[Core Contributors] Please use a Yubikey for 2FA

core-contributors
security
yubikey
2fa

#1

TL;DR - we’re asking all CCs to use a Yubikey (or other similar hardware security key) as 2FA on their Status Google, LastPass, and GitHub accounts.

Background

All of you will be using 2FA on your accounts. We’d like to step up security and use hardware as the second authentication method. As such, please obtain and use a Yubikey to secure your Status accounts by end of July 2019.

Getting a Yubikey

  • Buy online here
  • Find a local reseller here
  • If you don’t manage to find a Yubikey, ping @ceri
  • If you have a Yubikey and want to check it’s genuine, check here

Which accounts?

Add your Yubikey as 2FA, and remove SMS, using the following guides:

More info

FAQ

Are you saying that we should switch off app authentication?

  • App authentication (e.g. Google Authenticator) is fine, but Yubikey is preferable where available. As a minimum, we’re asking you to use Yubikey on your Google, LP, and GH accounts. You can use it for additional accounts if you wish.
  • You should never use SMS as a second form of authentication, due to the risk of SIM swapping attack.
    • Note: Google Fi is exempt from SIM swapping for now, but that puts the pressure on your Google account security.

Will this cause an issue of people getting locked out of accounts? What happens if Yubikeys are lost?

  • Please review your security settings to ensure you’ve registered a backup option, e.g. writing down backup codes on paper and storing them securely.
  • In case you get locked out of an account, please ping People Ops.

Does it have to be a Yubikey?

  • Not necessarily, if you have an alternative preferred hardware key for authentication, please let [email protected] know and we can validate if it meets the necessary specs.

Can I expense my Yubikey?

  • Yes, please submit it through Expensify. Anything more expensive than a standard Yubikey (~$45) should be run by People Ops in advance.

I have other questions

  • Drop by #security-helpdesk for support.

Thanks!


#2

This despite recent issues? https://www.google.com/amp/s/www.theregister.co.uk/AMP/2018/06/18/yubico_webusb_google_bounty/ (also https://www.google.com/amp/s/www.howtogeek.com/425037/hardware-security-keys-keep-getting-recalled-are-they-safe/amp)


#3

FWIW, both Ledger and Trezor can be used as U2F hardware keys - if you have a spare one lying around, that should work in a similar way (? ping @petty).

It’s slightly quirky though because you have to log in to it with a PIN; yubi might be more convenient.


#4

Yes, despite these issues. Don’t get a FIPS series key, and the issue with poor communication on the bug bounty isn’t something I’m concerned with here.

Whether we use a hardware device and where we stand on a muddy issue like that are two very different things. If a CC has any personal issue and would prefer not to use Yubikey, then let me know what they would prefer to use and it can be cleared.

Once again, the main point is using a hardware token that requires physical access by the bearer in order to access our most valuable resources.


#5

Both of these options do work, but do you want to be carrying around your hardware wallet that much?


#6

Well, not too different from carrying around a yubikey, assuming it’s a spare one.

There’s an analogue here that’s bothering me a bit though: with 2FA and TOTP becoming popular, my phone is becoming an authentication hub for all kinds of things, and losing it would be a mess that I actually have to think about in a way I haven’t had to before. Overloading a hardware wallet to perform different functions (economy / authentication / identity / kitties) is similar. Having to plan recovery is a bother.


#7

If that cold wallet has funds on it, then it is VERY different.

Yes, recovery of these 2FA devices is somewhat of a hassle, always print out one-time codes for login where you can.


#8

How to remove your phone as your 2FA in Google: https://notes.status.im/security-guide-remove-phone-from-google-account


#9

I tried to add Yubikey to my Status LastPass account but got this error message:

“This multifactor option requires LastPass Premium. Upgrade now”


#10

This is due to our license expiry - should be fixed once renewed, will let you know when that happens!