Git-Mirrors/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2024-07-11 13:51:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
6673523a71
privacyguides.org/docs/multi-factor-authentication.md
Tommy 6673523a71
MFA page update, split recommendations (#862) 
Signed-off-by: Daniel Gray <dng@disroot.org>
2022-04-10 23:44:00 +09:30

11 KiB
Raw Blame History

title icon
Multi-Factor Authenticator Recommendations material/two-factor-authentication

Hardware Security Keys

YubiKey

!!! recommendation

![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png)

The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH/) authentication.

One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice.

[Visit yubico.com](https://www.yubico.com){ .md-button .md-button--primary } [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice){ .md-button }

The comparison table shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.

YubiKeys can be programmed using the YubiKey Manager or YubiKey Personalization Tools. For managing TOTP codes, you can use the Yubico Authenticator. All of Yubico's clients are open source.

For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.

!!! attention The firmware of YubiKeys are not open source and are not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.

Nitrokey / Librem Key

!!! recommendation

![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }

**Nitrokey** has a security key capable of [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.

[Visit nitrokey.com](https://www.nitrokey.com){ .md-button .md-button--primary } [Privacy Policy](https://www.nitrokey.com/data-privacy-policy){ .md-button }

The comparison table shows the features and how the Nitrokey models compare. The Nitrokey 3 listed will have a combined feature set.

Nitrokey models can be configured using the Nitrokey app.

For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.

The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the Coreboot + Heads firmware. Purism's Librem Key is a rebranded NitroKey Pro 2 with similar firmware and can also be used for the same purposes.

The Nitrokey has an open source firmware, unlike the YubiKey. The firmware on modern NitroKey models (except the NitroKey Pro 2) is updatable.

!!! warning

While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks.

!!! attention

Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).

!!! tip

The Nitrokey app, while compatible with Librem Keys, requires `libnitrokey` version 3.6 or above to recognize them. Currently, the package is outdated on Windows, macOS, and most Linux distributions' repository, so you will likely have to compile the Nitrokey app yourself to get it working with the Librem Key. On Linux, you can obtain an up-to-date version from [Flathub](https://flathub.org/apps/details/com.nitrokey.nitrokey-app).

Authenticator Apps

Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called Time-based One-time Passwords, or TOTP. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret, or otherwise be able to predict what any future codes might be.

We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and IOS have better security and app isolation than most desktop operating systems.

Aegis Authenticator

!!! recommendation

![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ align=right }

**Aegis Authenticator** is a free, secure and open source app to manage your 2-step verification tokens for your online services.

[Visit getaegis.app](https://getaegis.app){ .md-button .md-button--primary } [Privacy Policy](https://getaegis.app/aegis/privacy.html){ .md-button }

**Downloads:**
- [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis)
- [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis)
- [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis)

Raivo OTP

!!! recommendation

![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ align=right }

**Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app.

[Visit github.com](https://github.com/raivo-otp/ios-application){ .md-button .md-button--primary } [Privacy Policy](https://github.com/raivo-otp/ios-application/blob/master/PRIVACY.md){ .md-button }

**Downloads:**
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
- [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
- [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application)

More places to setup MFA

Windows

Yubico has a dedicated Credential Provider that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the Yubico Login for Windows Configuration Guide, which will allow you to set up MFA on your Windows computer.

macOS

macOS has native support for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.

Yubico have a guide Using Your YubiKey as a Smart Card in macOS which can help you set up your YubiKey on macOS.

After your smartcard/security key is set up, we recommend running this command in the Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

The command will prevent an adversary from bypassing MFA when the computer boots.

Linux

!!! warning If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide.

The pam_u2f module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide Ubuntu Linux Login Guide - U2F which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does not apply to Qubes OS.

Qubes OS

Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' YubiKey documentation if you want to set up MFA on Qubes OS.

SSH

Hardware security keys

SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's documentation on how to set this up.

Time-based One-time Password (TOTP)

SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04. Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ.

KeePass (and KeePassXC)

KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass Using Your YubiKey with KeePass and there is also one on the KeePassXC website.