Using a U2F (Universal 2nd Factor) device is currently one of the most secure authentication methods available to end-users. Its advantage comes from the hardware isolation. It’s impossible to steal keys from it or trigger authentication just using software. Physical interaction is mandatory. U2F is resistant to phishing by design too. For instance you cannot be tricked to press the key and authenticate with a “fake” web page since authentication origin is also part of the process and the communication between the device and the web browser cannot be intercepted by a third party. A malicious person cannot ask for your “U2F codes” because there are no codes in play.
YubiCo is probably the most popular manufacturer of U2F devices on the market. YubiKey is almost a synonym with U2F nowadays. They are gaining popularity too as other authentication factors like SMS proven to be vulnerable to attacks.
Here are some YubiKeys:
YubiKey Nano, the smaller device in the picture, is especially designed for scenarios where you keep your key plugged into the computer. You can use multiple keys too. One large YubiKey on your key chain and one Nano for each device you use regularly. You keep Nanos plugged into the computers so you don’t look for where you put your keys, you don’t try to jingle the YubiKey out and find the correct orientation for your USB port every time you need to authenticate. I even experienced YubiKey falling from USB port because my key chain was too heavy:
Because of that I think people will eventually end up with multiple, always plugged YubiKeys as I have. So what’s the problem with that?
Many YubiKey models come with an extra authentication method out of the box in addition to U2F. It’s called OTP (One-Time Password). It is less secure than U2F because it simulates key presses so it can be captured by web pages. You can see how OTP works by pressing your YubiKey on a text editor:
The above is an OTP generated by one of my YubiKeys. It looks almost random. If I press it again I see a different output:
Well almost different. The first 12-character part of YubiKey OTPs never changes because it is the serial number of your YubiKey.
You can see where this is going. When I’m anonymously browsing a web page if I accidentally touch YubiKey, say when moving the laptop or when reaching something else, I send the serial number of a device I purchased to a random web page I’m visiting at the moment. It is actually imprinted on your YubiKey:
That is an extremely strong signal to identify a person.
Because YubiKeys work with touch but not firm clicks it’s very easy to send out that signal unintentionally. Here is a proof of concept that can capture your YubiKey serial in the background, you can try it out if you have a YubiKey: https://ssg.github.io/yubitell
That serial number can be associated with your session or your identity which you think that was anonymous at the moment. Consecutive touches to your device can provide even more information like deanonymizing a Tor/VPN user, identifying the association between multiple accounts, identifying a person in “incognito” mode, or even incriminating someone.
Even if the web site is not malicious, it can opt to use YubiCloud OTP authentication method which is not U2F but looks like it. Services like LastPass and Passpack support YubiKey OTP mode only. That means your device serial number could be stored in a web site’s database, associated with your account, without you knowing about it.
You have two options to avoid leaking your personal information. You can stick to a single YubiKey that you only plug in when needed and remove it as soon as you are done with it. I find that more trouble than typing in Google Authentication codes actually, because unlike my key chain I carry my phone with me always.
The other option is to disable OTP mode on your YubiKey device. Beware that you might lose access to your accounts when you make changes to your YubiKeys. Make sure you have a separate recovery method in place or disable your YubiKey integration with OTP based platforms so nothing bad happens.
A platform is probably using an OTP-based YubiKey authentication if:
- It calls the integration “YubiKey” instead of the generic “U2F”
- It shows a “password field” that requires you to press your YubiKey like this in LastPass:
A password field isn’t necessary though as on the demo. But it’s a strong indicator of OTP.
Now what you need to do is to turn off OTP mode. I repeat my warning about losing access to your accounts here. And remember: OTP works on all browsers since it’s simply a keyboard emulation. U2F is only supported by Chrome and Opera as of January 2017. If you’re using another browser you cannot take advantage of U2F at all.
How to turn off OTP? Download YubiKey Personalization Tool. It provides an option to turn it off.
The same tool allows you to change OTP prefix so it can send something other than the serial number. But that prefix is also stored on the device. So it doesn’t change the fact that it can be associated with you.
You can also keep OTP enabled but remove the static prefix from sent OTP codes. Personalization tool lets you do that too. However that actually prevents YubiCloud from working so in practice it’s not any different than disabling OTP for a typical user. Non-prefixed OTP’s can have uses in enterprise scenarios where you use custom private keys but not with YubiCloud.
Platforms also need to stay away from YubiCloud OTP mode. It creates too strong signals for the user and easy to be mistaken with U2F. Support U2F mode only and push for its adoption. If you need to support 2FA, use “Google Authenticator” flow instead which is not susceptible to that “accidental touch” or “identity leak” problem.
As a final note, YubiKeys are versatile and secure devices. I’m using a bunch of them and very happy with the experience so far. OTP has legitimate and secure uses too. And incriminating yourself by an accidental touch seem far off. But as people start adopting it in larger numbers we are inevitably entering the zone of “dangerous defaults”. As it happens we all need to be conscious about problems with OTP and push for more widespread adoption of U2F.
Update: I was notified that the basic U2F model of YubiKey has no OTP mode. Edited the article accordingly. You don’t need to worry if you have that model.