Usability Study of Yubikeys

In the YouTube video below, Joshua Reynolds presents at the IEEE Symposium on Security and Privacy on two usability studies he and his co-authors conducted on configuring and using Yubico's Yubikey two-factor authentication security keys.

The full usability study (Reynolds et al., "A Tale of Two Studies: The Best and Worst of YubiKey Usability", IEEE S&P 2018) can be found on the IEEE website. From the study's abstract,

Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys: small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.

Yubikey 4C Nano

I have Yubico’s FIDO key enabled on all the accounts I have that utilize it. I have two primary laptops I use most days, and I bought Yubikey 4 Nano keys for both of those.

But I ran into a bit of a problem when I decided to add a Chromebook as a secure, ultraportable device. I ended up buying an ASUS Chromebook that only had USB-C ports.

Fortunately, Yubico recently released a USB-C version of the Yubikey 4 Nano. It's a bit expensive at $60, but it has a very low profile on the Chromebook and works without any issues.


My Nintendo Account Is Now Safer Than My Bank Account

On September 22, 2017, Nintendo released two-factor authentication for Nintendo accounts. The system uses the same time-based one-time password (TOTP) scheme as Google Authenticator, so any compatible authenticator app works with it, including the LastPass Authenticator, which is what I generally use.

So at this point, my Nintendo account is more secure than my bank account. My bank doesn’t offer any form of routine 2FA, despite me constantly harassing them about adding it.

And really, even code-based 2FA isn't good enough when it comes to banking: a one-time code can be phished and relayed to the real site within its validity window, whereas a U2F key signs the requesting site's origin into its response, so a lookalike site ends up with a response the real site will reject. There's no reason banks and credit unions shouldn't offer their customers the option of using U2F.

Google Authenticator Plugin for WordPress

Google Authenticator is a plugin for self-hosted WordPress installs that lets you require a one-time code from the Google Authenticator app (or any other TOTP-compatible authenticator) in addition to your password for access to WordPress.

I'm currently using it on this blog and have to enter a numerical code from the Google Authenticator on my phone every time I log in to the admin area. The setup was trivial and it has worked like a charm.

The only drawback is that this renders your blog inaccessible from programs that are not set up to prompt you for a Google Authenticator code, such as the WordPress mobile apps for iOS and Android.

Man In The Middle Attacks Target World of Warcraft Accounts

As I mentioned previously, my World of Warcraft account got hacked back in February 2010. One of the things I did after wiping my computer and recovering my account was to add a Battle.net authenticator to my account to add two-factor authentication. But, of course, even two-factor authentication won't stop a man-in-the-middle attack, and apparently just such an exploit appeared in the wild targeted at World of Warcraft accounts.

To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
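As an added example that is not part of the original post (and not code from Blizzard, Google, Nintendo or the WordPress plugin), the following Python implements the RFC 6238 TOTP scheme that Google Authenticator-compatible apps use (the Nintendo and WordPress setups above), then plays out the relay described in the quote: a captured one-time code submitted by the attacker a few seconds later is accepted by a server that allows the usual clock-skew window, while a U2F-style assertion that signs over the site origin is rejected when it was produced for a different origin. The secret is the published RFC 4226/6238 test-vector key; the origins, challenge and per-credential key are constructed, and an HMAC stands in for the authenticator's ECDSA signature (real U2F uses a per-credential key pair, but the origin-binding check works the same way).

```python
"""Added example: RFC 6238 TOTP generation/verification and two replays of a
captured second factor. Not code from any product named on this page.

- The TOTP secret is the RFC 4226 / RFC 6238 test-vector key.
- The U2F part uses HMAC(cred_key, challenge || origin) as a stand-in for the
  authenticator's ECDSA signature; the origin-binding check is the same idea.
- Origins, challenge and credential key below are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # ASCII key from the RFC test vectors
STEP = 30                               # time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock skew,
    which is the common deployment default and is exactly what gives a relayed
    code its grace period."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def relay_totp(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """Attacker captures the code the victim typed at `captured_at` and submits it
    to the real service at `replayed_at`. Returns whether the server accepts it."""
    stolen = totp(secret, captured_at)
    return verify_totp(secret, stolen, replayed_at)


# --- U2F-style origin-bound assertion (HMAC stands in for the ECDSA signature) ---

def u2f_assert(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator signs the server challenge together with the origin the browser
    reports. A phishing page cannot make the browser report the real site's origin."""
    return hmac.new(cred_key, challenge + origin.encode(), hashlib.sha256).digest()


def u2f_verify(cred_key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """Relying party recomputes over ITS OWN origin; an assertion made for another
    origin does not verify."""
    return hmac.compare_digest(u2f_assert(cred_key, challenge, expected_origin), sig)


def relay_u2f(cred_key: bytes, challenge: bytes, phish_origin: str, real_origin: str) -> bool:
    """MITM forwards the real challenge to the victim on the phishing origin and relays
    the resulting assertion to the real site. Returns whether it is accepted."""
    relayed = u2f_assert(cred_key, challenge, phish_origin)
    return u2f_verify(cred_key, challenge, real_origin, relayed)


if __name__ == "__main__":
    print("TOTP at T=59 (RFC 6238 test vector):", totp(TEST_SECRET, 59))
    print("Captured code relayed 10 s later accepted:", relay_totp(TEST_SECRET, 59, 69))
    print("Captured code relayed 91 s later accepted:", relay_totp(TEST_SECRET, 59, 150))
    key = hashlib.sha256(b"constructed per-credential key").digest()   # constructed
    chal = b"constructed-server-challenge"                              # constructed
    print("U2F assertion relayed from phishing origin accepted:",
          relay_u2f(key, chal, "https://battle-net.example", "https://battle.net"))
    print("Live code for the test secret right now:", totp(TEST_SECRET, int(time.time())))
```

Two caveats a practitioner should keep in mind. First, the relay only fails for U2F because the browser, not the page, reports the origin; if the attacker's code runs on the victim's machine with enough privilege to talk to the key directly or to ride the already-authenticated game session, origin binding does not help, which is why the author's conclusion about a compromised computer still stands. Second, the skew window in `verify_totp` is a trade-off: a larger window helps users with drifting clocks and also lengthens the time a captured code stays usable, so servers should also refuse to accept the same code twice.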

Man-in-the-middle attacks aren't anything new, but what I do find fascinating is that World of Warcraft has become so popular that there are attacks that target just it. There are apparently, for example, viruses that lurk in your system and are extremely difficult to detect except when the World of Warcraft client is launched.

In my case, someone who managed to compromise my computer could have accessed any number of accounts that could have cost me a lot more than just the small amount of gold I lost from my WoW account. That a major focus of some folks is virtual heists from a game is yet more proof that we’re all living in a science fiction novel.