I Got a Yubikey — Now What?

How to use a Yubikey with your online accounts

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Google Security | Cybersecurity for Executives | Cybersecurity

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I wrote some stories about how to better protect your accounts and one of my recommendations was to get a Yubikey. Note that this was only one of the recommendations that can help you if you are finding that your online accounts are repeatedly being compromised.

What will stop the attackers depends on how they are compromising your systems. I know, it’s a pain to try to figure this all out if you’re not familiar with all these technical details. A Yubikey is a great place to start. Please read this post for all the other recommendations.

How and when a Yubikey helps protect your accounts

Sometimes attackers send you a link to log into a website. You click that link and enter your user name, password, and sometimes a code from your phone or an application. The website looks just like the real website and you don’t notice that the address is slightly different. When you log in, your credentials are not sent to the legitimate website, they are sent to the attacker. The attacker captures your credentials at that point and immediately logs into the real website with them. That is why a code from your phone does not save you here: the code is only valid for a short time, but the attacker uses it right away, before it expires. Then they may redirect you to the real site after they log in so you don’t realize anything is wrong.

When you use a Yubikey, instead of typing a code from your phone or an application after you enter your password, you plug the Yubikey into your computer or phone (or tap it against a phone that supports NFC) and touch the gold contact on the key. Behind the scenes the key signs a one-time challenge from the website, and that signature is tied to the real website’s domain and can only be checked with the public key the site stored when you registered the key. The private key never leaves the Yubikey. A lookalike site therefore cannot obtain anything usable the way it can capture your user name, password, and codes: the key makes that much harder and, at the time of this writing, the tools attackers use most of the time (for now) to steal credentials can’t intercept a Yubikey login and use it to get into your account.

Where can you use your Yubikey to login?

Unfortunately not every company or account supports Yubikeys. Many bank and insurance company sites, for example, still do not let you register a security key. Hopefully they will start supporting that sooner rather than later.

One site that does support Yubikeys is Google, for your Gmail (email) account and document storage. Other email and cloud systems will also let you add a Yubikey to your account. To find out whether you can use a Yubikey with a particular account, consult that system’s documentation or contact its customer support.

Yubikeys and similar devices are often referred to as security keys, hardware security keys, FIDO keys, passkeys, or authentication devices. (Strictly, a passkey is the credential stored on the key rather than the key itself, and a security key can hold one.) You’ll find information about them when you look up how to add a second factor, multi-factor authentication (MFA), 2-step or multi-step verification, or a passkey to your account.

Why protecting email is critical

If you use Gmail, a Yubikey will help prevent attackers from getting into your email account. Attackers who get into your email account might be able to do many things, such as:

  • Read emails. The attackers will be able to read your email and any sensitive documents you have sent or received via email.
  • Reset usernames and passwords on your other accounts using a “forgot password” link. Because they control your email, they can request a reset link for another account and use it when it arrives.
  • Delete emails. Say an attacker used your email to receive a password reset link for one of your accounts. They can then delete the reset email so you never see the evidence.
  • Learn information they can use to trick you into clicking a link that downloads malware to your system.
  • Send email pretending to be you. Because the attackers have access to your email they can send messages on your behalf, possibly tricking other people into doing something.
  • Learn proprietary information about your company and products.
  • Undercut you on a project bid because they know what you are going to bid and can offer the customer a better price.

Those are just a few examples. Protecting your email is very important. Adding a Yubikey to your Gmail account can help.

How to use a Yubikey with a Google account

I’ve been using Yubikeys with Google accounts for years. Unfortunately Google has just made it a bit more complicated to use a Yubikey as a second factor along with a username and password. I wrote about that here:

If you are not super technical and you want to use a Yubikey instead of a password, that is pretty simple. If you want to use both a password and a Yubikey, Google has something to fix at the moment to make that as easy as it used to be, but here’s how it works.

Note that this may look slightly different if you’re not using a Mac.

Log into your Google account.

Click the icon on the top right of the screen that represents your user account.

Click Manage your Google Account.

Click Security on the left.

Scroll down to 2-Step Verification. Click the arrow on the right.

