Yubi‐co‐key, my designer

How to design software that uses security keys

The value of emails, domains, passwords, and the accounts associated with those passwords is ever increasing. But with greater value comes greater risk (of loss). SMS codes make account takeovers more difficult, but they don’t prevent them entirely. In the coming years, we can expect the popularization of more effective security measures. One such security measure is security keys.

Security keys are authentication devices that require physical contact and cannot be remotely hacked.

I wanted to learn how to design software that uses security keys. I couldn’t easily find any good resources on the subject, so I decided to order some security keys and research the topic myself.

Research notes

Security keys are not popular (April 2022)
You can see a list of services that support security keys on the Yubico website (this list is not complete; Tutanota is missing)
It’s good practice to use a minimum of two security keys
Security keys require the physical push of a button at login
Security keys only require interaction at login; if the session doesn’t expire (i.e., if you check “Remember me” or do something similar), you can access the service on the same device without touching the security key again until you clear the cookies
If you’re using security keys, it’s good practice to disable SMS code authentication; SMS codes are less secure than hardware security keys, and if you leave them enabled as an authentication option, they can be used by hackers to bypass your security keys
Security keys can be used with phones and tablets using NFC, USB-A, USB-C, and Lightning ports
It’s common practice for people to name their keys
Security key implementation can differ in the order that the key name and the key touch are requested
The implementation of security keys varies with the presence or absence of an application transition state in anticipation of a key touch; sometimes implementation relies solely on the browser interface, while some applications support such a transition state in their interface as well
Some applications don’t mention security key support anywhere until you activate 2FA without a security key; it’s worth not repeating this mistake
For services that support 2FA but don’t support hardware authentication keys, a smart solution is to use Authenticator from Yubico (iOS, Android), which requires a key at the mobile app level; this may be a cheaper way to implement security key support in your project
Enabling security keys brought to my attention the presence of recovery codes in applications; worth considering
Some service providers (Basecamp, GitHub, Twitter) email people when a security key has been assigned to their account; consider this in your project
In most applications, security keys are the second factor of authentication, and so—unlike the Apple Watch—you can’t unlock 1Password with them
iPad requires YubiKey 5Ci

Screenshots

1Password, Basecamp, Fastmail, Gandi, GitHub, Tutanota, Twitter

1Password

Yubico + 1Password: Two–Factor Authentication: Set Up Authenticator App: Install an authenticator app

Yubico + 1Password: Two–Factor Authentication: Set Up Authenticator App: Enter the 6–digit authentication code

Yubico + 1Password: Two–Factor Authentication: Set Up Authenticator App: Your authenticator app was successfully registered

Yubico + 1Password: Two–Factor Authentication: On

Yubico + 1Password: Two–Factor Authentication: New Authenticator App

Yubico + 1Password: Two–Factor Authentication with security key support

Yubico + 1Password: Two–Factor Authentication: Add a Security Key: Enter a name for the key

Yubico + 1Password: Two–Factor Authentication: Add a Security Key: Plug in your security key and activate it now

Yubico + 1Password: Two–Factor Authentication: Add a Security Key: Your security key was successfully registered

Yubico + 1Password: Two–Factor Authentication with security keys

Basecamp

Yubico + Basecamp: Two–factor Authentication

Yubico + Basecamp: Login with two-factor authentication enabled

Yubico + Basecamp: Security keys: Add a security key

Yubico + Basecamp: Security keys: Add a security key: Spinner

Yubico + Basecamp: Security keys: Add a security key: Please give this security key a nickname

Yubico + Basecamp: Security keys: Your new security key was added successfully

Yubico + Basecamp: Login: Activate your security key to continue

Yubico + Basecamp: Login: Activate your security key to continue: Spinner

Fastmail

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification: Add Verification Device

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification: Add Verification Device: Insert your security key into the computer

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification: Add Verification Device: Give this security key a name

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification with a security key

Yubico + Fastmail: Settings: Password & Security: Two–Step Verification with security keys

Yubico + Fastmail: Log in: Two–step verification

Yubico + Fastmail: Log in: Two–step verification: Waiting for device

Gandi

Yubico + Gandi: Account settings: Security

Yubico + Gandi: Account settings: Security key management

Yubico + Gandi: Account settings: Register your security key: New token name

Yubico + Gandi: Account settings: Security key registered successfully!

Yubico + Gandi: Account settings: Security with 1 security key connected

Yubico + Gandi: Account settings: Security key management with 1 security key connected

Yubico + Gandi: Account settings: Security key management with 5 security keys connected

Yubico + Gandi: Log in: Identity verification

GitHub

Yubico + GitHub: Sign in: Use security key

Tutanota

Yubico + Tutanota: User settings: Login: Second factor authentication: Connect your security key

Yubico + Tutanota: User settings: Login: Second factor authentication: Please take a minute to write down your recovery code

Yubico + Tutanota: User settings: Login: Second factor authentication: Password

Yubico + Tutanota: User settings: Login: Second factor authentication: Recovery code

Yubico + Tutanota: User settings: Login: Second factor authentication with 1 security key

Yubico + Tutanota: User settings: Login: Second factor authentication with 6 security keys

Twitter

Yubico + Twitter: Settings: Security and account access: Security

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: On

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Enter your password

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Security key

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Security key found

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Save this single-use backup code

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication with 1 security key

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Manage security keys with 1 security key

Yubico + Twitter: Settings: Security and account access: Security: Two-factor authentication: Manage security keys with 6 security keys

Follow me on Twitter

April 2022