TL;DR - we’re asking all CCs to use a Yubikey (or a similar hardware security key) as the second factor on their Status Google, LastPass, and GitHub accounts.
Everyone will be using 2FA on their accounts; we’d like to step up security by making a hardware key the second authentication factor. Please obtain a Yubikey and enrol it on your Status accounts by the end of July 2019.
Getting a Yubikey
- Buy online here
- Find a local reseller here
- If you don’t manage to find a Yubikey, ping @ceri
- If you have a Yubikey and want to check it’s genuine, check here
Add your Yubikey as a second factor, and remove SMS as a 2FA method, using the following guides:
- This note from Corey has more info on which Yubikey to purchase.
- Why do this? - https://www.csoonline.com/article/3399858/phishing-attacks-that-bypass-2-factor-authentication-are-now-easier-to-execute.html
- More about sim swapping - https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d
- More about modern 2FA and how it should be used - https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/
Are you saying that we should switch off app authentication?
- App authentication (e.g. Google Authenticator) is fine, but a Yubikey is preferable where available: a one-time code from an app can be phished and relayed to the real site, whereas a hardware key’s response is bound to the site it is actually used on. As a minimum, we’re asking you to use a Yubikey on your Google, LastPass, and GitHub accounts. You can use it for additional accounts if you wish.
- You should never use SMS as a second factor, because of the risk of SIM swapping attacks.
- Note: Google Fi is not currently exposed to carrier SIM swapping, because control of a Fi number goes through your Google account rather than a carrier; that puts even more weight on the security of your Google account.
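The difference between an app code and a hardware key, shown as a small simulation. This is an added example, not part of the original note or of any Yubico software: the TOTP half is the real RFC 6238 computation an authenticator app performs, while the hardware-key half is a stand-in that uses per-origin HMAC keys instead of the ECDSA key pairs a real U2F/FIDO2 key holds, so it runs without a crypto library. The origins, the device secret, the challenge and the user name are all constructed.

```python
import hashlib
import hmac
import struct


# ---- TOTP (RFC 6238): what an authenticator app computes -------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the current 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site checks the submitted code against the current window
    (no clock-drift tolerance here, for brevity)."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def totp_phishing_relay() -> bool:
    """The victim types the code into a phishing page; the attacker forwards
    it to the real site within the same window. Nothing ties the code to the
    page it was typed on, so the real site accepts it."""
    shared_secret = b"12345678901234567890"   # constructed enrolment secret
    now = 1_560_000_000                       # constructed timestamp
    code_typed_into_phishing_page = totp(shared_secret, now)
    return totp_server_accepts(shared_secret, code_typed_into_phishing_page, now)


# ---- Hardware key stand-in: origin-bound responses --------------------------
class HardwareKey:
    """Stand-in for a U2F/FIDO2 authenticator. A real key keeps a separate
    ECDSA key pair per site; this simulation derives a per-origin HMAC key
    from a device secret instead. The property shown, origin binding, is the
    same: the signed data includes the origin the browser is really on."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret

    def _site_key(self, origin: str) -> bytes:
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # The relying party stores this as the credential's "public key".
        return self._site_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # `origin` is supplied by the browser, not by the web page: the key
        # signs the origin it is actually being used on plus the challenge.
        return hmac.new(self._site_key(origin), origin.encode() + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """The real site. It only ever verifies against its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}

    def register(self, user: str, key: HardwareKey) -> None:
        self.credentials[user] = key.register(self.origin)

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.credentials[user], self.origin.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


REAL_ORIGIN = "https://accounts.example.com"                 # constructed
PHISHING_ORIGIN = "https://accounts-example.com.evil.test"   # constructed


def _enrolled() -> tuple:
    site = RelyingParty(REAL_ORIGIN)
    key = HardwareKey(b"constructed-device-secret")
    site.register("alice", key)
    return site, key


def legitimate_login() -> bool:
    """Browser is on the real origin: the response verifies."""
    site, key = _enrolled()
    challenge = b"server-random-challenge"
    return site.verify("alice", challenge, key.sign(REAL_ORIGIN, challenge))


def phished_login() -> bool:
    """The attacker's proxy relays the real site's challenge to the victim,
    but the victim's browser is on the phishing origin and passes that origin
    to the key, so the relayed response fails verification at the real site."""
    site, key = _enrolled()
    challenge = b"server-random-challenge"
    return site.verify("alice", challenge, key.sign(PHISHING_ORIGIN, challenge))


if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", totp_phishing_relay())
    print("Hardware key, genuine site accepted:       ", legitimate_login())
    print("Hardware key, phished response accepted:   ", phished_login())
```

The TOTP relay succeeds, the hardware-key relay fails; that is the whole reason the note prefers a Yubikey over an authenticator app, and why SMS, which carries the same relayable code plus the SIM-swap exposure, is ruled out entirely.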
Will this cause an issue of people getting locked out of accounts? What happens if Yubikeys are lost?
- Please review your security settings to ensure you’ve registered a backup option, e.g. printing or writing down backup codes and storing them securely, or registering a second hardware key where the service allows it.
- In case you get locked out of an account, please ping People Ops.
Does it have to be a Yubikey?
- Not necessarily. If you have an alternative hardware authentication key you prefer, please let [email protected] know and we can validate whether it meets the necessary specs.
Can I expense my Yubikey?
- Yes, please submit it through Expensify. Anything more expensive than a standard Yubikey (~$45) should be run by People Ops in advance.
I have other questions
- Drop by #security-helpdesk for support.