Hardware Authentication and Security tokens, like the YubiKey, are a great advance in IT Security; their accessibility for individuals and low price point make it easy to secure your IT services, online accounts, and more using a hardware secure-element that is nearly immune to private key leak or theft.
I’ve been using a YubiKey NEO for nearly a month now and I use it daily, on both my MacBook and my mobile (via NFC). Its smart-card (PIV/CCID) element has three keys on it: a signing key, an encryption key, and an authentication key, which I use for code, email, and git commit signing, as well as secure-shell (SSH) authentication, and more.
The FIDO U2F component also integrates tightly with my digital world, acting as a second (or in some cases third) factor of authentication for all of my online accounts which support it (right now that’s GitHub, Google, and Dropbox to name a few). In combination with the OTP modes available, the YubiKey is a very powerful bit of kit!
Crush-Proof, Not Dan-Proof
(Before I go on, don’t let me put you off – YubiKeys are awesome! I’m sure alternatives are too, but the YubiKey, and Yubico as a whole, seriously rock – read on to find out why).
So there I am, finishing some changes to a large (and unfortunately proprietary) project. I always sign my git commits and outgoing mail, so I plug in my YubiKey NEO, start the GPG-Agent service, and give my code a quick once-over before committing it.
Sweet! Code looks good, I’ll just grab a drink and then this commit is good to go!
This quickly becomes the story of how I destroyed my YubiKey NEO. I broke the unbreakable.
Nothing is Dan-Proof, something which has been proven time and again.
As I placed my MacBook on the seat of the sofa and began to get up, it slid off the edge, falling only a short distance onto its side. As my luck would have it, that side is the side to which I had just connected my YubiKey.
Mistakes were made!
It doesn’t land too heavily, but it does land with a chilling crunch sound; my heart sank. I picked the MacBook up and thankfully the machine was okay, but sure enough the crunch had come from my new tech best friend – my YubiKey was now set for authenticating around corners (or not authenticating at all – the PCB was a clean cut-off, breaking both the USB data traces and the NFC antenna traces).
Ouch! My YubiKey is well and truly broken. There’s a silver lining here: I took the time to back up my GPG private-keys on an air-gapped machine before moving them to the key, so all was not lost.
Yubico Support (is Awesome)
So I need a new one, and fast. I sat back down and hammered out a quick (and polite) email to Yubico; they do claim that the YubiKey is crush-proof and impact-resistant after all!
I knew the device was in warranty, but I didn’t know what to expect. Sure enough not even half an hour later I had a positive response from Yubico, explaining the rarity of a broken YubiKey, and offering me an immediate replacement under warranty – no questions asked.
At this point, real kudos to Yubico; I wasn’t expecting such a positive reply and so quickly – they really do have top-class customer support.
Needless to say my replacement is on its way only a day later, and YubiKeys are (of course) still awesome! I’ll be a little more careful with this one; lesson learned! After being so impressed with the device, and even more impressed with the customer support, we’re now rolling them out at Gambit Nash to all staff who can utilise them! (Secure all the things!)
TL;DR: Get a YubiKey (here on Amazon UK), love it and care for it (don’t let it be “Danned”), get set up with GPG (How: Win / Mac), and start signing your emails and git commits (now supported on GitHub too)!
Tell your friends and colleagues to get them too, and grab my Public Key for your GPG Key chain!