Why you should use Yubico
Authenticator for your Yubikey

Aaron Young
2 min readSep 27, 2021

--

Yubikey 5 series

Let us start with, what are the Yubikeys pictured above? Yubikey is a form of a physical security key for authenticating with websites and apps.

Security keys are the strongest practical authenticators today. They are simple to understand, durable, and portable. They can work cross-platform and can be used on any number of websites that support them. -Sami Laine

Those of us who have the Yubikey have decided to use it to enhance our security with websites. The key, among many features, of which the most widely used, is its ability to authenticate using the WebAuthn protocol and FIDO/U2F. It additionally, and less widely used, can be used as a Time-based One Time Password (TOTP) authenticator. Most people know this as the six-digit code that authentication apps generate, such as Google Authenticator, Microsoft Authenticator, and Authy.

There are a few problems with using these apps. Firstly, once someone gains access to your phone, they have the 2nd factor, access to your authenticator. Secondly, the secrets are not secrets and can be retrieved (if your phone is being hacked). This is evidenced by the fact that we can transfer both Microsoft Authenticator secrets and Google Authenticator to a new device. With Authy, you don’t own your secrets; it is stored within the cloud and synced with each device. Lastly, with Google and Microsoft authenticators, if you lose your phone, you are out of luck typically unless you have your backup codes.

Now to the main point regarding Yubico Authenticator. It, like Authy, Microsoft & Google authenticators, will generate the TOTPs needed for sites. Unlike Microsoft and Google, the secret isn’t stored on the phone but rather on your Yubikey. Additionally, unlike Google and Microsoft authenticators, the secret cannot be retrieved from the Yubikey if it is lost or stolen. But like Authy, you can connect the key to practically any device (they support Windows, macOS, Linux, iOS, and Android) and have your security codes available. But what about backing it up? That’s a non-issue; as you acquire new TOTPs, just set up two or more keys with the given barcode.

My point, if you have a Yubikey, and are serious about securing your sites, make your TOTPs just as secure as your WebAuthn and FIDO/U2F logins by moving the secrets to the hardware token. Lastly, if you leave the key regularity in your computer or laptop, you can set up the key so that it requires a physical touch to retrieve your 6-digit code. This will prevent anyone who has remote access to your device from obtaining the code as you physically need to be present.

--

--

No responses yet