multi factor authentication

balazsszolnoki3197 · 2017-01-25T21:08:26.000Z

This is my first post so please… Rip it apart if you want.

Yubikey. If you don’t know what it is or haven’t heard of it yet then now is a good time to check it out on yubi.co

Yubikey is a small device that supports multiple authentication protocols and in my personal opinion is the best way forward if you are tasked to implement multi factor authentication.

Picture the following scenario: you are a sysadmin and it is your job to protect the business, so you have state of the art firewall’s, top notch antivirus solution, VPNs and encrypted remote connection for endpoints… You looking after a number of Servers running in a virtual environment where you have a fair few version of windows servers as well as Linux, perhaps some Mac OSX servers, etc. There are some cloud accounts for business like salesforce, perhaps you have in house devs using Github… So your infrastructure spans right over the boundaries of your network and way deep into the cloud. Boundaries are blurred.

There isn’t a one for all solution ever, that fits all and is all perfect, this is one of the reasons you have ended up with mixed platforms in your environment (Windows, Linux, Android, iOS, Mac OS, BSD, etc…) didn’t you?

So back to the ‘task’: a ‘simple project’ your boss might says, who just heard the ‘2 form authentication’ expression and makes it an absolute must have, which by the way for this one time is a good decision. So you start looking at various vendors like RSA, Duo, etc… There are many out there and I am sure they do a good job, at a cost. A cost that you have no budget for so you need to be a bit more creative here. And you come across this thing called yubikey. Relatively cheap, one of cost for the hardware token plus your time and resources that you already have. And boy I like it! I haven’t got much of an experience to compare it with anything but I am not even sure if there is anything similar to this out there.

There are a number of guides on the internet on how to implement the yubikey on many platforms so I am not going to try to replicate one of them but instead give a basic principle of how I have implemented in a Windows Active Directory environment where a fair number of linux hosts (Centos,debian,ubuntu) coexists but the linux hosts are not integrated in AD (no AD authentication).

So the challenge I had initially is to get yubikey to work in the windows environment - and it is a bit complex since you require a PKI in place but there are some really good guides out there how to set one up in your environment. Once the PKI is in place the rest is simple - guides are on yubico’s website and at other places too on how to set up PIV (personal Identity verification) smart-card logon for your existing users.

Windows is easy as it all plays together nicely. But what to do with linux? Perhaps you only have a handful of users in the IT department who occasionally log in over ssh, but you need to have 2 form authentication. Firstly, if all the users log in sharing one user account with a password then it really is time for you to shake things up! So the goal is to have all users with their own account, who require remote access (ssh) to the linux hosts. This can be achieved with the aid of GPG, again I won’t detail the setup, just google ‘yubikey GPG ssh’. For instance you might have 5 hosts and 2 users (including you), this is simple since you can set all this up manually, wont take that long right? But what if you ended up having 15 or 20 or more hosts that you really need to just set up with two form authentication? Well, this is where puppet comes into play. Puppet allows you to do the distribution of the individual user accounts with private keys for authentication from a centralised server. This will allow you to do regular password changes too if you tend to keep old fashion accounts (without ssh access).

I have deliberately focused on ssh here and not PAM as the remote access method mostly will be through ssh to gain root level access. The ssh configuration is simple to change and you can have 3 form authentication with gpg where the gpg pin is the first form, the certificate is the second and the user password is the 3rd.

And why I love yubikey is because it allows you to add even more, it is very powerful and broad. Once you start digging into it you will want to get to learn more about cryptography and Public Key Infrastructure. I have my yubikey to unlock by bitlocker encryption on startup on my workstation too. So basically there is a single device that fits for many.

I am not a reseller of yubikey nor a salesman of theirs, I just simply liked the product and thought it worth a quick write up, perhaps others can share their experience on other solutions too.

dbeato · 2017-01-25T21:35:26.000Z

Welcome to the community! Awesome write up Maybe you can also consider Duo Security so you can compare but is the same idea:

Cisco Duo

Easy Access Security for Anyone and Any Device

Secure access with Duo’s multi-factor authentication (MFA), remote access, adaptive authentication, device trust and single sign-on (SSO) solutions. Learn more.

Neally · 2017-01-25T22:29:55.000Z

TL;DR, but I have a older gen Yubikey on my keychain
I like them a lot, I already lost the tiny version one lol

psophos · 2017-01-26T00:22:52.000Z

Works well with LastPass too:

https://helpdesk.lastpass.com/multifactor-authentication-options/yubikey-authentication/

bsvec · 2017-01-26T03:07:23.000Z

It sounds too complicated and I have to carry something extra around with me? In seriousness though, 2FA through SMS or smartphone apps seem like they would be easier to implement and have better adoption rates among users while still offering 99% of the security, no?

