Greg Wolanski

Yubi‐co‐key, my designer

How to design software that uses security keys

The value of emails, domains, passwords, and the accounts associated with those passwords is ever increasing. But with greater value comes greater risk (of loss). SMS codes make account takeovers more difficult, but they don’t prevent them entirely. In the coming years, we can expect the popularization of more effective security measures. One such security measure is security keys.

Security keys are authentication devices that require physical contact and cannot be remotely hacked.

I wanted to learn how to design software that uses security keys. I couldn’t easily find any good resources on the subject, so I decided to order some security keys and research the topic myself.

Research notes

  • Security keys are not popular (April 2022)

  • You can see a list of services that support security keys on the Yubico website (this list is not complete; Tutanota is missing)

  • It’s good practice to use a minimum of two security keys

  • Security keys require the physical push of a button at login

  • Security keys only require interaction at login; if the session doesn’t expire (i.e., if you check “Remember me” or do something similar), you can access the service on the same device without touching the security key again until you clear the cookies

  • If you’re using security keys, it’s good practice to disable SMS code authentication; SMS codes are less secure than hardware security keys, and if you leave them enabled as an authentication option, they can be used by hackers to bypass your security keys

  • Security keys can be used with phones and tablets using NFC, USB-A, USB-C, and Lightning ports

  • It’s common practice for people to name their keys

  • Implementations differ in the order in which the key name and the key touch are requested

  • Implementations also differ in whether the application shows its own transition state while waiting for a key touch; some rely solely on the browser's prompt, while others display a waiting state in their own interface as well

  • Some applications don’t mention security key support anywhere until you activate 2FA without a security key; it’s worth not repeating this mistake

  • For services that support 2FA but don’t support hardware authentication keys, a smart solution is to use Authenticator from Yubico (iOS, Android), which requires a key at the mobile app level; this may be a cheaper way to implement security key support in your project

  • Enabling security keys brought to my attention the presence of recovery codes in applications; worth considering

  • Some service providers (Basecamp, GitHub, Twitter) email people when a security key has been assigned to their account; consider this in your project

  • In most applications, security keys are the second factor of authentication, and so—unlike the Apple Watch—you can’t unlock 1Password with them

  • iPad requires YubiKey 5Ci
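The two notes above about the order of name and touch, and about a transition state while waiting for the touch, as an added example that is not code from the article or from any of the services it reviews. The browser API behind every "plug in your security key" screen is navigator.credentials.create() (WebAuthn); here it is passed in so the flow can run in Node with a constructed stand-in, and the relying-party values, the user id and the `fakeCreateCredential` helper are placeholders.

```javascript
// Added example, not code from the article or any service it reviews: a
// controller for the "add a security key" flow with an explicit "waiting for
// touch" state and a configurable order of key name vs. key touch. The browser
// API behind it is navigator.credentials.create() (WebAuthn), passed in so the
// same logic runs in Node with a stand-in and in a browser with the real call.
class SecurityKeyEnrollment {
  // createCredential: (options) => Promise<{ id }>; askName: () => Promise<string>
  constructor({ createCredential, askName, nameFirst = true }) {
    this.createCredential = createCredential;
    this.askName = askName;
    this.nameFirst = nameFirst; // which of the two orders in the screenshots to use
    this.states = []; // every transition, in order, for the UI to render
    this.name = null;
    this.credentialId = null;
  }
  setState(s) { this.states.push(s); return s; }
  async run(challengeFromServer) {
    if (this.nameFirst) this.name = await this.askName();
    // Explicit transition state: the app tells the user to touch the key
    // instead of relying solely on the browser's own prompt.
    this.setState("waiting_for_touch");
    try {
      const cred = await this.createCredential({
        publicKey: {
          challenge: challengeFromServer, // fresh per registration, issued by the server
          rp: { name: "example.test" }, // placeholder relying party
          user: { id: new Uint8Array(16), name: "user@example.test", displayName: "User" },
          pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
          authenticatorSelection: { authenticatorAttachment: "cross-platform" },
        },
      });
      this.credentialId = cred.id;
    } catch (err) {
      // Browsers reject with NotAllowedError when the user cancels or the
      // request times out; the UI should offer a retry, not a generic failure.
      return this.setState(err.name === "NotAllowedError" ? "touch_cancelled" : "error");
    }
    if (!this.nameFirst) this.name = await this.askName();
    return this.setState("registered");
  }
}
// Constructed stand-in for navigator.credentials.create(): resolves with a fake
// credential id, or rejects the way a browser does when the key is not touched.
function fakeCreateCredential({ touched = true } = {}) {
  return async () => {
    if (!touched) throw Object.assign(new Error("cancelled"), { name: "NotAllowedError" });
    return { id: "constructed-credential-id" };
  };
}
```

In a browser, pass `(opts) => navigator.credentials.create(opts)` as `createCredential` and a server-issued challenge; the `states` array is what drives the spinner or "waiting for device" screen seen in the screenshots below.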

Screenshots

1Password, Basecamp, Fastmail, Gandi, GitHub, Tutanota, Twitter

1Password

Screenshot captions, in order:

  • My Profile

  • Two–Factor Authentication: Off

  • Two–Factor Authentication: Set Up Authenticator App: Install an authenticator app

  • Two–Factor Authentication: Set Up Authenticator App: Enter the 6–digit authentication code

  • Two–Factor Authentication: Set Up Authenticator App: Your authenticator app was successfully registered

  • Two–Factor Authentication: On

  • Two–Factor Authentication: New Authenticator App

  • Two–Factor Authentication with security key support

  • Two–Factor Authentication: Add a Security Key: Enter a name for the key

  • Two–Factor Authentication: Add a Security Key: Plug in your security key and activate it now

  • Two–Factor Authentication: Add a Security Key: Your security key was successfully registered

  • Two–Factor Authentication with security keys

Basecamp

Screenshot captions, in order:

  • My profile

  • Login

  • Two–factor Authentication

  • 2FA Setup Step 1

  • 2FA Setup Step 2

  • 2FA Setup Step 3

  • Login with two-factor authentication enabled

  • Security keys

  • Security keys: Add a security key

  • Security keys: Add a security key: Spinner

  • Security keys: Add a security key: Please give this security key a nickname

  • Security keys: Your new security key was added successfully

  • Security keys

  • Login: Activate your security key to continue

  • Login: Activate your security key to continue: Spinner

Fastmail

Screenshot captions, in order:

  • Settings: Password & Security

  • Settings: Password & Security: Two–Step Verification: Please enter your password

  • Settings: Password & Security: Two–Step Verification

  • Settings: Password & Security: Two–Step Verification: Add Verification Device

  • Settings: Password & Security: Two–Step Verification: Add Verification Device: Insert your security key into the computer

  • Settings: Password & Security: Two–Step Verification: Add Verification Device: Give this security key a name

  • Settings: Password & Security: Two–Step Verification with a security key

  • Settings: Password & Security: Two–Step Verification with security keys

  • Log in

  • Log in: Two–step verification

  • Log in: Two–step verification: Waiting for device

Gandi

Screenshot captions, in order:

  • User Settings

  • Account settings

  • Account settings: Security

  • Account settings: Security key management

  • Account settings: Register your security key: New token name

  • Account settings: Security key registered successfully!

  • Account settings: Security with 1 security key connected

  • Account settings: Security key management with 1 security key connected

  • Account settings: Security key management with 5 security keys connected

  • Log in

  • Log in: Identity verification

GitHub

Screenshot captions, in order:

  • Profile

  • Profile: Two–factor authentication

  • Profile: Two–factor authentication: Confirm access

  • Profile: Two–factor authentication: Enabled

  • Profile: Two–factor authentication: Two–factor recovery codes

  • Profile: Two–factor authentication: Enabled

  • Profile: Two–factor authentication: Register new security key

  • Profile: Two–factor authentication with 1 security key

  • Profile: Two–factor authentication with 5 security keys

  • Sign in

  • Sign in: Use security key

Tutanota

Screenshot captions, in order:

  • User settings: Login

  • User settings: Login: Second factor authentication: Add

  • User settings: Login: Second factor authentication: Connect your security key

  • User settings: Login: Second factor authentication: Please take a minute to write down your recovery code

  • User settings: Login: Second factor authentication: Password

  • User settings: Login: Second factor authentication: Recovery code

  • User settings: Login: Second factor authentication with 1 security key

  • User settings: Login: Second factor authentication with 6 security keys

Twitter

Screenshot captions, in order:

  • Settings

  • Settings: Security and account access

  • Settings: Security and account access: Security

  • Settings: Security and account access: Security: Two-factor authentication: On

  • Settings: Security and account access: Security: Two-factor authentication: Enter your password

  • Settings: Security and account access: Security: Two-factor authentication: Security key

  • Settings: Security and account access: Security: Two-factor authentication: Security key found

  • Settings: Security and account access: Security: Two-factor authentication: Save this single-use backup code

  • Settings: Security and account access: Security: Two-factor authentication with 1 security key

  • Settings: Security and account access: Security: Two-factor authentication: Manage security keys with 1 security key

  • Settings: Security and account access: Security: Two-factor authentication: Manage security keys with 6 security keys

April 2022