Author Topic: Multi-Factor Authentication - Authy vs. Yubikey

nirodha

Multi-Factor Authentication - Authy vs. Yubikey
« on: February 10, 2021, 04:09:07 PM »
I'm a little nervous about SIM swapping attacks, and so I want to upgrade my multi-factor authentication. I am considering a software option (Authy) or a hardware option (Yubikey).

Authy is free and a little more consumer friendly regarding backups.

Yubikey is arguably more secure, but introduces the hassle of physical hardware. It probably means buying 2 or 3 keys per person, at about $50 a key.


Do others have practical experience here? I am leaning towards the software solution. I like free. I've had both for various work needs. The hardware token can be a hassle. But, the point is security.

maisymouser

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #1 on: February 11, 2021, 08:11:31 AM »
I have zero experience in this domain but also consider (cyber)security to be super important, especially since multi-factor identification is bound to be less secure in the future. PTF.

Tinker

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #2 on: February 11, 2021, 10:47:07 AM »
First of all, any multi factor thing you use should be kept on a separate device.

$50 sounds pretty outrageous for a glorified TOTP replacement

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #3 on: February 11, 2021, 02:28:06 PM »
@Tinker - do you have a recommendation? My experience is only as a MFA user. This article scared me:

https://arstechnica.com/information-technology/2021/02/authorities-bust-sim-swap-ring-they-say-took-millions-from-the-rich-and-famous/

I like that the Yubikey supports a variety of protocols. Going that route, I'd minimally be looking at four. One to carry, one for the safe. Another pair for my wife. It looks like account recovery from a lost token is feasible, but must be done per vendor. A third off site hardware token is tempting. I've also seen hardware tokens described as the Betamax of MFA, however. I know my prior employer was moving away from them.

Authy looks to me like a step up from SMS. I am leaning towards trying it out, seeing how I feel about the overall security, after I have some experience. I'd probably duplicate the device and use their password protected cloud backup service. My goal isn't necessarily impenetrable security, just to be less appealing than my neighbor. This might be easier to convince my wife to adopt, as well.

I guess that's another consideration. Does this lock our accounts down too hard, in the event of death? We've got instructions for the password manager in our estate plans. The hardware token might be easier to understand there. Our current executor is digitally savvy.

NorthernMonkey

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #4 on: February 11, 2021, 02:43:52 PM »
Have you looked at Google Authenticator?

You can back it up by printing out the square barcode used to set it up the first time, and keep it in the safe.

crimp

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #5 on: February 11, 2021, 03:04:46 PM »
If you go the token route, check out this company: https://solokeys.com/collections/all

They're about to put out a new version of their product. It's an open source competitor to Yubico with a lower price point. If you were thinking of buying a fistful for more than one person, you might be interested in their kickstarter offering: https://www.kickstarter.com/projects/conorpatrick/solo-v2-safety-net-against-phishing


nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #6 on: February 11, 2021, 03:27:26 PM »
@NorthernMonkey this article guided me away from Google Authenticator, due to backup/restore limitations:

https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/

@crimp interesting kickstarter, thanks for the link

MilesTeg

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #7 on: February 11, 2021, 05:53:05 PM »
> I'm a little nervous about SIM swapping attacks, and so I want to upgrade my multi-factor authentication. I am considering a software option (Authy) or a hardware option (Yubikey).
>
> Authy is free and a little more consumer friendly regarding backups.
>
> Yubikey is arguably more secure, but introduces the hassle of physical hardware. It probably means buying 2 or 3 keys per person, at about $50 a key.
>
> Do others have practical experience here? I am leaning towards the software solution. I like free. I've had both for various work needs. The hardware token can be a hassle. But, the point is security.

IMO Authy (or any other software based approach) is still "wish it were 2 factor". Way better than SMS, but still not as reliable as having to have a hardware token that can be physically secured. That said, unless you have an extremely high risk profile (known public figure, banking, etc.) then the convenience of Authy is a reasonable compromise and makes you well above the average low hanging fruit folks with just passwords or SMS based placebos.

Metta

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #8 on: February 11, 2021, 06:19:04 PM »
I’ve used Yubikey with LastPass for about six years now and I like it. I’m not sure why you would need more than one per person. I have both my personal LastPass and my mother’s keyed through my Yubikey and it all works fine. We make do with three, one to carry for each of us and one for the safe deposit box.

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #9 on: February 11, 2021, 07:14:15 PM »
@Metta - I was thinking from a corporate mindset, where each person has to have a unique token. I suppose that's not true in the personal use case. Good point.

@MilesTeg - I appreciate the input. I'm not public. My risk profile is pretty low. There's probably a good argument that today, SMS is secure enough for me. I'm concerned about security being a moving target though.

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #10 on: February 11, 2021, 07:47:55 PM »
I see LastPass Premium is required to use a hardware token. That's another $48/yr for the family plan.

AccidentialMustache

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #11 on: February 11, 2021, 10:31:56 PM »
You don't have to have 2 keys. Just make sure you are religious about printing out your recovery codes and putting them somewhere safe. If you lose the key you can use the codes... to take the key off the account, at least until you get a new one or find it again.

I have and use a Yubikey. It is nice to not have to type digits in a limited time frame.

katsiki

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #12 on: February 12, 2021, 08:29:52 AM »
Great topic.

Is there a good tutorial someone can link us to regarding how this can be used with common platforms? i.e. major banks, websites/apps, etc.

I use a password library app and SMS when available. I am familiar with MFA in a work environment. Unfamiliar with how it can be used / how well-supported it is in the consumer world.

thanks for any info!!

crimp

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #13 on: February 12, 2021, 11:03:44 AM »
> Is there a good tutorial someone can link us to regarding how this can be used with common platforms? i.e. major banks, websites/apps, etc.

This may be out of date in some cases, but overall the process is pretty similar on most websites that support security keys (and 2FA in general).

https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #14 on: February 12, 2021, 08:11:24 PM »
I am finding this is not an either/or situation. Examples:

- Vanguard supports Yubikey but no software token. They do not allow disabling the SMS messages. Still, using a token reduces vulnerability to phishing attacks. Some on bogleheads propose a workaround using Google Voice, to lock down the SMS: https://www.bogleheads.org/forum/viewtopic.php?f=10&t=264768

- Nintendo supports only Google Authenticator (Authy uses the same protocol). No hardware tokens.

- Amazon seems to support only software tokens or SMS. But AWS seems to support Yubikey.

The serious targets, like Google accounts and password managers, seem to support both.


Talking with my wife - typing in a time based code is very unappealing to her. That leans me towards 3 hardware tokens - one for each of us and one for the safe. I'd never stay on top of printing out the recovery codes. I'd have to buy a printer, for starters.
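The remark above that a token "reduces vulnerability to phishing attacks" is the real security difference between the two options in this thread, so it is worth seeing why. What follows is an added example, not code from this thread or from Yubico: a reduced Go model of a FIDO2/WebAuthn login that keeps only the two properties that defeat a relayed phish. The authenticator derives a separate key for each relying-party ID, and it signs the RP ID hash together with the browser's own record of the origin the page was loaded from. A six-digit TOTP code relayed from a look-alike site is indistinguishable from one typed on the real site, because nothing ties it to where it was entered; a security-key assertion relayed the same way fails. The hostnames vanguard.example and vanguard-login.example, the random master secret and the message layout are all made up for the demo; real WebAuthn adds attestation, signature counters and CBOR encoding that this model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Added example, not the thread's or any vendor's code: a reduced model of a
// FIDO2/WebAuthn login keeping only what defeats a relayed phish. Hostnames are made up.

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand.Read never fails

// Authenticator is the security key: one master secret, one Ed25519 key per RP ID,
// derived deterministically (simplified from how U2F key handles work).
type Authenticator struct{ master []byte }

func (a *Authenticator) keyFor(rpID string) ed25519.PrivateKey {
	h := hmac.New(sha256.New, a.master)
	h.Write([]byte(rpID))
	return ed25519.NewKeyFromSeed(h.Sum(nil))
}

// Assert signs SHA-256(rpID) || flags || clientDataHash. The rpID is supplied by
// the browser, never by the web page.
func (a *Authenticator) Assert(rpID string, clientDataHash []byte) (authData, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // flags: user present
	sig = ed25519.Sign(a.keyFor(rpID), append(append([]byte{}, authData...), clientDataHash...))
	return authData, sig
}

type clientData struct{ Type, Challenge, Origin string }

// BrowserAssert is the user agent: the RP ID comes from the origin the page was
// actually loaded from, so a look-alike domain gets a different key and rpIdHash.
func BrowserAssert(auth *Authenticator, origin string, challenge []byte) (authData, cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	cdHash := sha256.Sum256(cdJSON)
	authData, sig = auth.Assert(strings.TrimPrefix(origin, "https://"), cdHash[:])
	return authData, cdJSON, sig
}

// RelyingParty is the real site's state for one account.
type RelyingParty struct {
	ID        string
	PublicKey ed25519.PublicKey
	challenge []byte
}

// Verify is the server side: signature first, then rpIdHash, origin and challenge.
func (rp *RelyingParty) Verify(authData, cdJSON, sig []byte) error {
	cdHash := sha256.Sum256(cdJSON)
	if !ed25519.Verify(rp.PublicKey, append(append([]byte{}, authData...), cdHash[:]...), sig) {
		return fmt.Errorf("bad signature: wrong per-RP key or altered clientData")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	switch {
	case len(authData) < 32 || string(authData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case cd.Type != "webauthn.get" || cd.Origin != "https://"+rp.ID:
		return fmt.Errorf("origin %q is not this RP", cd.Origin)
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(rp.challenge):
		return fmt.Errorf("challenge mismatch")
	}
	return nil
}

// LoginFromOrigin registers the key with the real RP, then answers the RP's challenge from a
// browser on origin. A phisher relays the real challenge and forwards the result; with
// rewriteOrigin it also edits clientData to claim the real origin before forwarding.
func LoginFromOrigin(origin string, rewriteOrigin bool) error {
	auth := &Authenticator{master: randBytes(32)}
	rp := &RelyingParty{ID: "vanguard.example", challenge: randBytes(32)}
	rp.PublicKey = auth.keyFor(rp.ID).Public().(ed25519.PublicKey) // registration
	authData, cdJSON, sig := BrowserAssert(auth, origin, rp.challenge)
	if rewriteOrigin {
		var cd clientData
		json.Unmarshal(cdJSON, &cd)
		cd.Origin = "https://" + rp.ID
		cdJSON, _ = json.Marshal(cd)
	}
	return rp.Verify(authData, cdJSON, sig)
}

func main() {
	fmt.Println("real site:       ", LoginFromOrigin("https://vanguard.example", false))
	fmt.Println("look-alike relay:", LoginFromOrigin("https://vanguard-login.example", false))
	fmt.Println("relay + rewrite: ", LoginFromOrigin("https://vanguard-login.example", true))
}
```

The look-alike relay fails at the signature check because the key used belongs to vanguard-login.example, not vanguard.example; rewriting the origin field in clientData changes its hash and so also breaks the signature. None of that depends on the user noticing the wrong URL, which is the property an SMS code or a TOTP code cannot offer.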

crimp

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #15 on: February 13, 2021, 07:57:15 AM »
> I'd never stay on top of printing out the recovery codes. I'd have to buy a printer, for starters.

You can just write them down on a piece of paper -- it's typically less than 40 characters. I do this and just keep the paper in a small safe.

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #16 on: February 13, 2021, 09:30:09 AM »
Guess I get a face punch :) I ordered 3 of the Yubikey 5C NFC tokens. With tax and a cover for my wife's token, it was $170. There's a $10 off $100 coupon floating around. Looking around, 20% off seems like the "good" Black Friday pricing.

Another $10 for a pair of USB C to A adapters.

I may still write down codes and put the third token off site. Having these integrated into daily life, being prepared for immediate replacement seems worthwhile. I decided I am willing to pay $50/yr for LastPass Premium. Security seems like the wrong place to prioritize price. In total - $180 up front, plus $50/yr, feels reasonable.


I found Fidelity does not support a hardware token, but rather software tokens with a Symantec VIP app. They are wrapping the same protocol used by Authy/Google Authenticator, but adding a layer. You can avoid installing the extra app, but need to be clever about it:

https://locima.com/2019/06/01/replacing-symantec-vip-with-a-generic-totp-app/

I don't want to remember how to be clever. I can see doing secure MFA completely will result in multiple apps plus a hardware token. I will be forced to write down codes for the apps anyways. There is not a one size fits all solution. I don't know that I'll be all in, but on accounts like email, brokerage, password manager - it seems prudent.


Admittedly, I'm kind of a nerd. Understanding MFA is interesting. If I were looking for work, it's something I could talk about in an interview. The cost/benefit trade off for me isn't purely financial.
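The printed QR code suggested earlier in the thread, the note that Authy uses the same protocol as Google Authenticator, and the Symantec VIP write-up linked above all rest on one fact: the QR code is an otpauth:// URI carrying a shared secret, and an RFC 6238 TOTP code is a pure function of that secret and the clock. The Go program below is an added example, not code from this thread or from any of the vendors mentioned, that parses such a URI and computes the code. The secret in the sample URI is the RFC 6238 test key, and the issuer and account names are placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Added example, not from the thread. The QR code an authenticator app scans is
// just this otpauth:// URI; the base32 secret inside it is the only state the
// app holds, so a printed copy is a complete backup and any RFC 6238 app
// produces identical codes from it. The secret below is the RFC 6238 test key
// ("12345678901234567890"); issuer and account are placeholders.
const sampleURI = "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"

// ParseOtpauth pulls the account label and raw key out of an otpauth://totp URI.
func ParseOtpauth(uri string) (account string, key []byte, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", nil, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return "", nil, fmt.Errorf("not a TOTP otpauth URI: %s", uri)
	}
	secret := strings.ToUpper(strings.TrimRight(u.Query().Get("secret"), "="))
	key, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
	if err != nil {
		return "", nil, fmt.Errorf("bad base32 secret: %w", err)
	}
	return strings.TrimPrefix(u.Path, "/"), key, nil
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation
// to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with counter = floor(unixSeconds / period).
func TOTP(key []byte, unixSeconds int64, period int64, digits int) string {
	return HOTP(key, uint64(unixSeconds/period), digits)
}

// CodeAt is the whole pipeline a second device would run from the printed QR code.
func CodeAt(uri string, unixSeconds int64) (string, error) {
	_, key, err := ParseOtpauth(uri)
	if err != nil {
		return "", err
	}
	return TOTP(key, unixSeconds, 30, 6), nil
}

func main() {
	account, _, _ := ParseOtpauth(sampleURI)
	code, _ := CodeAt(sampleURI, time.Now().Unix())
	fmt.Printf("%s: %s\n", account, code)
}
```

Any second device given the same URI prints the same six digits, which is exactly why a printed copy of the QR code (or just the secret string) is a complete backup, and also why that printout needs the same protection as the password it is meant to back up. The Symantec VIP wrapper discussed above ends in the same HMAC-SHA1 computation; the extra app only hides the secret from the user.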

Metta

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #17 on: February 13, 2021, 09:44:58 AM »
Glad you found a solution! I've found LastPass and Yubikey to be worth the money for the peace of mind and because it prompts me to change passwords or lets me know when passwords are not secure enough. I am more security-minded in this realm than my husband is. Having LastPass gives me reports on the passwords that are duplicative or not very strong and I can give that list to my husband so that it isn't me haranguing him about password security, it's a neutral application.

I set it up after I'd had some accounts compromised. I talked to some friends who work in Information Security and this was the setup that they recommended to me. I haven't had any problems since installing it.

nirodha

Re: Multi-Factor Authentication - Authy vs. Yubikey
« Reply #18 on: February 13, 2021, 11:47:29 AM »
Other than having a couple credit cards stolen, I've had ok luck with keeping my accounts secure. I try to stay on top of my security practices and monitor activity. My wife will do the same, but I need to make it easy for her.

I read articles like this one, it's hard not to feel a little paranoid:

https://arstechnica.com/information-technology/2021/02/former-phone-carrier-employee-accused-of-accepting-bribes-in-sim-swap-scam/

The guy was supporting SIM swap attacks for a couple grand. Just some random kid at a phone store. That's too easy.
