The Uneven World of Two-Factor Authentication

I’d like to say I began to adopt two-factor authentication pretty early. I’ve had it enabled for Google for a long time, I jumped on it when Amazon and Dropbox made it available, I enjoy it on several of my banking accounts, of course.

At work, I got a Yubikey a few months ago, a hardware token that is used in combination with a password. It’s the “have” part of the “something you know, something you have, and something you are” philosophy of protecting secrets. A fingerprint or iris scan would be “something you are.”

With all of the recent hacks and ransomware attacks, I decided to beef up security at home as well. I ordered two Yubikeys, a primary one and one to lock away as a backup. As primary Yubikey I chose the Yubikey NEO, which has NFC and can be used with a phone. As backup, I chose the cheap Yubikey FIDO U2F key.

Unfortunately, the results are a mixed bag.

Yubikey for LastPass requires LastPass Premium ($12 a year, plus taxes). I signed up, then found out that LastPass Premium does not seem to support the cheap Yubikey FIDO U2F key. So I couldn’t use that one as a backup for LastPass.

KeePass on Windows has a plug-in that allows a Yubikey to provide one-time pads (OTPs). Again, this doesn’t work on the cheapest key. Also, it’s a bit cumbersome, since it requires at least three presses of the Yubikey button, for three separate OTPs. Initially, I had also configured this for 2nd slot on the Yubikey, which meant I had to hold the button for three seconds, three times (the 2nd slot is triggered by a 3-second press; the first slot is triggered by a simple press of the button).

I also used KeePassDroid on my phone, and that app plain and simply does not support OTPs at all. I could have programmed the NEO for a static password, though.

There is a newer app, KeePass2Android, that does apparently support getting OTPs from a Yubikey NEO, but I haven’t tried it yet.

LastPass on Android does support the NEO, but with NFC, you cannot switch which slot is going to be used. By default, it’s always slot 1. That means I can’t use NFC for both LastPass and KeePass2Android, because both would be using the same slot, and that doesn’t work.

So, I have hardware two-factor authentication in a bunch of places now, but I’m not sure I’ve added that much security. I strengthened some of my most important passwords, though. Maybe that “something you know” part is still most important after all.


About Mathias

Software development engineer. Principal developer of DrJava. Recent Ph.D. graduate from the Department of Computer Science at Rice University.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply