on their website about mobile offerings, which should be a bit more convenient than plugging into the Lightning port. And hopefully soon all of the mainstream browsers and web apps will fully support WebAuthn to eliminate the app-switching and copy-pasting dance that the 5Ci currently requires. The newly released iOS 13.3 has Safari support for WebAuthn for both Lightning and NFC keys, and I can confirm that it works well on at least a handful of web apps. It still depends on mobile apps actually consuming the WebAuthn API, so it’s incomplete, but it seems like we’re heading in a positive direction. And regardless, I’m super-pleased to have a solution that works with a single key on both desktop and mobile.
So long story short, I’m optimistic that security keys are going to get easier and easier to use.
On the other hand, if you don’t want to spend the cash on a key, you can at least make sure you’re using 2FA everywhere it’s supported, and make it app-based rather than email or SMS!