I’ve been reading a lot of cyber-thriller novels recently, particularly the ones that involve security, malware, and cyber warfare. Even though the books I’ve read are fictional in nature, it does escape the mind that some of the storylines in these books actually exists and is already happening today. And if not, with the speed of technological advancement today, it’s only going to be a matter of time until we find these advancements misused by malicious hackers/actors, state-sponsored cyber warfare divisions, or even the technologically-advanced drug and online gambling cartel (ala Victor Bandeira’s Nosso Lugar in Rogue Code).
With these possibilities in mind, and looking forward in what could possibly lie ahead, I figured I’ll get smart and get Yubico’s Yubikey NEO. It’s not a security panacea by all means, but I don’t think it’s just security theatre either. I think these security keys add value not just in securing my personal online assets, but also in securing any digital assets at work.
I won’t highlight its features in this post as Yubico’s website above covers pretty much all there is to know about the Yubikey NEO. But I’ll point what I’m using it for below:
- PGP/GnuPG, as well as an SSH keystore.
- As a security key for sites like Google and Fastmail.
- Static password store.
There are also other features that I might be able to take advantage of but it’s not urgent for me at the moment. Those four are the major ones, and the ones that I’ve implemented/executed thus far.
As a PGP/GnuPG and SSH keystore, I’ve followed this excellent article. In fact, that will take you a long way in maximising your Yubikey especially if you use GPG and SSH in your day-to-day tasks (I do as a developer).
I’ve also replaced Google Authenticator with the Yubico Authenticator. The main difference is that Yubico’s authenticator, with the help of the Yubikey, generates the OTP on the key itself, rather than on your mobile phone. If there’s a malware on your phone targeting Google’s Authenticator, for example, there’s a possibility that the tokens generated by Google Authenticator may have been tampered with.
This only works in Google Chrome at the moment, but another great feature is the ability to plug-in the key to my USB port, tap the key, and get authenticated by sites like GMail and Fastmail. This helps with the non-repudiation of authorized access to these sites.
Lastly, the Yubikey also supports and can store a static password for up to 38 characters long. I haven’t used this feature myself but I can think of use-cases such as machine logins, and password manager logins with the help on a very long static password. Simply tap the key for three (3) seconds or longer and it will paste the key in the in-focus input field in your laptop or desktop computer.
In conclusion, the Yubikey does add value to securing your digital assets online, whether they be your email, bank, shopping site, having a yubikey as an extra line of defense against an increasingly dangerous web is truly worth the time and effort I’ve put into it.