Even better, I imagine in the future all kinds of personal metrics can be combined through smartphones and wearable devices users already have to be multi factor authenticators. Imagine things like a combination of known usual locations, fingerprint, voice, facial recognition, etc. So even better then a device like a USB key or phone that could be stolen it could require voice, fingerprint, etc. in addition.

balazsszolnoki3197 · 2017-01-26T07:28:32.000Z

I agree with you, it would be nice to use existing devices that we carry around with us already to fulfil the ‘Something You Have’ factor. I have been looking into google one time password (OTA) and whilst it is widely adoptable it does not integrate with windows, as it would mean a change on the ‘Logon UI’. The other issue that you have with smartphones and sms or phone call authentication is that you have to have signal on your mobile that quite frankly is not reliable.

I like to think that security should not cost you that much more. In today’s word if you want strengthened security you need to pay up for 3rd party solutions that aren’t necessarily integrating so seamless into your existing infrastructure and these come with the extra cost.

I do like the sound of the future that you have painted a picture of. I sincerely hope that we are heading to that sort of direction.

balazsszolnoki3197 · 2017-01-26T07:32:08.000Z

I have been considering duo security my self amongst others but as I am very limited with budget, I felt the one of cost for a ‘hardware token’ alike solution could work. And again if you have the budget to go with something like duo security then you also benefit from having the support from the experts who made the product and that is a huge benefit!

chris-is-decisions · 2017-01-26T08:00:56.000Z

There is also an alternative to MFA in the form of contextual access restrictions. These are transparent to the end and thus don’t frustrate employees with tokens, badges etc. They are also super easy to set up and cause less expense and headaches for IT.

Such restrictions can mean authorizating only the machine(s)/device(s) that the user can only use with their credentials. If credentials are compromised (stolen or shared), access would be automatically blocked if attempted from any machine/device outside of their authorization.

Further info from this guide: How to bolster your defense against compromised logins

apsutcliffe · 2017-01-26T08:10:03.000Z

Welcome to the community.

There is a section specifically from product reviews; and there are some for Yubikey there. https://community.spiceworks.com/purchasing/search?utf8=✓&source=Product+Search&selector_query=Yubikey

You might want to add your thoughts there as that will also help to build up your spice level.

Lennert · 2017-01-26T10:16:04.000Z

I only apply this on my firewall. Using Digipass

richardhall3 · 2017-01-26T12:46:48.000Z

I find my Yubikey is fantastic and use it to authenticate for all sorts of things, just sits on my key ring. I prefer it to mobile phone based OTA using an app since users find themselves in trouble when their screen breaks!!

johnnelson3 · 2017-01-26T14:06:20.000Z

We use Duo and support Yubikey and “push” (to smartphone app) as second factor (user’s choice). It’s not free, but it’s not hideously expensive and it is a relatively painless way to bring 2FA to our most sensitive systems.

psophos · 2017-01-26T14:29:07.000Z

Convenient blog entry from yubico: Internet Security and Company Blog | Yubico

greg-collective-software · 2017-01-26T14:32:24.000Z

If you want to integrate YubiKey OTP mode into an enterprise, there is AuthLite . I have nothing against PIV smart card mode, but you can’t use it for everything. With OTPs you can enter them into existing “username/password” credential UIs.

malaika-dashlane · 2017-01-26T14:37:20.000Z

Great post! I use a U2F-enabled YubiKey with Dashlane, and I love it! It’s faster than grabbing my phone every single time to find a TOTP code. And like you mentioned, for me, it opened a new door to learning more about cryptography and the value of multi-factor authentication in general. It’s also interesting to see how companies and websites like Google, Github, Dropbox, Salesforce, Dashlane, and as of today Facebook , are supporting U2F USB keys.

I’m curious to know has anyone used a Yubikey with an Android phone that supports NFC? Is the experience vastly different from using it on desktop?

@balazsszolnoki3197

psophos · 2017-01-26T14:58:36.000Z

I’m curious to know has anyone used a Yubikey with an Android phone that supports NFC? Is the experience vastly different from using it on desktop?

I’ve used mine to login to my lastpass account on the mobile. Exactly the same really. Just wiggle the yubikey around where the nfc antenna is, job done.

amber-lastpass · 2017-01-27T11:47:19.000Z

Great write-up, thanks for sharing. I did use the YubiKey NEO with my LastPass account for a while but moved to a phone-based authenticator app. The YubiKey had some great advantages, including the added encryption, but it just became easier to use the phone-based app. I always have my phone on me and I ran into a couple situations where I didn’t have the YubiKey. Nothing quite as frustrating as being thwarted by your own two-factor.

A great option though, especially for businesses who have other access points they want to secure with multifactor authentication!

Lennert · 2017-08-29T12:35:02.000Z

DIgipass works with an app already

aaronpropes9614 · 2017-12-21T17:38:13.000Z

If I used yubikeys to be the second factor in an Active Directory setup, what would stop the lazy users from just leaving the keys in their workstation?

greg-collective-software · 2017-12-21T19:42:49.000Z

APropes:

If I used yubikeys to be the second factor in an Active Directory setup, what would stop the lazy users from just leaving the keys in their workstation?

That can be a concern, especially if you pick the “nano” form factor which is designed to stay in the port. AuthLite also supports OATH tokens so your users could use Google Authenticator or other compatible phone app. Phones will sure not be left at the workstation!