8 votes
Could security key 2FA be implemented on Tildes?
I am wondering if this could be implemented as a 2FA method on Tildes. Although not super mainstream, I think it is the gold standard for account security. Is there anyone else interested in this option?
You can use the YubiKey Authenticator app to store TOTP codes on your YubiKey.
Yes, this is true, and it is what I am currently doing, but just being able to use the key as U2F would be so much more convenient.
Check out https://tildes.net/settings/two_factor -- or are you talking about something physical?
Specifically, I think they're looking for U2F/FIDO2 (e.g. YubiKey) rather than TOTP.
I'm in favour of seeing more support for hardware security keys in general, because the more widely they're supported the more momentum there will be to use them. Implementation isn't too onerous, in my experience, but whether it's a priority for Tildes is a separate question.
Yeah, that's what I figured, but just in case.
I've thought about getting something like a Yubi. I think today is the day to get into it. :)
Edit: I'll have it this afternoon! :)
Nice! They're cool devices, and in my experience a lot more seamless to use than digging out my phone and typing in a TOTP code.
I also like them for work because they're a lot less susceptible to social engineering. However hard you try to train people against it, there's always the risk of someone giving a TOTP code out to an attacker with a good spiel on the phone; keeping the code out of the human's hand neatly closes that hole.
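On why the code never passes through the user's hands: the block below is an added example in Go, not code from this thread or from Tildes, showing what a relying party actually checks when it verifies a WebAuthn/U2F-style assertion. The rpId `tildes.net`, the origins, the `authenticatorSign` stand-in for the browser plus key, and the single-credential `Credential` record are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is built by the browser; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response; Credential is what the server stored at registration.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpId) || flags || 32-bit big-endian signature counter
	Sig            []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientDataJSON)), DER
}
type Credential struct{ Pub *ecdsa.PublicKey; Counter uint32 }

func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// authenticatorSign stands in for browser plus key (hypothetical helper for this example);
// rpId and origin are supplied by the browser, never by the page or the user.
func authenticatorSign(priv *ecdsa.PrivateKey, rpId, origin string, challenge []byte, counter uint32) (Assertion, error) {
	chal := base64.RawURLEncoding.EncodeToString(challenge)
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: chal, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpId))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	authData := append(append(append([]byte{}, rpHash[:]...), 0x01), ctr[:]...) // 0x01: user-presence flag
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Sig: sig}, err
}

// VerifyAssertion is the relying-party side; none of it depends on anything the
// user could be talked into reading out over the phone.
func VerifyAssertion(cred *Credential, rpId, expectedOrigin string, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: replayed or stale assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: signed on another site", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpId))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch or truncated authenticator data")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return errors.New("signature does not verify against the registered key")
	}
	if ctr := binary.BigEndian.Uint32(a.AuthData[33:37]); ctr > cred.Counter {
		cred.Counter = ctr
		return nil
	}
	return errors.New("signature counter did not advance: possible cloned authenticator")
}

// RunScenarios registers one key for tildes.net, then plays out a genuine login,
// a real-time phishing relay and a replay, returning each outcome.
func RunScenarios() (genuine, phished, replayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &Credential{Pub: &priv.PublicKey}
	const rpId, origin = "tildes.net", "https://tildes.net"
	fresh := func() []byte { c := make([]byte, 32); rand.Read(c); return c }

	c1 := fresh()
	a1, _ := authenticatorSign(priv, rpId, origin, c1, 1)
	genuine = VerifyAssertion(cred, rpId, origin, c1, a1)

	// Phishing relay: the attacker forwards the site's real challenge and the victim touches the
	// key, but the browser records the lookalike origin, so the signed data gives the game away.
	c2 := fresh()
	a2, _ := authenticatorSign(priv, rpId, "https://tildes-login.example", c2, 2)
	phished = VerifyAssertion(cred, rpId, origin, c2, a2)

	// Replay: the captured genuine assertion is resubmitted against a new challenge.
	replayed = VerifyAssertion(cred, rpId, origin, fresh(), a1)
	return
}

func main() {
	g, p, r := RunScenarios()
	fmt.Println("genuine:", g, "\nphished:", p, "\nreplayed:", r)
}
```

The phishing case is the one this post is about: the victim did everything the attacker asked, the signature is mathematically valid, and the login still fails because the origin baked into the signed data is not the real site. A real browser would additionally refuse to use the `tildes.net` rpId from a different origin; the example passes the real rpId through on purpose to show that the origin check alone is enough.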
I'm surprised they haven't caught on more — especially in tech circles. I'm stoked. I'm perpetually in a state of locking things down, too, so this will be a natural step.
I went with a YubiKey 5 — just the normal one. It'll also be nice to feed my newfound NFC addiction.
I've got 3 of them, and I think they are really great.
Mine was supposed to be in today, but it'll be in tomorrow. I'm stoked. It looks like there's a lot of support for it, too.
Are there any major pain points / down sides with it?
Well, it's a little less convenient having a separate piece of hardware. For example, I'll be in bed on my phone, wanting to log in to something, and my key is in my wallet. For me, that inconvenience is worth the added security.
I got one of the nano YubiKeys that I keep in a USB port on my laptop full time, and that has been great. Then I have a 3rd one in safe keeping in case I lose both of my primary ones.
After a day of using this thing, it's pretty handy. Thanks for bringing this up!
Eh. I have one that I got for signing up for a subscription somewhere and have never come across a site that uses them, as far as I can tell (including the site I got it from!). It’s sitting in a drawer unused somewhere. (That’s not to say I don’t think they’re a good idea. I’d love more sites to accept them!)
Google, GitHub, and AWS are the most common (and highest value!) that spring to mind, although the latter doesn't let you add a backup key, which is frustrating.
Yeah, that explains it. I don’t use any of those (well, I use GitHub, but our GitHub instance is on-prem and we’re required to use our internal authentication for that).
I personally favor TOTP simply because it's widely adopted and easily portable between auth providers.
I have a nasty habit of losing tiny physical things, and would hate to see TOTP go by the wayside because nobody wants to bother implementing multiple two-factor systems.
Also fair - I'd definitely like to see it as an "and", rather than an "or", even if it does happen to be my own preferred option.
Yes, I don't recommend two-factor auth unless you have backups. A phone can break and so can a YubiKey.
A good implementation will support and strongly encourage enabling multiple methods at once, allowing you to choose any enabled method to log in. One of them can be printing out a sheet of one-time codes that you can keep in a safe.
It seems a bit much for every online forum to do this, though? Recovery by email verification is often good enough, if your email account is protected by two-factor auth.
Yeah, I see it kind of like the move to https as the default - even if random forums don't need that level of security, it's helpful to move the internet ecosystem as a whole in a positive direction. Just seeing multiple options leads people to be more familiar with them, which in turn leads to better support on the sites that you really do need locked down.
I'd use a YubiKey for convenience on Tildes and be fine with an email reset, but an admin-level cloud account at work might have a second USB key in a safe deposit box and no override at all.
TOTP is shockingly easy to implement, so I'd be surprised if it was made obsolete even in the face of hardware keys.
I agree, but the problem I have is the fact that if you utilize a phone app, then you are storing your password and second factor on the same device. A YubiKey is a separate device, so if your phone becomes compromised, then your second factor is safe.
I don't mind this, simply because the problem falls under the category of "user empowerment." With power comes responsibility, so users must become informed and learn the pros and cons of their authentication provider.
The fact that so many find that to be a problem is part of the problem. We're in an age when everyone wants to use things, but not learn to repair or maintain them. It applies equally well to computers, cars, and major appliances.