Masthead image courtesy of YubiCo.
How secure is secure enough in this age of phising and breakins? Is a security hierarchy possible as not all accounts support all security methods. And what about the accounts that are still mired in the 1960’s days of shoulder surfing? Read on.
- 2022-03-04: Original
- 2022-03-06: Revision 01 updated to better represent use of YubiKey Manger. FIDO2 and PIV support is usable provided PIV management keys are secured using the PIV PIN. I’ve also set a FIDO2 PIN. I’ve also configured MacOS to support PIV login using My YubiKeys.
- 2022-03-07 Correct several paragraphs where “key” was used with “PIN” was meant. Add key backup paragraph. Add sections about YubiKey Manager and YubiCo Authenticator. Correct inaccuracies regarding use of PIV and FIDO2 not that these have been tried. Add link to CrossTalk Solutions YubiKey video.
- 2022-03-08: Added paragraph about physical security, evacuation with keys in hand, and setting of a key’s FIDO2 PIN to discourage casual mischief with them.
- Cross-Talk Chris YubiKey presentation
Back in the second decade of computing, nicking a bit of computer time was big sport at places like MIT so passwords were invented and with them blind entry of passwords. in the 1970’s, access changed from a job in the card reader to on-line time-sharing access,so energy was applied to the problem of getting around passwords at the teletype, so password complexity and short password lifetimes were invented beginning the computing security arms race we are in today.
Back when, you were just protecting your course allotment of computer time or your project budget, simple passwords were good enough. Today’s graphics hardware can crack most short passwords in less time than it takes to brew a pot of coffee. Today, most of us do most banking, bill paying, and a significant amount of shopping using computer resources protected by passwords. Good passwords matter. You can test your password at https://www.security.org/how-secure-is-my-password/ Security.org is the Consumer Reports of computer security products. They test and evaluate both computer security and physical security products for individual and professional use.
Given the arms race is on, how do you stay safe and from whom are you seeking protection.
- Not the Feds, they obtain a subpoena.
- Not intelligence agencies. Most of us are boring. For those who are interesting, they have super computers and skilled computer burglars.
- Mostly those looking for easy pickings. Why break in to the house with the reactive dog when few have tough dogs?
First, and foremost, use long passwords that can’t be brute forced. Second, use unique passwords everywhere. If it can’t be long, make it random from a tested random string generator.
oZNia^V7 is an 8 character password generated by BitWarden’s password generator. Security.org estimates that a typical gaming computer can brute-force this password in about 8 hours. My MacOS login password would take a bout 10 trillion years to brute force. My password manager passphrase would take about 72 sexdecillion years! Nothing fancy, just long. Just 5 somewhat random words assembled into a silly phrase.
Here at Dismal Manor, we use multi-layer protection. TOTP keys are kept physically secure. TOTP keys plus silly passphrases secure the password managers. Password manager stored unique passwords or passphrases secure each account. Where provided, biometric security is also used. Should somebody get past the MacOS login password, they need either the TOTP keys or the biometric keys (my old face or index finger) to progress further.
Passwords are a sore subject here as many accounts have password requirements that make it difficult to formulate a secure yet usable password. I expect that some organization will establish password requirements whose solution set is the empty set. Anyway, I use one of two methods. For short passwords, I use my password manager’s random password generator. For reasonable requirements, I use my password manager’s passphrase generator and add salt to meet complexity requirements.
With any luck, the end result is a usable password that is also a secure password. I much prefer the passphrase because it can be remembered long enough to be typed correctly. I secure my password managers with longer passphrases that are memorable nonsense.
And, I keep all of my passwords in a password manager. Originally, I used 1Password. I’m evaluating BitWarden for future use as 1Password is acquiring a corporate big-IT orientation.
Current recommendations using numbers, letters, and punctuation to make a 16 character random password are fairly strong. Passwords like Fhf$VoZ@JPb^Pc7c are estimated to take 1 trillion years to crack with a gaming computer. Unfortunately, they can’t be remembered or easily typed. Password manager use is a must with unique passwords like these.
The Apple device ecosystem has a hierarchy of security provisions. Initial authentication always requires something you know, a password or a PIN. After initial authentication, biometric authentication is permitted and apps may use biometric authentication services. MacOS can also be configured to use PIV smart card (think DOD CAC card) authentication. As we will see, this is not for the faint hearted as recovery can be difficult in the absence of professional support.
Device Provided Biometric Sensor
Where possible, I use biometric authentication to secure iPhone, iPad, and MacOS. Biometric authentication authenticates you to the physical device and you establish biometric authentication at device commissioning. Initial sign-on authentication always requires a PIN or a passphrase.
2FA for Devices Without Biometrics
My FreeBSD (TrueNAS Core) servers do not have built in biometric sensors. These I secure with a YubiKey. Four YubiKeys actually, two USB-A and two USB-C keys.
