YubiKey NEO configuration suggestion
March 24, 2017
In order to reduce my risk of being phished or otherwise having my account(s) hacked, I decided to get a YubiKey for my personal laptop. We use them at work; work is paranoid, and if it’s good enough for them, it is good enough for me.
So I bought a Nano4 and a NEO. I want the Nano4 so that it just stays plugged in by default, and the NEO has NFC so it can talk to my phone and tablet if I am authenticating from there. Both of these come with way more capabilities than I need, but they are the only two keys that, respectively, can stay plugged in and support NFC.
Those extra capabilities are a problem because they’re all enabled by default. One authentication method that I’m not using is OTP: long press on the Nano4, and it burps out a string of characters as if I had typed them. A “long press” is what you get if your hand rests over your USB port, if the key touches your leg, etc. Yubikey made a mistake here; almost certainly, the new customers for this gadget will be people less technical than me, and (more alarming) less technical than the tech support guys at work who hand these out (preconfigured) for our use, and who also didn’t have an immediate answer to this question. Nobody’s going to want OTP configured; it’s incredibly annoying.
But here you are, like me: you have your shiny new Nano4 and it does this annoying thing. How to fix it? You need the YubiKey NEO Manager.
Its window looks like this; when you start it with your new YubiKey (NEO or Nano4) inserted, the mode shown next to the “Change connection mode” button will include “OTP”. It’s pretty obvious from here: click the Change button, deselect OTP from the options presented, follow the instructions (the key has to be removed and reinserted for the new mode to take effect), and you will be done. None of the U2F associations you’ve already made will be bothered (i.e., it will work exactly the same, except that the annoying OTP typing burps will be gone).
If you don’t need NFC, or don’t need the key always resident in the laptop (that may have been a mistake; we use them several times daily at work, but I don’t for my personal account), you can save money and avoid this by instead buying a FIDO U2F Security Key. U2F is what Dropbox and Gmail use. I’m still working on figuring out how to not use text messages to my phone, since some of these services also require a phone (which can be socially engineered away from you through your provider, though that is well beyond normal phishing). One choice for some accounts is Google Authenticator (for a Mac); using it requires physical access to the phone, not just to the account.
I would add that at this point I feel a need to draw myself a graph of services, authentication methods and password managers (which can store data in the cloud on these same services) to be sure that my access protection is “just right” — not so weak that it’s trivially hacked by phishing, not so strong that if I lose a single phone or key I am screwed.
Other stuff I use to help secure my laptop: Little Snitch (intercepts outbound network connections) and Little Flocker (intercepts file I/O, e.g., the mass file writes of ransomware). These tools are very annoying for normal people.