I am always looking for ways to improve my online security. I had briefly looked into hardware security keys for a few times but wasn’t sure if I needed one. After receiving a discount from Github’s Student Developer Pack, I decided to buy a Yubikey NEO and see if I can integrate it into my workflow. It turned out that I really enjoyed the process of setting it up and it improved various aspects of my security solution.
I use the command-line password manager
pass. It encrypts passwords
gpg and integrates with
git for history and syncing. Following this
guide on key management, my
gpg master key is stored offline, and an
encryption subkey, protected by a strong passphrase, is copied onto both my
desktop and laptop. On the rare occasion that I need to access a password on my
phone, I use an app to
ssh into my desktop, type out the complicated
passphrase, and manually copy the output of
pass. I also use Google
Authenticator for 2-factor authentication (2fa) on a number of sites.
I use three distinct functionalities of the Yubikey NEO.
I use the U2F protocol for the few sites that support it (e.g. Google and Github). This means that instead of using a dynamic code generated by Google Authenticator as the second factor during the login process, I simply plug in the Yubikey and tap the gold plate. It is super easy to set up.
For the rest of the sites that I used Google Authenticator for, I now use Yubico Authenticator with TOTP secrets stored in the NEO’s OATH applet. Everytime I need a two-factor code, I tap the NEO on the back of my phone (NFC-enabled), and Yubico Authenticator pops up with a set of codes. This has the major advantage that I don’t need to reconfigure 2fa for every site every time I switch to a new phone. It’s also more secure to not store the secrets on a connected device.
For my password manager, I now store a set of
gpg subkeys in the NEO
and use the Yubikey as an OpenPGP smartcard. This means that I don’t need to
copy my encryption subkey onto multiple computers anymore; it always lives
inside the Yubikey, which I always carry with me. In fact, the
signing/encryption operations are performed by the Yubikey itself, so the
secret keys are never even transferred into computer memory. I also found
out that the Android OpenKeychain app supports NFC smartcards, and
it works beautifully together with Password Store (an Android
pass) so I can now have a local copy of my password manager
on my phone and decrypt passwords when needed by tapping the NEO on the back. I
like how this is both more secure and more convenient than my previous