
I honestly don't understand how a YubiKey is supposed to help me secure my accounts if I get locked out of my accounts when I lose it. I can trivially copy a keepass database anywhere and have dozens of backups. If I want to do the same with a YubiKey I first have to buy multiple YubiKeys and then I have to register each one on each site. This means they cannot be used as a primary authentication method because they always require a fallback option in case you want to reset your credentials because you lost your YubiKey. If I can't use the YubiKey to secure my E-Mail account then what's the point? I'll still need to use password based login and store that E-Mail password in a conventional password manager that I then backup a dozen times.

YubiKeys only seem to make sense in a corporate environment where you can always request a new YubiKey and reregister it based on your ID.



Well, if you have multiple yubikeys on each site, then it can be used as a primary authentication method - because if you lose yubikey A, then the emergency fallback is yubikey B which you can use to revoke the access of yubikey A and add yubikey C instead.

Or, you have a set of one-time codes for recovery. I have accounts with a lot of sites, and all the sites that support proper U2F did have one-time recovery code option, because that's the fallback system that makes a lot of sense together with hardware tokens. Yes, the sites that support only things like phone-based OTP usually don't bother, since their risk model anyway puts all the trust in the phone so they usually just have a phone-based fallback, e.g. SMS with all the security risks related to that.

Or, you initialize two yubikeys so that they're identical; so you use your primary key and store the backup key somewhere safely, this doesn't require you to register multiple keys at each site, so it's a bit more convenient but it makes revoking a lost key a much bigger pain.


I used to have a pile of yubikeys like this (yubikey A, B, C) then I replaced them all with one OnlyKey. Each Yubikey only has 2 slots, each OnlyKey has 24 and it has a secure backup feature.


A lot of services, like GSuite and LastPass, allow you to register multiple hardware keys. The best bet is to register several of them with these sites, then put one or two offsite (e.g. in a safety deposit box) just in case.

Then, use GSuite to sign into other services (like Slack) wherever supported to minimize how often you need to do this.


Use TOTP (like Google Authenticator) as a backup method as well. It's helpful for scenarios like having to log in on a phone.


Is Google Authenticator tied to your smartphone, to your account, or a combination of both? Can you transfer it to another smartphone? Is it being backed up automatically?

We're amongst a very technologically educated part of the population here, and honestly, I'm not sure about the scope of Google Authenticator. Quite sure that many aren't.


Google Authenticator implements TOTP, which is actually a very simple standard: https://pthree.org/2014/04/15/time-based-one-time-passwords-...

If you can extract the private key, you can transfer it to another phone or device.

On Android, AndOTP is open source (available on F-Droid) and allows encrypted backups. As for Google Authenticator, I don't think you can create backups.


With Authy, a Google Authenticator, on iOS the codes are backed up in iCloud and protected with a pass code. I’m not sure whether the pass code is used to actually encrypt things or just as a soft lock.


FYI OnlyKey already supports TOTP for up to 24 accounts. No apps required; OnlyKey types the 6-digit code for you.


You need it for when you lose the key.


How does it know which OTP to type?


You load the login data to your key using the app, press a button on your OnlyKey and it types any or all of the following:
- URL to login page
- Username
- Password
- TOTP

To watch setup videos see https://onlykey.io/watch


The way two factor auth works is that you register your hardware key and you also get 10 one-time-usage recovery codes which you can use instead.

So, if you lose your YubiKey, you can still login 10 times using a recovery code. Presumably during those 10 times you either disable 2FA or register a new YubiKey.


I guess those recovery codes are the new security questions - yes theoretically they are there to recover your account, but in practice, you won't have them at hand unless you stored them in your password manager.


The whole idea of having a hardware token is to separate what's at hand. Having the recovery codes in the password manager seems like a bad idea. Google recommends printing them.


...oh yes, having your passwords printed out is such a great improvement. Considering how likely the "hacker" is to be a person sharing your household, you might as well put them on a post-it note and stick them to the screen.

Recovery codes go straight into the password manager, right next to my mother's maiden name, ASuTeil7quoongak2aeniVar.


Nonsense, the household hacker can also find your YubiKey. Much easier than a single piece of paper.


