I feel like I'm really missing something on why Yubikeys are such a popular form of 2FA. My previous employer utilized a phone app that would spawn a notification when you were trying to do something requiring a 2nd authentication factor. You had to either enter a 6 digit pin or use a fingerprint to authorize. My current employer utilizes Yubikey, and it just feels clunkier and less secure? I still have to have a piece of hardware, but its one I'm vastly more likely to lose or misplace and doesn't require any verification that whoever is activating it is who they say they are. Is there something I'm missing?
You leave the Yubikey in your computer, at least for the duration of your session, so you're just moving your hand a couple of inches to tap it. Contrast with fishing out an entirely different device, waiting for the push to arrive or navigating to the Duo app, etc. Push 2FA is also subject to the vagaries of your phone's current network connection and its latency.
For the specific combination of Macs with Touchbar and U2F and Chrome, you can already get this experience with onboard hardware. I expect most client devices will converge on having some kind of hardware-backed U2F credential built in. But Yubikey is more general right now. OTP is easy to implement and eminently compatible; it just presents as a keyboard and sends keystrokes. HMAC is great for not just authenticating but signing specific transactions. The GPG applet is just another GPG key, and the PIV applet is just another X.509 cert, so a number of applications can be upgraded to hardware-backed credentials with little or no change.
It depends on the context really - I love the push-driven MFA products, but they specifically require you as a user to be carrying a phone with you at all times, and are usually considered "low" assurance of the user's identity.
If your business is seeking "higher" assurance (yes, assurance levels are very subjective) then certificate-based MFA can meet the needs better. Or, if your business is working with sensitive data/systems, phones may be banned from the office (e.g. military, intelligence, banks, etc.).
If you can’t use a phone as a factor, it’s likely you’ll be issued a smart card (such as a CAC in the case of the military).
It feels like Yubikeys are a shim until the phone UX as a factor improves (and there’s more server side support) and/or smart card adoption for identity improves. If Touch ID and Face ID are good enough for most secure transactions in the Apple ecosystem (including Apple Pay), seems like a reasonably high assurance.
Some of the U2F-only tokens are their own thing, but the flagship Yubikey is literally a smart card bundled with a reader. The USB token form factor makes a little more sense for an individually assigned laptop.
I have found Yubikey evangelism terribly difficult in both my enterprise and defense industry engagements, hence my smart card statements. For whatever reason, Yubico still has some perception challenges.
You can MITM OTP, but you can't MITM U2F. You can copy/steal the OTP secret from a phone app, but you can't copy/steal the U2F private key from a Yubikey (easily).
With Push MFA it's even easier, the sequence goes like this:
Crooks know Barry's password but Push MFA is needed to sign into his account and conduct some crime
Crooks somehow get Barry to go to a site they control believing it is for Work [there are a lot of ways to do this step, links in email, hijacking forgotten subdomains, typo squatting, the list goes on]
The site says "Hi Barry, we need to do Push MFA"
Crooks sign into Barry's real account with the password, causing a Push MFA to happen.
Barry was expecting Push MFA because the bogus site prompted saying it would happen so OKs it.
I think the intuition is that it is supposed to be like a key. People generally do a pretty good job securing their keys. In addition, it is easy to have a backup key stored somewhere safe.
One nice thing about Yubikey instead of phone, is that since it only does one thing, you are far less likely to need to upgrade it. In the past, I have lost a 2 factor on my phone when upgrading since it is not backed up.
It’s like a physical key, also inside a combination lockbox, hanging from your keychain. It follows the Unix Philosophy in this regard of doing one thing very well and I think that’s a large part of the appeal.
Granted it does many things well, I think the most common case with Yubikeys is we only use them for one or two of their possible functions, and they’re cheap enough that this is okay; like a screw driver with half a dozen bits in the handle, but I just use the Philihp’s Head bit. In earlier Yubikeys, they could get stuck in PIV mode (like getting a bit stuck in your screwdriver), but I doubt anyone ever noticed.
That makes sense, and initially that is how I treated it, but essentially everyone I work with keeps theirs plugged in to their laptops 24/7. In fact, the keys we get as backups/replacements are the low profile ones designed to be plugged in and not removed without significant difficulty.
The effect this has is to make the laptop a "Something you have" factor. This works fine so long as the business is strict about ensuring people treat laptops appropriately and report losses quickly.
e.g. my last big corporate employer would sometimes randomly take any laptops that had not been properly physically secured during a meeting or over lunch. You'd come back and somebody groans "Oh no, we were only gone a few minutes". Yes we were, and you didn't bother locking your laptop so now you're going to have to grovel to somebody to get it back.
That’s why I love my 17 inch Alienware gaming laptop. If it is missing, I can usually spot the thief straining under the load of trying to carry it, and it is too bulky to fit in a normal backpack.
The only way to lock laptops to things I have seen have been Kensington slots, and those are literally security theater. You can cut them straight through their cables with a simple plier and zero effort, in one motion.
I don't like taking my phone out while I work, since this is often a source of distractions. I also have to worry about keeping it charged and on me (it is much larger than the yubikey). I have to keep the authentication app, which is often proprietary, installed and up to date. I have to worry about retaining access if I lose, break, or want to upgrade my phone. I have to apply a different security model to my phone. I have to trust a third party (duo), and rely on their push notification infrastructure. There is an additional delay while I wait for the push notification.
There is something I intrinsically like about pressing a hardware button.
These are all relatively minor things, but they add up to a strong preference for the yubikey (I've used the simple blue u2f key with a button).
After reflecting on this list, I think the security model is probably the biggest one. In more colloquial terms: I'm already used to keeping track of my keys with a certain amount of care. A yubikey does not require me to adjust my habits; it's just another key.
My employer uses Duo, which supports phone push, yubikeys, or webauthn/touchID in chrome.
I almost always use touch ID. I do have a yubikey and phone push as a backup, but I really want to minimize using my personal device for work (and don't want to carry two phones).
A yubikey is much less obnoxious to carry around than an extra phone.
I want to get some sort of retractable lead for mine. My keys are heavy-ish and sometimes it can be difficult to get the key in a usb port without tension.
When I had more keys on my keyring I used something like this https://www.amazon.com/Lucky-Line-Keychain-Nickel-Plated-707... (not this particular one, which is just the top result that looked similar). It worked pretty well for a single key, but if you want to use more than one it adds a lot of extra bulk so your keychain gets even bigger.
I also tried something like this https://www.amazon.com/Spider-Accessory-Split-Rings-Pack/dp/.... It worked pretty well for a few weeks, but then the central piece loosened up and the keys started falling off in my pocket; not recommended unless you can find one that's really sturdy.
in california, if your employer requires you to have a phone for 2FA or other purposes, they must reimburse you at least partially. yubikeys are cheaper.
as to being clunky, it’s because your employer doesn’t care about it, so you have the clunky (and much cheaper) yubikeys.
lack of verification of who is using it is simply not an important part of the threat model.
If you are using the PIV applet of the Yubikey, then yes, a PIN is required. Failing the specified number of retries will result in the device being locked. The PIN can be unlocked with a PUK. Failing the specified number of retries with the PUK will brick the PIV applet. You can reset the PIV applet but all previous data will have been wiped.