Device Account Passwords
A password or PIN secures iOS, iPadOS, TrueNAS, or MacOS. With MacOS, I use a passphrase. The network management console and some Internet of Things devices are also TOTP secured.
Apple hashes the password with seasoning and saves the hash. Apple doesn’t really care how long or how complex but my pass phrases are typically 4 or 5 words that describe something silly. I expect my silly will differ from other’s silly and I avoid people names, pet names, common roles, etc. Security.org estimates that it would take a regular computer 10 trillion years to brute force this password.
Securing Roon Core
When setting up services on my file servers, I’m careful to run them in a jail or a virtual machine provided by FreeBSD. For example, Roon Core runs as root or as admin user on MacOS or Linux. If a vulnerability in Roon Core were exploited, it would be possible to obtain admin access to the underlying metal.
For protection, I run Roon Core in a FreeBSD Virtual Machine. If Roon is exploited, access to the VM’s Linux instance is gained but not to the larger server and my collection of naughty dog photos or copyrighted CD transfers to Roon.
Securing My Password Manager
I secure my password manager in ways permitted by the environment. The password manager requires entry of its pass phrase to open. The pass phrase is seasoned and hashed to generate the encryption key used to decrypt the account. Without it, the information on the device is AES-256 gibberish.
Where possible, I require biometric authentication of the user or hardware token authentication to open the password manager. Since this is a property of me, I expect that it is reasonably safe since Apple stores the biometric end result in the device’s secure enclave.
Where biometric authentication is not available, I use a YubiKey to secure the password manager. As a result, several diverse barriers protect the password trove.
The YubiKey family of devices is really useful. It can be used to generate TOTP passwords, serve as a FIDO2 authenticator , and serve as a PIV smart card for tasks like Apple code signing, etc where public key certificates are stored and employed. MacOS login can use the PIV capability to store and retrieve ID credentials . YubiCo provides the root certificate for these applications.
YubiKey is physically robust
YubiKey is designed to be hard to kill. Apparently, YubiCo qualified its devices to resist common challenges. YubiKey devices have survived the following common mishaps.
- Immersion in seawater to 48 meters
- They pass unscathed through the alimentary canal of a greyhound 🙂
- They pass unscathed through home laundry equipment.
- You can drive a car over them. They don’t crunch.
Apparently, a YubiKey that went missing was found 10 weeks later in the door seal of a front loading washing machine. That area is wet and exposed to hot water.
YubiCo did not mention whether they’d tossed one into a dryer’s lint basket. My experience has been that the dryer has a higher lethality to electronics than the washer. A Timex IronMan watch survived several washing but not a drying.
YubiKey is designed to be secure. Data goes in via the several management interfaces to be stored in the trusted element inside the key. There is no way to review or revise the data once in the trusted element. From the user side, a YubiKey is write-only storage.
So how do you back up the keys?
- You can register the same data in multiple keys.
- You can enter a site in multiple keys using unique data for each key
- You can configure TOTP authentication in your password manager
- You can record the alternate authentication tokens produced by the site’s authentication management interface.
YubiKey Physical Security
Some attention must be given to YubiKey physical security. It is a good idea to treat them like your car or house keys. I keep my keys on lanyards with Apple Tags to assist in locating them when I hide them under something. I recommend keeping your backup key with your evacuation documents rather than in a safe as loss of both sets of keys could result in loss to important computing services and documents stored in your password manager.
A YubiKey can have up to three PINs – one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP. The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory. If you are being prompted for a PIN (including setting one up), and you’re not sure which PIN it is, most likely it is your YubiKey’s FIDO2 PIN.Understanding YubiKey PINs
I recommend setting a FIDO2 PIN on all keys as this appears to be sufficient to prevent casual mischief with the keys.
In the quote above YubiCo confesses that they have been somewhat casual about identifying which of the 3 pins is wanted in forms and prompts. Blind entry of initial PIN values and ambiguous prompting for PINs are my primary gripes regarding the products. Otherwise, YubiCo has done an excellent job.
YubiKeys at Dismal Manager
We have 4 YubiKey 5, two USB-A with Firmware 5.2 and 2 USB-C with Firmware 5.4. Always put your keys in multiple devices because one will go missing. Also, you need to follow device interface technology. USB-A ports are being phased out in preference to USB-C and Thunderbolt-4 which support the ancestor protocols, Display Port, and HDMI.
Dismal Manor Gang suggests keeping one set on a lanyard handy at your desk. Keep the second set with your important documents that you would take with you were you to evacuate home. Loosing both sets would be problematic for most of us.
Where possible, we also configure our password manager to keep TOTP secrets and compute TOTP for all of our TOTP logins. We use the YubiKey to secure the password manager account.
FIDO2 and TOTP One Time Password Function
Both work well for one time pass-wording. They store the credential correctly and the algorithm works correctly.
We normally keep our TOTP in BitWarden. Some we also want to keep in the YubiKeys. How these are set up varies. Most were entered directly into BitWarden. Some like Google TOTP and FIDO2 are entered at the Google account management website.