...there are other 2fa methods that don't disable at least one "personal" factors, whether that's a password or using finger/face/whatever. Not that great against cops, but stands a chance against many abusers, recent exes and terrible flatmates. And the yubikey is, theoretically, worn on you. Are you going to carry around all the printouts?


I'm having a hard time figuring out what kind of scenarios you are securing against.

The recovery code, just like the hardware 2fa, does not work unless you know the password. So you want to secure against people that live with you, know your password and from whom you cannot hide anything anywhere?

The printout is the size of a business card. You could put it in your Bible as a bookmark and nobody would find them. Or if you want you could rot13 them or something basic so they can't be used as-is.

Actually, what are you suggesting instead? I'm genuinely curious what flawless solution you found.


The 2fa has to provide something more than a password to be worthwhile. If it's easily defeated by going through my copy of Capital then it's not worthwhile. Finally, I don't have a single set of recovery codes, I have at least a dozen by now. By using recovery codes you've turned a somewhat harsh but sometimes-useful security scheme (for situations where loss of access is preferable to 3rd party access) into security theatre. Not that it matters, most services will "restore access" if you answer questions not just your flatmates but even an average doxxer will be able to find out.

Also no, you're not genuinely curious, you're trying to waste someone else's time.


But nobody is forcing you to print or use your security codes. If you ignore them and your hardware key is broken/lost you are forever locked out. Which you mention is preferable, sometimes.

So, you are against things. What are you for?


It's still a little better than security questions in that the layman's recovery codes won't be publicly available or easily guessable personal information.


All depending on the discretion of the various services. Of all the services that force me to use 2FA only a tiny minority provides recovery codes.


What services allow U2F security keys but don't provide single-use recovery codes as backup?


I don't know about U2F specifically, but recovery codes are not generally a feature of 2FA.

Edit: And let me just add why I think this is relevant. Even though few people have dedicated hardware keys today, many 2FA schemes depend on being in possession of a particular phone. There are typically no backups and no recovery codes.

I don't think this would necessarily change if specialised key hardware was used more often. In fact, my business bank account and a broker I previously used both require hardware keys and do not provide recovery codes.


I assume your bank has a physical place you can go to in order to get another token and you have a proper business relationship with them and somebody will ID you.

But many other sites have no other alternatives to recover so the recovery codes are a nice solution.

Note that I dislike that my bank gives me their specific hardware token. I am not sure why I couldn't use a 'standard' Yubikey instead.


how many keys to your home have you got? if you rent, how many keys does your landlord have?

home keys and yubikeys are both hardware keys and same rules apply - you absolutely should have more than one.


Good insight. Same goes for 2FA in general. If you lose the "second factor", you're done for, unless there's some backup. My bank pushes a phone-app-based authentication method that doesn't have any recovery or backup options outside of visiting a branch office. That's pretty secure in case of scams or theft, but I reinstalled my phone without thinking this autumn and got locked out of my bank account for months this winter.


This backup you speak of is also a feature of OnlyKey. By using a passphrase you can securely backup your OnlyKey. If you lose the key you can just restore from backup to a new key using the secure backup. With OnlyKey you don't have to worry about getting locked out if you lose your key.


You set one up with backup methods (backup key, TOTP and single-use codes) to avoid getting locked out. You can still get into accounts fine if the key is gone because of the backup methods, you just lose the extra layer of phishing protection.


> I honestly don't understand how a YubiKey is supposed to help me secure my accounts if I get locked out of my accounts when I lose it.

The same way physical keys protect your home even when you lose them - you have spare keys for that event.


What do you do when you lose your house key or car key?


Pay someone to crack the security.

How much would it cost to pay someone to "break open" my GMail account if I lost access to all my second factors? I'm guessing more than the ~$150 a locksmith would charge me to break into my house. Probably a number of zeroes at the end more.


I don't think Google charges anything as long as you can prove you're the owner.

But even in the physical world, how often do you lose your house or car keys? I can't remember if I've ever lost them for good and had to pay a locksmith. It just doesn't happen. I do have a spare of each key (or another type of key like a garage door opener) in case it does happen. Why does everyone bring up the problem of lost keys when it comes to computers? It's not that big of a deal. I know I've lost or forgotten far more passwords than I have physical keys over the course of my life. Am I that different from the average person?



