MFA/YubiKey clarifications (#972)

This commit is contained in:
Daniel Gray 2022-04-11 05:57:56 +00:00
parent 8d64d97d82
commit 1beaa6c2b7
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3

View File

@ -35,9 +35,15 @@ An adversary could set up a website to imitate an official service in an attempt
Although not perfect it is secure enough for most people, and when [Hardware Security Keys](#hardware-security-keys) are not supported TOTP with [Authenticator Apps](#authenticator-apps) are still a good option. Although not perfect it is secure enough for most people, and when [Hardware Security Keys](#hardware-security-keys) are not supported TOTP with [Authenticator Apps](#authenticator-apps) are still a good option.
### Yubico OTP ### Hardware security keys
**Yubico OTP** is an authentication protocol typically implemented in hardware security keys. When a user decides to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without a expensive processes and a forensics laboratory.
As these keys are generally multi-function and provide a number of methods to authenticate we discuss below the most common ones.
#### Yubico OTP
Yubico OTP is an authentication protocol typically implemented in hardware security keys. When a user decides to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.
When logging into a website all a user needs to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. When logging into a website all a user needs to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.
@ -49,17 +55,15 @@ The service will then forward the one-time password to the Yubico OTP server for
There are some benefits and disadvantages to using Yubico OTP when compared to [TOTP](#time-based-one-time-password-totp). There are some benefits and disadvantages to using Yubico OTP when compared to [TOTP](#time-based-one-time-password-totp).
YubiKeys are quite difficult to copy but in the event an adversary was able to accomplish this, the security key would be rejected when logging in as the counter stored on the key would be lower than what is stored on the Yubico validation server.
The Yubico validation server is a cloud based service, and users do place trust in Yubico that they are storing data securely and not profiling users. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile the user. The Yubico validation server is a cloud based service, and users do place trust in Yubico that they are storing data securely and not profiling users. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile the user.
Like [TOTP](#time-based-one-time-password-totp), Yubico OTP does not provide phishing resistance. Like [TOTP](#time-based-one-time-password-totp), Yubico OTP does not provide phishing resistance.
If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.
### FIDO2 / U2F #### FIDO2 / U2F
[**FIDO2**](https://en.wikipedia.org/wiki/FIDO2_Project) / [**U2F**](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is the most secure and private form of second factor authentication. While the user experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead FIDO2 (and U2F) use [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) / [**U2F**](https://en.wikipedia.org/wiki/Universal_2nd_Factor) is the most secure and private form of second factor authentication. While the user experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead FIDO2 (and U2F) use [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication.
When a user creates an account the public key is sent to the service. When the user logs in the service will require the user to "sign" some data with their private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. When a user creates an account the public key is sent to the service. When the user logs in the service will require the user to "sign" some data with their private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.
@ -75,9 +79,9 @@ This presentation discusses the history of password authentication, the pitfalls
FIDO2 / U2F has superior security and privacy properties when compared to any MFA methods. FIDO2 / U2F has superior security and privacy properties when compared to any MFA methods.
The public key authentication used by FIDO2 / U2F is more secure than shared secrets used in Yubico OTP and TOTP, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect the user from phishing as it helps them to determine that they are using the authentic service and not a fake copy. Typically for web services it is used with [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect the user from phishing as it helps them to determine that they are using the authentic service and not a fake copy.
FIDO2 / U2F does not use any public ID, so the key is **not** identifiable across different websites like Yubico OTP. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website the user is logging into. FIDO2 / U2F also uses a counter like Yubico OTP to help detect key cloning. WebAuthn does not use any public ID, so the key is **not** identifiable across different websites like Yubico OTP. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website the user is logging into. FIDO2 / U2F also uses a counter like Yubico OTP to help detect key cloning.
If a website or service supports FIDO2 / U2F for the authentication, it is highly recommended that you use it over any other form of MFA. If a website or service supports FIDO2 / U2F for the authentication, it is highly recommended that you use it over any other form of MFA.