YubiKey Manager is used primarily to manage your YubiKeys. It is the tool you use to set up the several PINS, the PUK, and the Management Key. It can also factory reset keys. Once data is entered in a key, it is accessible only through the authentication protocols. There is no way to retrieve it, back it up, or do other mundane chores. This is a deliberate choice to prevent compromise that forces a bit of care when working with Manager and Keys.
Dismal Manor Gang strongly suggests that you identify YubiKeys by their serial number. Although not externally visible, both Key Manager and Authenticator will show you the serial number of the currently connected key.
YubiKey Manager has some rough spots but is usable provided that you configure the the PIV Management Key to be protected by the PIV PIN. Configuring PIN protection removes the need to record and manually transfer the Management Key. This is a 64 character AES-256 hash so is difficult to work with. As noted above, copy and paste is not fully supported in the window manager but keyboard shortcuts work at the moment.
Any self-signed certificates generated by Key Manager may be exported. There is also a certificate import mechanism.
For each key, record each PIN before setting it as there is no way to recover a PIN once set. PINS may be reset but that usually destroys any data associated with those PIN values.
- FIDO2 configuration requires you to set a PIN in the blind. Entry of the current PIN and the new PIN both use password text boxes so entry is blind. Apparently, you can enter them directly in the key and you’re done.
- But you have to remember for which sites the key was used. Should you ever need to change the PIN, or loose the key, those sites will require attention. We recommend using the password manager’s tagging capability for this purpose.
- Backing up a PIN requires you to record it and enter it in the backup devices, currently difficult. Write them down first and then transfer to the devices.
- YubiCo advises the following. Basically test the configuration data before putting it in your keys. Verify that an alternate login capability is available.
For any accounts that would be affected, you should log in, unregister the key you plan to reset, and then make sure you can log back in and modify the account’s two-factor authentication settings without your YubiKey. This will ensure that you’ll be able to log in and get the key re-registered after performing the reset.Reference 
- Sadly, at this time, there is no good means of tracking which key was used where. The key has a serial number that YubiKey Manager displays but the serial number does not appear on the key in plain text. We identify the keys by serial number but describe them by the skin they wear (an idea from CrossTalk Chris) or by the skin on the Apple Air Tag with them.
- The PIV application has the same issue. Two PINS are created in the blind, the PIV PIN and the PIV PIN Unlock Key (PUK).
- The PIV application lets you create a management key. This is a 64 digit hex hash that the application generates. To replace the management key, you have to enter the current management key. But the full key is not displayed because the field is too small. The key can be copied and pasted using MacOS keyboard shortcuts but not the menu. Enabling the PIV PIN to be a UI/UX proxy for the management key resolves this issue. Once so enabled, the PIN is sufficient.
- Setting up backup keys requires transfer of the PIV PIN, PUK, and Management Key to each backup device. As the program is currently implemented, this appears difficult. FIDO2 and PIV may be created anew for the backup key. Most sites can track 5 or so keys.
MacOS Smart Card Login
MacOS supports Smart Card login. Reference  gives the YubiKey configuration procedures to configure a Key to use with MacOS. The Key Manager has the configuration protocols built in. Once run, MacOS will ask if you wish to use the key for login using a pop-up notification from KeyChain. Follow the instructions presented to pair the key with the logged in user.
- To set up the PIV application for MacOS authentication requires entry of the PIV management key. Per  configure the key to use the PIV PIN as a proxy.
- The Key Manager allows you to generate smart card certificates. Key Manager allows file import and export of certificates. This seems a good way to produce self-signed certificates as needed.
As of Monterey, MacOS supports YubiKey login as described in . You may log in using normal Monterey authentication or your YubiKey. If YubiKey goes missing, normal login remains available.
YubiCo Authenticator App is the application used day to day with your YubiKeys. It provides the following functions.
- It tells you which key you have inserted.
- It lets you review the FIDO2 configuration of the key
- It lets you turn on and off support for application protocols TOTP, CCID (smart cards), and FIDO Web Authen.
- It lets you adjust app appearance settings
- It lets you pair an external card reader with the app.
- And it lets you generate TOTP as needed to log in to sites.
- And it lets you enter new TOTP sites.
YubiKey Applications Here at Dismal Manor
I’ve set up YubiKeys to support the following applications here at Dismal Manor
- MacOS login using PIV method. With key inserted you can log in by entering the PIV PIN rather than your MacOS passphrase. Reference  gives the setup procedure
- BitWarden FIDO2 and TOTP methods are configured.
- TrueNAS TOTP is configured.
- Google TOTP is configured.
- iCloud TOTP is configured but uses Apple iPhone/iPad as TOTP delivery device.
BitWarden  is able to tell you which login items offer 2FA but it is unused (not provisioned in the login item).
1Password’s WatchTower application is able to tell you which login items offer 2FA. It’s up to you to inspect the items to determine if you are using it.