Passwordless Logins with Yubikey

101 points by adl1995 over 4 years ago

14 comments

mabbo over 4 years ago
True security is using both "something you know" and "something you have". Something you have can be stolen, and something you know can be tricked out of you. But stealing *both* is difficult and far more obvious.

To log in to my work VPN, the password is "<my pin><output from the yubikey>". Our SSO system requires both once per day as well.

It's a great system and I highly recommend it.
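The "<PIN><Yubico OTP>" scheme in the comment above works because the verifier can split the typed string without a delimiter: a Yubico OTP is always 44 modhex characters (12 of public ID, 32 of encrypted token), so whatever precedes the last 44 characters is the PIN. The following is an added example, not code from the thread; it assumes that format and uses constructed PIN and OTP values. It rejects a bare OTP or a bare PIN, which is the point of the comment: both factors have to be present.

```python
"""Split a combined "<PIN><Yubico OTP>" password into its two factors.

Added example, not code from the thread. It assumes the Yubico OTP format:
44 modhex characters, of which the first 12 are the key's public ID and the
remaining 32 the AES-encrypted token that only a validation server can
decrypt. The PIN and OTP values used below are constructed, not real."""
import hmac

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex
OTP_LEN = 44
PUBLIC_ID_LEN = 12                      # 12 modhex chars = 6 bytes


class SplitError(ValueError):
    """The combined string does not contain a PIN followed by a well-formed OTP."""


def modhex_decode(s: str) -> bytes:
    """Decode modhex to bytes; raise SplitError on odd length or foreign characters."""
    if len(s) % 2 or any(c not in MODHEX_ALPHABET for c in s):
        raise SplitError("not valid modhex")
    nibbles = [MODHEX_ALPHABET.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_pin_and_otp(combined: str, min_pin_len: int = 4) -> tuple[str, str, bytes]:
    """Return (pin, otp, public_id).

    The OTP is always the trailing 44 characters, so the PIN may be any
    characters and any length >= min_pin_len. A bare OTP (no PIN) or a bare
    PIN (no OTP) is rejected: the scheme only works when both are present."""
    if len(combined) < OTP_LEN + min_pin_len:
        raise SplitError("too short to hold a PIN plus a 44-character OTP")
    pin, otp = combined[:-OTP_LEN], combined[-OTP_LEN:]
    token = modhex_decode(otp)            # 22 bytes; also validates the alphabet
    return pin, otp, token[:PUBLIC_ID_LEN // 2]


def check_both_factors(combined: str, expected_pin: str, registered_public_id: bytes) -> bool:
    """True only if the PIN matches AND the OTP came from this user's registered key.

    A real deployment additionally submits the OTP to a validation service that
    decrypts the token and checks its usage counter; that step is out of scope."""
    try:
        pin, _otp, public_id = split_pin_and_otp(combined)
    except SplitError:
        return False
    pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
    key_ok = hmac.compare_digest(public_id, registered_public_id)
    return pin_ok and key_ok


# Constructed sample values (not a real key or a real OTP).
SAMPLE_OTP = "cccccccccccb" + "hjgrtunv" * 4           # 12 + 32 = 44 modhex chars
SAMPLE_PUBLIC_ID = bytes.fromhex("000000000001")

if __name__ == "__main__":
    print(check_both_factors("2468" + SAMPLE_OTP, "2468", SAMPLE_PUBLIC_ID))   # True
    print(check_both_factors(SAMPLE_OTP, "2468", SAMPLE_PUBLIC_ID))            # False: no PIN
```

Both comparisons use constant-time `hmac.compare_digest`, and a malformed OTP is treated as a plain failure rather than a distinguishable error, so the verifier leaks nothing about which half was wrong.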
naturalpb over 4 years ago
Alternate title: guide to changing your single factor authentication from "something you know" to "something you have."
lima over 4 years ago
For SSH, use native U2F/FIDO2 OpenSSH support instead:

https://www.openssh.com/txt/release-8.2

https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html

TOTP with a PAM module is insecure since it's not cryptographically tied to the session like public key auth and can be phished. The author's suggestion to use it for passwordless login is dangerous when applied to SSH sessions!
BrandoElFollito over 4 years ago
Making a decision on what to use for authentication should rely on a risk assessment. Of course normal people will not do it, but at least what we provide them should meet their needs.

99.7% of people will get their password stolen because they use only one on each service. It will get stolen on some shady site, and then checked against the same email on gmail.com.

The remaining 0.3% of the users will have their laptop stolen, together with the key. The thief will then re-image the laptop to sell it and throw the key away.

Finally, 1723 geeks in the world need to make sure they use 8 FA so they will be fine.

There are also enterprise users (35.8%) who will get something from their company which marries a PIN to an OTP and they will be fine.

In other words: yay yubikey! instead of password.

Note: the percentages not only are invented but do not add up to 100%. The first one is probably very, very underestimated.
CameronBanga over 4 years ago
This is a complete aside, but last year I purchased a keychain YubiKey 5, that supported USB-C and Lightning.

I attached it to my key ring, and within about 8 weeks, the device was destroyed through the general wear and tear of being in my pocket. The plastic started chipping at one end of the device, and before long the entire plastic shell shattered off completely, exposing the board underneath.

Was a pretty big bummer, and kept me going back to Authy. Are there any other hardware keys/tokens that are maybe a bit more rugged?
lukax over 4 years ago
TouchID on MacBooks can also be used to authenticate the user in terminal, mostly for sudo.

The only annoying thing about it is that "/etc/pam.d/sudo" gets overwritten on every macOS system upgrade.

https://apple.stackexchange.com/questions/259093/can-touch-id-for-the-mac-touch-bar-authenticate-sudo-users-and-admin-privileges
ncphil over 4 years ago
Tried this long ago when we got our first Yubico U2F keys. Cool, but ultimately unwise if not paired with a password or a decent-length PIN, because without that second factor you're back to a single point of (security) failure. Also, as pointed out by @deehouie, at present the PAM changes required will complicate things where a machine is shared by multiple users (unless, of course, you just leave the key plugged in all the time: at which point... well, you know).
philsnow over 4 years ago
> Note: For passwordless logins the user will need to press the Enter with their Yubikey plugged in to unlock their screen.

You can use the "yubikey personalization tool" to change the format of the yubico otp that it emits, including appending an enter key. This is the way you'd want it set up for that, with the "tab"s unselected and the "enter" selected: https://cdn.zappy.app/791c95f1c203ef39fb71ea2809aa82a6.png
marianov over 4 years ago
Any way to do it with an older type of USB token? Like Safenet eTokens?
xaduha over 4 years ago
If you have nothing better to do:

1. Get a smart ring like OMNI

2. Shove a USB hub and a contactless reader into your mouse, so if on the next poll your hand with a ring isn't on it - lock it all

Seriously though, if someone would start selling mice with contactless readers built-in, I'd buy a few.
FloatArtifact over 4 years ago
Why is it a password first then two-factor authentication authorization then the other way around?
encryptluks2 over 4 years ago
I feel like these devices generally give the illusion of security while really giving an adversary a single device to target. As another user had suggested, using udev rules and some device encryption would likely be a much better option... if not as an alternative, at least in conjunction with something like this.
anonisko over 4 years ago
Cool. Now where's the guide to embed NFC enabled yubikeys in your hand?
deehouie over 4 years ago
I just bought two yubikeys; a month later, I returned both. Here is a (major) problem. On an Ubuntu box, I installed `libpam-u2f` and set it up for one user account. Turns out it breaks all other user accounts on this Ubuntu box, meaning no other user could log in without the key. I contacted their support. No solution.
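The lock-out deehouie reports, and ncphil's point that a key-only login is a single factor, both come down to where the `pam_u2f.so` line sits in the PAM stack and which control flag it carries. The following is an added example, not code from the thread or from libpam-u2f: a small model of PAM `auth` stack evaluation following the control-flag semantics of pam.conf(5), with constructed stand-in modules (the U2F one fails for a user with no registered key, the UNIX one checks a password) and constructed users. It shows that a `required` line in a shared `common-auth` fails every user without a key, that `sufficient` ahead of `pam_unix` gives key holders a passwordless login while everyone else falls through to their password, and that two `required` lines are what actually demands both factors.

```python
"""Model of PAM "auth" stack evaluation, showing why a `required` pam_u2f
line locks out every account without a registered key, and how the
`sufficient` ordering gives key holders a passwordless login while other
users keep authenticating with a password.

Added example, not from the thread or from libpam-u2f. The control-flag
semantics follow pam.conf(5); the two modules are constructed stand-ins
(the U2F one fails for users with no registered key, the UNIX one checks
a password), as are the users, key registrations and passwords."""

SUCCESS, FAIL = "success", "fail"

# Constructed state: alice registered a key; bob never did.
U2F_REGISTERED = {"alice"}
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}


def u2f_module(user: str, creds: dict) -> str:
    """Stand-in for pam_u2f: no registered key for the user means failure
    (pam_u2f documents a `nouserok` option for that case; not modelled here)."""
    return SUCCESS if user in U2F_REGISTERED and creds.get("key_touched") else FAIL


def unix_module(user: str, creds: dict) -> str:
    """Stand-in for pam_unix: the password must match."""
    return SUCCESS if creds.get("password") == PASSWORDS.get(user) else FAIL


MODULES = {"pam_u2f.so": u2f_module, "pam_unix.so": unix_module}


def run_auth_stack(stack: list, user: str, creds: dict) -> str:
    """Evaluate (control, module) lines in file order, per pam.conf(5):
    required   - failure dooms the stack, but later lines still run
    requisite  - failure returns immediately
    sufficient - success returns immediately unless an earlier required
                 line failed; failure is ignored"""
    outcome = None                      # undecided until a required/requisite runs
    for control, module in stack:
        result = MODULES[module](user, creds)
        if control == "required":
            if result == FAIL:
                outcome = FAIL
            elif outcome is None:
                outcome = SUCCESS
        elif control == "requisite":
            if result == FAIL:
                return FAIL
            if outcome is None:
                outcome = SUCCESS
        elif control == "sufficient":
            if result == SUCCESS and outcome != FAIL:
                return SUCCESS
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return outcome if outcome is not None else FAIL


# The layout deehouie describes: u2f as `required` ahead of the password check.
STACK_REQUIRED = [("required", "pam_u2f.so"), ("required", "pam_unix.so")]
# The passwordless layout: key holders short-circuit, everyone else falls
# through to pam_unix. Note that for alice this is a single factor.
STACK_SUFFICIENT = [("sufficient", "pam_u2f.so"), ("required", "pam_unix.so")]

if __name__ == "__main__":
    print(run_auth_stack(STACK_REQUIRED, "bob", {"password": "bob-pw"}))      # fail: bob has no key
    print(run_auth_stack(STACK_SUFFICIENT, "bob", {"password": "bob-pw"}))    # success
    print(run_auth_stack(STACK_SUFFICIENT, "alice", {"key_touched": True}))   # success, no password
```

Reading the two stacks against the thread: `STACK_REQUIRED` is the two-factor arrangement mabbo and ncphil prefer, and it is also the one that locks bob out; `STACK_SUFFICIENT` is what "passwordless" means in PAM terms, and it leaves bob on his password only because the failing `sufficient` line is ignored.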