Saturday, October 10, 2015

Adding More Protection Using Yubico Key

Last week, I saw an interesting offer from GitHub, partnering with Yubico, for a discounted price on Yubico products, available just by verifying via GitHub. These are the deals:
  • While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
  • After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
  • In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.
I have had 2FA (Two Factor Authentication) enabled on my email accounts for some time, but I had also been interested in Yubico products for a long time, so I decided to take this chance to buy one. It was surprisingly shocking to see that the shipping was way more expensive than the product itself (they use DHL Express), but in the end I bought it anyway. I kind of regret it, because I should have bought more items considering I'm paying the same price for shipping and handling. In short, 3 days later the item arrived at my home after a long journey via the UK, Germany, Singapore and Jakarta, and finally to my hometown, Jogja. I never expected it to be so small, and there was only a single sheet of paper, the invoice, that came along with it.

I plugged the device into my USB port and my Slackware detected it properly. This is the output in dmesg:
usb 2-8: USB disconnect, device number 4
usb 2-8: new full-speed USB device number 5 using ohci-pci
usb 2-8: New USB device found, idVendor=1050, idProduct=0120
usb 2-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-8: Product: Security Key by Yubico
usb 2-8: Manufacturer: Yubico
hid-generic 0003:1050:0120.0005: hiddev0,hidraw3: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:04.0-8/input0
Next, I tried to activate 2FA in GitHub. GitHub provides two methods: application or SMS. I chose the application, which is Google Authenticator. It's available on Google Play (Android) or the Apple App Store (iOS). After 2FA was activated, I tried to register my new device, but I ended up with an error. I tried to follow all the steps carefully, but I couldn't get it done. I also tried to register it on GMail and it failed there too. After trying for some time, I decided to stop for a while and get some rest (it was past midnight).

This weekend (Saturday), after pushing the public update for the SBo project, I booted into Windows and tried the same thing: registering the device in GitHub and GMail. It all worked without any problem.

So I searched Google for more references and found some interesting articles about udev rules for this Yubico key. There are two different articles about these rules and I tried applying them all, but that failed too, until this evening, when I found a discussion on the ArchLinux forum. It gave me an idea about the rules; I finally applied the changes and, voila, it's now working properly on my Linux machine.

So the problem is all about permissions. I confirmed it by creating a Slackware package for libu2f-host (submitted to SBo as well) and testing the C-based API library. First, I tried using a normal account and it failed because it couldn't find the device. Next I tried with the root account and it worked fine. I got the results I expected, so I guess it's just a matter of permissions. To solve it, make a new file called 90-yubikey.rules, placed at /etc/udev/rules.d/90-yubikey.rules, with this content:
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

ACTION=="add|change", SUBSYSTEM=="hidraw", \
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", \
  MODE="0660", GROUP="plugdev"
and run udevadm trigger. You need to make sure your device's idProduct is listed in the rules file. See the "New USB device found" line in the dmesg output above (idVendor=1050, idProduct=0120): that's how you get the idVendor and idProduct values. With this in place, the new device is activated and ready to be used.
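As an added example (not part of the original post, and not a Yubico or libu2f-host tool), here is a small POSIX shell script that turns the checks above into something repeatable: it pulls idVendor/idProduct out of the dmesg line, verifies that the rules file actually lists that idProduct, and reports whether the current user can open the Yubico hidraw node. The /sys/class/hidraw layout, the plugdev group membership check and the --audit switch are assumptions matching the rules file shown.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the permission
# problem described above. /sys/class/hidraw layout, the plugdev group and
# the --audit switch are assumptions matching the rules file shown.

# Extract "idVendor:idProduct" from a dmesg "New USB device found" line;
# prints nothing for lines that carry no ids.
usb_ids_from_dmesg() {
    printf '%s\n' "$1" |
        sed -n 's/.*idVendor=\([0-9a-fA-F]*\), *idProduct=\([0-9a-fA-F]*\).*/\1:\2/p'
}

# Exit 0 if the udev rules file ($1) matches idVendor $2 and lists
# idProduct $3 inside its "a|b|c" alternation, else exit 1.
rules_cover_device() {
    rules="$1" vendor="$2" product="$3"
    grep -qF "ATTRS{idVendor}==\"$vendor\"" "$rules" || return 1
    sed -n 's/.*ATTRS{idProduct}=="\([^"]*\)".*/\1/p' "$rules" |
        tr '|' '\n' | grep -qx "$product"
}

# Print "ok" if the caller can read and write the device node $1, else "denied".
node_access() {
    if [ -r "$1" ] && [ -w "$1" ]; then echo ok; else echo denied; fi
}

# Walk /dev/hidraw*, keep Yubico nodes (vendor 1050 in the kernel's
# HID_ID=bus:vendor:product), and report mode, group and our own access.
audit_hidraw_nodes() {
    for node in /dev/hidraw*; do
        [ -e "$node" ] || continue
        hid_id=$(sed -n 's/^HID_ID=//p' "/sys/class/hidraw/${node#/dev/}/device/uevent" 2>/dev/null)
        case "$hid_id" in
            *:00001050:*) ;;
            *) continue ;;
        esac
        printf '%s HID_ID=%s mode/group=%s access=%s\n' "$node" "$hid_id" \
            "$(stat -c '%a %G' "$node")" "$(node_access "$node")"
    done
    # MODE="0660", GROUP="plugdev" only helps users who are members of that group.
    id -nG | tr ' ' '\n' | grep -qx plugdev ||
        echo "note: $(id -un) is not in group plugdev"
}

# Run the audit only when invoked with --audit, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_hidraw_nodes
fi
```

Run it as a normal user before and after udevadm trigger: "denied" before and "ok" after is exactly the permission problem the post describes.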

Here are some screenshots of logging in to GMail and GitHub after the new setting is used:

They provide fallback alternatives just in case you forget to bring your device. Please make sure you have the backup recovery codes ready in case all alternatives fail.

I wish Yubico could add Firefox to the supported browsers soon, as it's my default browser.

There's one minor issue left, which is using the Yubico key with my iPad. According to this article and this entry in the FAQ, I can use the Yubico key with my iPad 3; however, the device doesn't blink when I point my browser at the demo site. Anyway, that's fine for now.