You will see a number of options for setting up 2-factor authentication on this page. Before you set up a Yubikey, I recommend clicking on and setting up each of the following:

  • A phone as a second factor, at least until you verify your Yubikey works. You may want to leave it in place as a backup option.
  • A recovery email and phone number in case you lose access to your account.
  • Backup codes that you can use instead of a phone or Yubikey if those are not working for some reason. Do not store the backup codes on the device you use to log into the account, or in plain text anywhere (such as the notes app on your phone or a file on your computer). If you are not comfortable with encryption tools, print the codes and keep them somewhere physically secure, such as a safe if you have one.

Then set up the Yubikey.

Click the arrow next to Security Key:

Click Create Passkey:

If you only want to use your Yubikey to login with no username and password you can click Create a passkey, but I explained why I don’t want to do that in the above post. Instead, click on Use another device.

If your Yubikey already has a FIDO2 PIN configured, you will be asked for it. Otherwise you will be asked to create one. The PIN is a code of at least 4 characters (it can be longer, and it can include letters), and it is stored on the key itself, not at Google. Save it in a secure place: if you enter the wrong PIN eight times in a row the key’s FIDO2 application locks, and resetting it erases every credential stored on the key, so you would have to fall back on your backup codes or phone to get into your account.

You’ll be asked to allow the security key. This is the browser asking whether Google may see the make and model of the key you are registering. Click Allow.

The key will be added to the list. What is really interesting here is that I used two of the exact same kind of keys and they are shown differently in this Google list. Hmm.

The new key will be added to your list.

I find it strange that Google is showing different information for these two keys as they are both the exact same type of key from Yubikey. Interesting. In fact, I do not want a “Passkey” on this account to log in without a username and password, I only want a Security key used as a second factor.

Test logging in with your Yubikey

Once you set up your Yubikey, you can test logging out and logging back in. Depending on whether you use Google Workspace or not and how it is configured, you will be asked to enter a username and password and then touch your Yubikey, or you may be asked to just touch the Yubikey and enter a code. I have my accounts set up to do the former so I’m not entirely sure what happens if you do the latter.

In any case, at some point, you’ll see a message like this:

Touch the gold contact on your Yubikey (some models have one on each side) and you should be let into your account.

After setting up the security key I tested logging into my account with it and it worked. As I explained in the above post there seems to be a security bug here where you can’t create a security key only for use as a second factor. It seems like the option to only use the Yubikey is always enabled at this point, but I have that disabled via Google Workspace as explained here.

If you are not using Google Workspace you might be forced to use the hardware security key only as a passkey, but I’m not sure as I haven’t tested a Google account created without a Google Workspace.

Add multiple Yubikeys to your Google account

I highly recommend you set up two Yubikeys in case one is broken or lost. Then you can use the second one.

If you can’t do that it’s even more important to set up some other option as a backup such as the backup codes, a phone number, or an application that generates codes.

Add your Yubikey(s) to your other cloud account logins

Adding a Yubikey to other accounts works in a similar manner. Depending on which type of Yubikey you purchased, you might be able to log in by tapping the key against your phone (NFC models) or by plugging it into your phone (USB-C or Lightning models).

Be careful with adapters

If your Yubikey needs an adapter to connect to your computer (for example, a USB-A key on a USB-C-only laptop), please be very careful where you buy that adapter and make sure it comes from a reputable source. A cheap adapter from an unknown seller is a small USB device you are inserting between your key and your machine; a tampered one could behave as a malicious keyboard or try to capture whatever passes through it, and at that point you have undermined the purpose of getting the Yubikey. (The FIDO signature itself is bound to the site and to a one-time challenge, so it is far less useful to a thief than a password, but that is no reason to trust unknown hardware.) That’s why it’s best to get a Yubikey with a connector that works directly with your computer or phone, if possible. If you do need an adapter, get one from a reputable brand.

Hopefully that helps you get started with your shiny new Yubikey and better protect your accounts. Remember to read the other recommendations. A Yubikey might not help if an attacker already has malware on your home Internet router, phone, or laptop: malware on the device you log in from can take over the session after the key has done its job.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab