Saturday, September 11, 2021

Yubikey - Adding security key to your account

This post is focused on adding your Yubikey as a hardware token / security key to your account.  It does not cover setting up other options.  If you are looking to set up Yubico Authenticator, check out my other post ( https://bigboystoys13.blogspot.com/2021/09/yubikey-using-yubico-authenticator.html ).  If you don't have a Yubikey yet, you might want to check out this post instead ( https://bigboystoys13.blogspot.com/2021/09/yubikeys-quick-review.html ).

Before you start setting up accounts:

- Make a list of the accounts you want to set up multi-factor authentication (MFA) on.  It helps to keep track in case you lose your Yubikey or need to add a backup.
- If you have more than one hardware token, have them all ready.
- Give each key a unique nickname, in case you need to remove/disable it later.  If the devices have different colors or are different models, that makes it easy.  If you have two of the same device, maybe use part of the serial # or use stickers to tell them apart.  The nickname can be based on where you store it (Safe, Keychain), whatever makes sense to you even a year or two later.

Steps to set up the hardware tokens.  These basic steps work with many services ( Google, Microsoft, Facebook, Twitter, and Yahoo for example ).

1) Go into your account settings and then security settings.  Here are some sample steps for various sites:

- Google: From Gmail, click your icon in the top right and choose "Manage your Google Account".  In there click "Security" and go to "2-Step Verification".
- Microsoft: From www.microsoft.com, click your icon in the top right and then choose "My Microsoft Account".  Then click "Security" and "additional security options".
- Facebook: Go to the "Settings & Privacy" menu in the top right, then "Settings".  Next go to "Security and Login" and look for the "Two-Factor Authentication" section.

If you can't find the option, search the support/help area of the site or contact the site's support.

2) Find the option to add a security key / add a new way to sign in and add your token.  Do this with each token you have.

3) Look at other backup options, especially if you only have one key.  Examples:

- Authenticator app: There are many options - Google and Microsoft each have one, Yubico has its own, and many others are out there.  This is a good option, but remember that if you lose your phone you lose the app with it.  If you plan to keep your key with you that is a problem (since you could lose both items at the same time), but if you plan to keep the token in a safe, using an authenticator app on your phone might be ok.  You could set up Yubico Authenticator on your Yubikey, but the whole point is that you want a backup in case you lose the Yubikey.  Yubico Authenticator on a token isn't a backup if it is on the same exact token.

- Backup codes: One-time-use codes that you can put somewhere, maybe print them and put them in a safe.  However, don't put them in the same safe where you keep a spare Yubikey.

4) This might be a good time to disable SMS/text messages/voice calls as an option.  If you Google search "is SMS MFA secure" you will see many articles addressing issues with SMS, and since you now have a hardware token as a better option, you might as well get rid of the weaker link.  If you felt SMS was good enough, you probably wouldn't be using or researching a hardware token.
