Wednesday, February 6, 2013

Changing over to two factor hardware authentication.




Over the past two years I have become very concerned about security.

First of all a disclaimer. I know just enough about security to be worried. I am not a security expert but I do understand enough to understand some Bruce Schneier articles which is probably enough to qualify me to play a security expert on TV.

I was one of the people whose Dropbox accounts were hacked, and attempts were made on several of my Gmail accounts as well as my bank account immediately afterwards. Luckily I do not use even vaguely similar passwords on the different systems.
 
In addition, I am seeing a huge increase in attempts on my home system through the firewall. My personal development server at home is accessible only through the SSH port and that port has shown a 173% increase in attempts in the last year alone.
 
On that server are several hundred gigabytes of scans of various documents and photographs on the family document management system. Of course all of this is backed up to the cloud but I would rather deal with disaster prevention than disaster recovery.
 
At work I am dealing with how to manage a large number (on the close order of 100) of username/password/SSH Key/PGP combinations for various servers (development, testing, and production) in a way that allows me 24/7 access in case of emergencies without compromising security.

When it comes to security I have become as nervous as one of our forebears on the African savanna hearing a rustle in the tall grasses. I know that it may just be the breeze and it may mean nothing, but our ancestors have already demonstrated the value of panicking early and often. The ones that did lived to contribute to the gene pool. In this area, false positives are a survival feature.
 
As a result I have settled upon setting up two factor authentication based on something known (a password) and something possessed (a hardware key).

Any convenient hardware key alone will typically be subject to man in the middle attacks, so to make that more difficult I was looking for something time-based like an RSA SecurID or something that generated a one-time password or OTP.

LastPass 


The first part of my solution is LastPass. LastPass is an online service that stores user names and passwords (along with other secure pieces of data). The data is stored on their servers as a single encrypted block, and that block is kept in sync with your local system. In other words, it is never encrypted or decrypted except on your local machine. Your passwords don't pass over the wire. They don't have the password; you do. All encryption and decryption is done locally (usually via a browser plugin) or a mobile application.
 
This has allowed me to change over to using automatically generated passwords that are very large and impossible for me to remember. By using LastPass I have drastically decreased the cognitive burden of keeping track of passwords. Of course, I still have to enter them into LastPass, but the browser plug-in makes that very doable. In addition, I don't have access to them when the Internet is down. Of course, if it is, most of the systems I need to connect with are inaccessible anyway.

On the plus side it has mobile apps for both the Android and iPad, and the cost for the premium package is $12 a year.
  
The key downside to this is that it puts a premium on protecting the single password for LastPass. And it is still only one factor authentication (i.e. you only need the password).

Enter the Yubikey. 

It is sold by Yubico and is a hardware key that provides two factor authentication. It is significantly slimmer (2mm) than a standard USB thumb drive and acts as a USB keyboard. It is used by inserting the key into a USB port and then pressing a button on the key, which causes it to generate a one-time password (OTP) that can then be validated against the Yubico security servers.
 
The standard keys are $25.00 apiece and can be purchased in larger numbers such as 10 for $200 or 50 for $750.
 
There are more advanced keys that do cooler things. More about the various "coolnesses" in a moment.
 
LastPass has built-in support for Yubikeys and you can register up to 5 Yubikeys with your LastPass account. That means that if for some reason you lose one of the keys, you can simply deregister it from your LastPass account and use your backup. In addition you can configure what types of systems require the Yubikey (mobile and desktop and so on) versus those that you don't want to use it on.
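To make the OTP and the key registration described above concrete, here is an added example (not from the original post, and not LastPass or Yubico code) of how a service can tell which enrolled key an OTP claims to come from before handing it to the validation servers. It assumes the factory-default Yubico OTP layout of 44 ModHex characters (a 12-character public ID followed by a 32-character encrypted part); `KeyRegistry` and its method names are hypothetical, and the sample OTP is constructed.

```python
# Structural pre-check of a Yubico-style OTP; it performs no cryptographic validation.
MODHEX = "cbdefghijklnrtuv"                      # ModHex digit i stands for hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
PUBLIC_ID_LEN, TOKEN_LEN = 12, 32                # assumed factory-default layout (44 chars)
MAX_KEYS = 5                                     # per-account limit mentioned in the post

def modhex_decode(text):
    """Decode ModHex to bytes; reject anything outside the 16-letter alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not valid ModHex")
    return bytes.fromhex(text.translate(_TO_HEX))

def split_otp(otp):
    """Return (public_id, encrypted_token_bytes) for a 44-character OTP."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN:
        raise ValueError("unexpected OTP length")
    modhex_decode(otp[:PUBLIC_ID_LEN])           # validates the static prefix
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])

class KeyRegistry:
    """Hypothetical per-account list of enrolled keys, indexed by public ID."""
    def __init__(self):
        self._keys = {}                          # public_id -> label
        self._seen = set()                       # OTP strings already accepted once

    def register(self, otp, label):
        public_id, _ = split_otp(otp)
        if public_id not in self._keys and len(self._keys) >= MAX_KEYS:
            raise ValueError("key limit reached")
        self._keys[public_id] = label

    def deregister(self, label):                 # e.g. after losing a key
        self._keys = {k: v for k, v in self._keys.items() if v != label}

    def precheck(self, otp):
        """Label of the enrolled key this OTP claims to come from, else None."""
        try:
            public_id, _ = split_otp(otp)
        except ValueError:
            return None
        otp = otp.strip().lower()
        if otp in self._seen or public_id not in self._keys:
            return None                          # replayed string or unknown key
        self._seen.add(otp)
        return self._keys[public_id]             # still needs server-side validation

# Constructed sample value, not output from a real key.
SAMPLE_OTP = "ccccccbdefgh" + "ijklnrtuvcbdefgh" * 2
```

ModHex exists because the key types its OTP as a USB keyboard: the 16 letters were chosen so that the string comes out the same under most keyboard layouts.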

I am currently using a Yubikey on my Android phone and all desktop systems, but not my venerable original iPad.
 
Using it is simple. I log into the LastPass account on my system using the browser plug-in (available for Chrome, Firefox, Safari, and IE).




After the browser plug-in has validated my local password it then asks me to enter the Yubikey one-time password.
 

I put the key into the USB port and press a button. And I am now authenticated until my LastPass authentication expires normally (I have it set differently on different systems).

For using it with my Android phone I use the NEO NFC (Near Field Communication) feature to simply hold the key to the back of my phone and it automatically brings up LastPass and asks me for my password and logs me in.

I have purchased 2 NEOs and a standard key and after two weeks I am very happy with the result. The biggest con to all of this is building the habit of always carrying my hardware key with me. But that is a small price to pay to drastically decrease my exposure to security breaches.

More on the Yubikey coolness 


The Yubikey comes in several different forms: Standard, NEO, Nano, VIP

A quick summary of what they're good for is below:


  • Standard - One-time password support and an additional "slot" for multiple configurations such as OATH. 
  • NEO - Same as the Standard with the addition of NFC to allow authentication to those mobile devices that support it. Also has other cool features that I don't yet understand.
  • Nano - Same as the Standard but ultra-tiny with additional support for the newer iPad camera docking station (This appears to be the only way to use the key with the iPad)
  • VIP - Same as Standard with additional features that allow it to be used with Symantec VIP and PayPal.


As far as software support is concerned, there are login authentication solutions for Windows and Linux (I have done nothing to test the Apple based OSes). In addition they provide an API for writing clients that connect to their services.

As a special treat for me, they publish notes on how to use the Linux PAM (Pluggable authentication module) with SSH so that the hardware key is required in order to SSH into servers.

I'm going to be trying to set that up next week.

General usability

The LastPass browser plug-ins and their integration with Yubikeys are very usable.

The only place where I have bumped up against usability is really in the documentation for the additional Yubikey integrations (such as the Linux PAM and SSH integration). They do seem intent on making it easy for third-party applications to support Yubikey authentication, so I expect that will shift over time.

Next comes the real challenge: enrolling my wife and boys into using hardware keys.