You may already be using multi-factor authentication to log in to some devices or services. Your bank may send you a text message with a security code when you attempt to log in to its website. I use a smartphone app that gives me a code to use when logging into Google, LastPass, or a handful of other services.

But there are also a handful of companies that offer hardware that you can use for multi-factor authentication. If your security key isn’t plugged into the USB port on your laptop or paired wirelessly with your phone, you cannot log in — even if you have the correct password.

This summer Google started selling security keys. Last week Linux computer maker Purism announced it would offer its own. But today one of the first companies in the space announced it’s already launching its 5th-gen security key.

The new YubiKey 5 Series adds support for NFC and the new FIDO2 protocol which, among other things, supports password-free logins thanks to support for single-factor logins as well as 2-factor options including a keyboard or PIN. YubiKey 5 Series devices are available now for $45 and up.

Here’s a roundup of tech news from around the web.


10 replies on “Lilbits 338: Multi-factor security”

  1. I went over to check out the Yubico website. They are all over about passwords are old, passwords are out. Is it just me, but I enjoy my password manager and having a different login to every site or service I use. I’m much more comfortable with this than having to carry yet another dongle with specific ports and no others, and vital information that can break and I can lose easily. It’s just not my style. You are more reasonable people here on Liliputing. Am I missing something?

    On slightly related news: https://bgr.com/2018/07/10/apple-1password-acquisition-deal/

    1. What you’re missing is security. Your password manager could be hacked. The sites you’re using could be hacked. There are also brute force attacks.

      Losing the device isn’t a concern, except that the need for a backup device effectively doubles your cost and setup time.

      1. > Your password manager could be hacked.
        As much as a Yubikey, or am I missing something? Nonetheless, I know of no fatal flaw in KeePass, Pass, 1Password, or Password Safe that came to light in the last couple of years or decade which would make me worry.

        > The sites you’re using could be hacked.
        This is exactly the risk I’m willing to take here, as sites get hacked often anyway. But my credentials elsewhere still remain safe.

        > There are also brute force attacks.
        There are. But against…? You didn’t finish this thought.

        > Losing the device isn’t a concern, except that the need for a backup device effectively doubles
        > your cost and setup time.
        OK. As a location independent person, where exactly should I keep my backup gadget? You see my point? Different solutions for different folks/scenarios. Anyways, security always boils down to either ‘something you know’ or ‘something you have.’ And I’ve always favored the ‘something you know’ approach and have always been wary of the ‘something you have’ approach.

        The bottom line is I’d rather carry a separate, safe device like an iPod touch in a not too distant future, cyberwar-like scenario for the two purposes of being used as my password manager (I don’t even mind manually copying my passwords onto another device – with the Yubikey I can’t even use any and all devices, right?), and listening to audio/podcasts at the same time. Too bad the iPod touch seems to be an end of life product.

        1. I think you miss the point. It’s not about “what you know” *or* “what you have”, but rather *and*. Sites get hacked all the time, and using a password manager helps to contain the issue to just one site since you don’t reuse logins, but MFA prevents the hackers from accessing even an account on a compromised site, or a site which uses a setup where passwords can be brute forced.

          Keeper had a flaw earlier this year that could have leaked all your passwords, which is now fixed, but most common sites have some flaws like hard-coded master keys or other less-than-best-practices that could potentially leak your passwords. Yubikey had a flaw with an earlier version of the device, but I’d trust their current hardware more than a password manager.

          But that’s beside the point as well. You want both, so that if one is compromised, due to your own error or a flaw in the system, it doesn’t expose your personal data. I can guarantee you at least one of those companies will have a breach, but the odds of both your password and device being compromised at the same time are much lower.

          1. “I think you miss the point. It’s not about “what you know” *or* “what you have”, but rather *and*.”

            Most of us have accounts which justify different levels of security. Schneier used to say that security is always a trade-off. For example, you have logged in to comment on Liliputing. Even if Liliputing offered any kind of 2FA, would you care to use it? If I were to use a login here, I certainly wouldn’t. Maybe it’s just me, but about 80% of my accounts are like this.

            “Keeper had a flaw earlier this year that could have leaked all your passwords”

            You are comparing apples to oranges here. Keeper (it’s the first time I’ve heard about them) is an online password manager (if we are talking about the same thing) like LastPass, and the 4 password managers I cited all use local databases. 3 of them are also open source, by the way. Obviously more ‘security researchers’ are interested in testing online password managers than offline ones. By which you may get a point: the fact that fewer researchers are interested in testing offline managers doesn’t mean they can’t have flaws.

            I’m not an enemy, of course, to 2FA where it’s justified. There’s a tried and tested one called TOTP as popularized by Google Authenticator. It’s open source. That is, previous versions of Google Authenticator and current versions of other implementations. A quick search revealed the Yubikey is a closed one. My information may be wrong on that. As I mentioned, I’m location independent, so where in the world should I store my backup Yubikeys? As TOTP is a soft token, its backup key is just a set of characters I can store conveniently wherever and however I please, according to my threat model. Ideally, separate from other things.

  2. I closed my account at USAA bank, because multi factor security prevented me from logging in to their website. Requiring a text message on a cell phone did not work for me. USAA was reluctant to change this security ‘feature’ for my account. Now I bank elsewhere.

    1. Good to see banks are even offering multi-factor authentication, although they really should offer options.

      1. It is unfortunate that most banks still offer only text message MFA, since it’s still not that secure. It’s surprisingly easy to call a cell provider support line to hijack your texts, for example. Better than nothing, though.

  3. I’m waiting for this to be integrated into cellphones. It will be much cheaper than $45, and I will not have to carry a dongle. This dongle is going to look pretty stupid 5 years from now.
