[Core Contributors] Please use a Yubikey for 2FA

ceri · June 27, 2019, 7:34am

TL:DR - we’re asking all CCs to use a Yubikey (or other similar hardware security key) as 2FA on their Status Google, LastPass, and GitHub accounts.

Background

All of you will be using 2FA on your accounts. We’d like to step up security and use hardware as the second authentication method. As such, please obtain and use a Yubikey to secure your Status accounts by end of July 2019.

Getting a Yubikey

Buy online here
Find a local reseller here
If you don’t manage to find a Yubikey, ping @ceri
If you have a Yubikey and want to check it’s genuine, check here

Which accounts?

Add your Yubikey as 2FA, and remove SMS, using the following guides:

More info

This note from Corey has more info on which Yubikey to purchase.
Why do this? - Phishing attacks that bypass 2-factor authentication are now easier to execute | CSO Online
More about sim swapping - The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You | by CipherBlade | MyCrypto | Medium
More about modern 2FA and how it should be used - Getting 2FA Right in 2019 | Trail of Bits Blog

FAQ

Are you saying that we should switch off app authentication?

App authentication (e.g. Google authenticator) is fine, but Yubikey is preferable where available. As a minimum, we’re asking you to use Yubikey on your Google, LP, and GH accounts. You can use it for additional accounts if you wish.
You should never use SMS as a second form of authentication, due to the risk of SIM swapping attack.
- Note: Google Fi is exempt from SIM swapping for now, but that puts the pressure on your Google account security.

Will this cause an issue of people getting locked out of accounts? What happens if Yubikeys are lost?

Please review your security settings to ensure you’ve registered a backup option, e.g. writing down backup codes on paper and storing them securely.
In case you get locked out of an account, please ping People Ops.

Does it have to be a Yubikey?

Not necessarily, if you have an alternative preferred hardware key for authentication, please let [email protected] know and we can validate if it meets the necessary specs.

Can I expense my Yubikey?

Yes, please submit it through Expensify. Anything more expensive than a standard Yubikey (~$45) should be run by People Ops in advance.

I have other questions

Drop by #security-helpdesk for support.

–

Thanks!

Bruno · June 27, 2019, 9:33am

This despite recent issues? https://www.google.com/amp/s/www.theregister.co.uk/AMP/2018/06/18/yubico_webusb_google_bounty/ (also https://www.google.com/amp/s/www.howtogeek.com/425037/hardware-security-keys-keep-getting-recalled-are-they-safe/amp)

arnetheduck · June 27, 2019, 5:52pm

FWIW, both Ledger and Trezor can be used as U2F hardware keys - if you have a spare one lying around, that should work in a similar way (? ping @petty) -

it’s slightly quirky though because you have to login to it with pin, yubi might be more convenient.

petty · June 28, 2019, 7:49pm

Yes, despite these issues. Don’t get a FIPs series key, and the issue with poor communication on the bug bounty isn’t something I’m concerned with here.

The difference between us using a hardware device and not relative to our stance on a muddy issue like that are two very different things. If a CC has any personal issue and would prefer not to use Yubikey, then let me know what they would prefer to use and it can be cleared.

Once again, the main point is using a hardware token that requires physical access by the bearer in order to access our most valuable resources.

petty · June 28, 2019, 7:52pm

Both of these options do work, but do you want to be carrying around your hardware wallet that much?

arnetheduck · June 30, 2019, 5:28am

Well, not too different from carrying around a yubikey, assuming it’s a spare one.

There’s an analogue here that’s bothering me a bit though, that my phone is becoming an authentication hub for all kinds of things 2FA and TOTP becoming popular - losing it would be a mess that I actually have to think about in a way I haven’t had to before. Overloading a hardware wallet to perform different functions (economy / authentication / identity / kitties) is similar. Having to plan recovery is a bother.

petty · July 1, 2019, 2:53pm

If that cold wallet has funds on it, then it is VERY different.

Yes, recovery of these 2FA devices is somewhat of a hassle, always print out one-time codes for login where you can.

ceri · July 2, 2019, 3:23pm

How to remove your phone as your 2FA in Google: How to remove phone number from Google account completely - CodiMD

j12b · July 9, 2019, 2:20pm

I tried to add Yubikey to my Status LastPass account but got this error message:

“This multifactor option requires LastPass Premium. Upgrade now”

ceri · July 10, 2019, 4:52pm

This is due to our license expiry - should be fixed once renewed, will let you know when that happens!