Multi Factor Authentication:

We are going to specifically talk about “2FA” and skip the biometrics like TouchID. We don’t all have the new MacBooks with the touch bar.

Main Types of 2FA:

SMS: This sucks. If your phone number can be hijacked even briefly, they can gain control over your accounts. I really HATE Twitter and Facebook for NOT letting you kill SMS even if you enable stronger 2FA methods.

OTP (One Time Password): What we have been used to. Google Authentication, Facebook App, Duo Security, and 1Password.

Side Notes:

U2F (Universal Two Factor): Hardware key. Yubikey, some third party tokens, and if you are into bitcoin a couple of hardware wallets provide U2F compatibility.

https://www.yubico.com/2016/02/otp-vs-u2f-strong-to-stronger/ 

Two factor and common Mac User Services

Apple: SMS and Trusted Device.

A comment on Trusted Device. If you upgrade iOS devices you need to remember to go into your AppleID and update it at appleid.apple.com. It won’t update itself.

Apple has also what they call two step verification and two factor authentication on icloud/itunes accounts. If you want to be able to unlock a modern mac with your Apple Watch you have to be converted to two factor authentication. We can talk more about that at the end.

Twitter: SMS and OTP. You cannot turn on OTP unless you activate SMS.

Facebook: SMS, OTP and now U2F. If you turn on OTP, or U2F you cannot disable SMS.

Dropbox: SMS, OTP and U2F. You can actually make SMS optional.

We all know about SMS and most of us here know 1Password with OTP support.

Why U2F over OTP?

You have to type/paste a code for OTP. It is possible to have malware on the computer catch both password at login and the OTP and race to get logged in to take control of your account.

U2F does a challenge response directly with the hardware key. Key logger malware cannot intercept that. If you are an at risk person. Activist, Lawyer, member of the press or just paranoid using U2F for your normal login process is the best option. Even on your own machine. The downside is only two browsers support U2F, Chrome and Opera. I tried Brave as it is based on Chrome, and it knows the Yubikey is there but does not properly handle the U2F exchange.

https://www.yubico.com/support/knowledge-base/categories/articles/browsers-support-u2f/ 

The Yubikey

So…. Let’s talk the Yubikey.

First just this morning I ran across a new free handbook on the Yubikey. You can grab it in ebook format for iBooks too. https://ruimarinho.gitbooks.io/yubikey-handbook/content/ 

A Yubikey is a hardware security key used for authentication to various types of systems. This is a very sturdy and securely designed hardware authentication token. There are different models with different features. We will talk in general about the U2F only key and the 4 series in general.

These devices are USB-A keys. Those of you with the new MacBooks with the USB-C connector, a 4C is now released. I looked today and they are out of stock.

A while back they added what is called Universal Two Factor (U2F) support. This is a method of authenticating through a supported web browser to sites that support U2F.

Services the typical mac user might use that supports U2F are Google, Dropbox, and Facebook. Maybe even Github if you code.

The main two Yubikey series that matter are the Fido U2F only key which is way less expensive and the 4 series. The FIDO U2F is $18 USD Amazon Prime.  The standard YubiKey 4 is $40 USD Amazon Prime.  The 4C is listed at $50 USD.

Why the FIDO?

If all you need is extra 2FA for the main services and are willing to use Chrome this is the best choice for you. OTP codes are great and 1Password is awesome but things can go wrong with your phone or access to your 1Password database. Having one of these configured and kept on your keys or locked in a safe deposit box is a great idea. You can use the one key for all the services.

Why the 4 Series?

The 4 series also supports security login card support that Apple added in OS X Sierra called (PIV). Then it additionally supports PGP/SSH keys.

PIV (Personal Identity Verification) Card Support: OS X Sierra

You only have to download Yubico’s PIV manager app from their site and walk through their steps.

https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/ 

Once you have done that you can use the Yubikey by plugging it in. On OS X Sierra the password prompt will change to a PIN prompt when unlocking your laptop screen saver or from sleep. That has to be numeric and no more than 8 digits. The adversary you are compensating for is someone takes your laptop but not your Yubikey.

If you are an at risk person, change your user password to a nasty complex one. You will have to type it all in at power on to handle your FileVault decryption. Some prompts might also need it. Others that properly use the OS dialogs will let you use the key and PIN.   You are using the Yubikey + PIN to offset having a nasty rare to enter long passphrase.

I would also make sure to encrypt any external storage like a time machine drive you attach regularly. Do NOT use the same passphrase as your login. Use 1Password to make something nasty that you cannot remember. Save it as a secure note in 1Password but let your OS X keychain save the password for the drive. Again this is best where your adversary is someone getting physical possession of your gear but not access to your Yubikey or past your password vault master password.

If you buy one or more from Amazon you might consider a thematically appropriate charity to support or your favorite one.

https://smile.amazon.com

EFF

Hackers for Charity

ACLU

AppleID Two Step vs Two Factor:

Two Step:

https://support.apple.com/en-us/HT204152

Two Factor:

https://support.apple.com/en-us/HT204915 

Trusted devices

A trusted device is an iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later that you've already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser.

Trusted phone numbers

A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices.

Is this different than Apple’s current two-step verification feature?

Yes. Two-factor authentication is a new service built directly into iOS, macOS, tvOS, watchOS, and Apple’s web sites. It uses different methods to trust devices and deliver four-digit verification codes, and offers a more streamlined user experience. Two-factor authentication is required in order to use certain features that require improved security.

The current two-step verification feature will continue to work separately for users who are already enrolled.