Multi Factor Authentication:

We are going to specifically talk about “2FA” and skip the biometrics like TouchID. We don’t all have the new MacBooks with the touch bar.

Main Types of 2FA:

SMS: This sucks. If your phone number can be hijacked even briefly, they can gain control over your accounts. I really HATE Twitter and Facebook for NOT letting you kill SMS even if you enable stronger 2FA methods.

OTP (One Time Password): What we have been used to. Google Authentication, Facebook App, Duo Security, and 1Password.

Side Notes:

• If you have OTP in 1password sync’d to your Apple Watch you get the OTP code and cannot see the login password.
• If you admin a Duo Security 2FA account you can actually use Yubikey’s with it. Great for a backup for your admin account locked in a safe deposit box should your phone get lost.

• https://duo.com/docs/yubikey
• Example I use Duo with my WordPress blog. So I can either push 2FA via Duo or fall back to my physical Yubikey.

U2F (Universal Two Factor): Hardware key. Yubikey, some third party tokens, and if you are into bitcoin a couple of hardware wallets provide U2F compatibility.

https://www.yubico.com/2016/02/otp-vs-u2f-strong-to-stronger/ 

Two factor and common Mac User Services

Apple: SMS and Trusted Device.

A comment on Trusted Device. If you upgrade iOS devices you need to remember to go into your AppleID and update it at appleid.apple.com. It won’t update itself.

Apple has also what they call two step verification and two factor authentication on icloud/itunes accounts. If you want to be able to unlock a modern mac with your Apple Watch you have to be converted to two factor authentication. We can talk more about that at the end.

Twitter: SMS and OTP. You cannot turn on OTP unless you activate SMS.

Facebook: SMS, OTP and now U2F. If you turn on OTP, or U2F you cannot disable SMS.

Dropbox: SMS, OTP and U2F. You can actually make SMS optional.

We all know about SMS and most of us here know 1Password with OTP support.

Why U2F over OTP?

You have to type/paste a code for OTP. It is possible to have malware on the computer catch both password at login and the OTP and race to get logged in to take control of your account.

U2F does a challenge response directly with the hardware key. Key logger malware cannot intercept that. If you are an at risk person. Activist, Lawyer, member of the press or just paranoid using U2F for your normal login process is the best option. Even on your own machine. The downside is only two browsers support U2F, Chrome and Opera. I tried Brave as it is based on Chrome, and it knows the Yubikey is there but does not properly handle the U2F exchange.

https://www.yubico.com/support/knowledge-base/categories/articles/browsers-support-u2f/ 

The Yubikey

So…. Let’s talk the Yubikey.

First just this morning I ran across a new free handbook on the Yubikey. You can grab it in ebook format for iBooks too. https://ruimarinho.gitbooks.io/yubikey-handbook/content/ 

A Yubikey is a hardware security key used for authentication to various types of systems. This is a very sturdy and securely designed hardware authentication token. There are different models with different features. We will talk in general about the U2F only key and the 4 series in general.

These devices are USB-A keys. Those of you with the new MacBooks with the USB-C connector, a 4C is now released. I looked today and they are out of stock.

A while back they added what is called Universal Two Factor (U2F) support. This is a method of authenticating through a supported web browser to sites that support U2F.

Services the typical mac user might use that supports U2F are Google, Dropbox, and Facebook. Maybe even Github if you code.

The main two Yubikey series that matter are the Fido U2F only key which is way less expensive and the 4 series. The FIDO U2F is $18 USD Amazon Prime.  The standard YubiKey 4 is $40 USD Amazon Prime.  The 4C is listed at $50 USD.

Why the FIDO?

If all you need is extra 2FA for the main services and are willing to use Chrome this is the best choice for you. OTP codes are great and 1Password is awesome but things can go wrong with your phone or access to your 1Password database. Having one of these configured and kept on your keys or locked in a safe deposit box is a great idea. You can use the one key for all the services.

Why the 4 Series?

The 4 series also supports security login card support that Apple added in OS X Sierra called (PIV). Then it additionally supports PGP/SSH keys.

PIV (Personal Identity Verification) Card Support: OS X Sierra

You only have to download Yubico’s PIV manager app from their site and walk through their steps.

https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/ 

Once you have done that you can use the Yubikey by plugging it in. On OS X Sierra the password prompt will change to a PIN prompt when unlocking your laptop screen saver or from sleep. That has to be numeric and no more than 8 digits. The adversary you are compensating for is someone takes your laptop but not your Yubikey.

If you are an at risk person, change your user password to a nasty complex one. You will have to type it all in at power on to handle your FileVault decryption. Some prompts might also need it. Others that properly use the OS dialogs will let you use the key and PIN.   You are using the Yubikey + PIN to offset having a nasty rare to enter long passphrase.

I would also make sure to encrypt any external storage like a time machine drive you attach regularly. Do NOT use the same passphrase as your login. Use 1Password to make something nasty that you cannot remember. Save it as a secure note in 1Password but let your OS X keychain save the password for the drive. Again this is best where your adversary is someone getting physical possession of your gear but not access to your Yubikey or past your password vault master password.

If you buy one or more from Amazon you might consider a thematically appropriate charity to support or your favorite one.

https://smile.amazon.com

EFF

Hackers for Charity

ACLU

AppleID Two Step vs Two Factor:

• What is the two step:

• Typically you will be receiving this via SMS. You MUST provide a phone number as a minimum.
• Trusted devices (signed in to icloud) can receive it via an OS popup through the Find my iPhone service.
• This is a four digit code.
• Only option for iOS pre v9 or OSX earlier than El Capitan.

• What is the two factor

• Has to be an iOS/OSX Device. So if you are securing your AppleID but don’t have one of these devices with a reasonably current OS version then stick with two step and SMS.
• This is nice because on all your trusted devices you get an alert about the attempt that includes a map of the location.
• The code you receive via the popup is 6 digits.
• This is the option you have to have enabled to support OSX Unlock via Apple Watch.

• Process for changing over:

• Edit your security section once logged into appleid.apple.com
• Click to the right of Two-Step Verification and click Turn Off Two-Step Verification
• It will force you to set security questions. I would make those answers up and save them in 1Password.
• Once you have it off you can turn Two Factor on instead and just walk through the prompts.

• Problems changing over:

• I ran into weirdness where I could not get it to take on my iPhone but my laptop worked fine when I changed over to Two Factor. I had to remove it completely and add it back again.
• I recommend doing it first from OSX since I had some issues trying to switch screens on iOS to fetch my nasty appleid password from 1Password and flip to the authentication popups during setup.
• I  have different iTunes and iCloud accounts. I want all my devices signed in via iCloud not iTunes for sync etc. So I leave two step on for iTunes and use two factor for iCloud.

Two Step:

https://support.apple.com/en-us/HT204152

Two Factor:

https://support.apple.com/en-us/HT204915 

Trusted devices

A trusted device is an iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later that you've already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser.

Trusted phone numbers

A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication. You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices.

Is this different than Apple’s current two-step verification feature?

Yes. Two-factor authentication is a new service built directly into iOS, macOS, tvOS, watchOS, and Apple’s web sites. It uses different methods to trust devices and deliver four-digit verification codes, and offers a more streamlined user experience. Two-factor authentication is required in order to use certain features that require improved security.

The current two-step verification feature will continue to work separately for users who are already enrolled.