Hello there!
I have several things in the pipeline that will benefit from some public exposure, so I will try to post here more regularly.
We'll start easy and talk about Yubico hardware keys today. I bought a Yubikey Edge last year, thinking that it was finally the end of having to manage endless lists of passwords.
That was very naive of course. The main benefit I got out of the purchase is that I now have two-factor auth for all my critical apps and services (Gmail, Amazon AWS, Dropbox, GitHub and Xero). This is all done through the Google Authenticator app on iOS, and does not make use of the Yubikey at all.
I found Yubikey's documentation to be a bit lacking about where and how the key could be used and how to set it up. I assumed it would replace the two-factor auth apps, but that wasn't the case.
I also found that U2F only works with Google Chrome on Windows. I'm running Chrome on Linux and web-based U2F doesn't work there.
Adding the key to your GitHub account will have interesting effects. All your authenticated https access will be disabled, and you will have to rely on ssh keys only. I understand that private ssh keys are more secure than a login/password over https, but I feel that disabling https shouldn't be an implicit requirement.
Essentially, the Yubikey on GitHub secures your website login only. If you want to lock things down further, you will have to do some extra work to protect your private ssh keys.
Things will continue to improve with broader adoption. Better, easier OATH-TOTP would have the most impact for me. In the meantime, the cheap and easy improvement to your online security is simply to get the Google Authenticator app and set it up on a handful of essential services.