Two-factor authentication (2FA) basically means you use some other information in addition to your password.
Summary for Google Account (Gmail) with YubiKey (on Mac)
- You must use Google Chrome browser to register the key. You cannot register using e.g. Firefox.
- Once registered, you can then login with the key in Firefox (Firefox Quantum, version 60+) if you have security.webauth.u2f set to true in about:config (it is false by default). That setting enables Universal 2nd Factor (U2F) support, which is what the security key uses.
- You cannot use the key for authentication with the Apple iPhone/iPad Mail app.
Details
1. Background
2FA provides an extra level of security over just a password. Passwords have lots of flaws, including the fact that numerous websites have had their username+email+password combinations hacked, with millions of such credentials now available to be searched online. Also, passwords can be guessed or bypassed using various password recovery and reset mechanisms including the (terrible) recovery questions ("What was your favourite XYZ") approach. And passwords can be stolen through targeted attacks such as email phishing (a common way to steal a password).
As password reset is typically done by email, your email account should have very strong security including a strong password; typically your email account provides the key to unlocking all your other accounts.
Email such as Gmail can be secured with 2FA. Typically this is with a text message code sent to your phone, but text messages (or automated voice calls) have a major security flaw in that your phone number can be hijacked through something called SIM hijacking (basically a hacker redirects your phone number to a phone they control). Moreover, this method means giving the service your phone number, which is undesirable for lots of reasons; most notoriously, Facebook took phone numbers provided for 2FA and used them for targeted advertising.
A much better option than text message 2FA is an app on your phone such as Google Authenticator, but even better than that is a hardware token, a USB security key.
The two main options are the YubiKey from Yubico and the Google Titan Security Key, but the Titan Security Key isn't available in Canada.
You can go down quite a rabbit hole of chain-of-custody and trust if you spend much time worrying about what a secure source is for the key. Basically, from Canada, unless you're a high-risk target, just go to the Yubico website and order a key (probably two keys actually, so you have a backup one); they will ship it by USPS with "Get started with your YubiKey" in big green letters on the outside, and that's fine. If you want to be extra careful you can always check the Yubico web certificate, for all the small degree of additional assurance that may give you.
https://www.yubico.com/
(If you are a journalist, activist or other high-risk target you should be looking at Google's Advanced Protection Program and seeking advice from experts.)
2. YubiKey setup for Google Accounts (Gmail)
Understand what you're signing up for: activating this means the first time you login to any of your Google Account services on a different computer, you will need to have your security key. (This is the whole point of 2FA security: to prevent someone who is unauthorized from logging into your account on another computer.)
Once you have your YubiKey, you set it up by logging into your Google Account using Google Chrome browser
https://myaccount.google.com/
and going to
Sign-in and security - Signing in to Google - Password & sign-in method - 2-Step Verification
(If you are already in Gmail, you can get to your Google Account by clicking your user icon in the upper right and then clicking on the Google Account box in the popup.)
- Under Protect your account with 2-Step Verification click Get Started.
- Under Let's set up your phone, at the bottom where it says Don't want to use text message or voice call? click "Choose another option" and then click "Security Key".
- It will prompt you when to insert your key and when to e.g. press the circle on the key.
- You might want to name your key, if you have multiple keys. Note that there is a bug - even if you name your first key, it will still say "Security Key". You will have to manually edit the name of the first key after it is registered.
That's basically it for the key. You will also want to get a list of numeric security codes (Backup Codes) for account access if e.g. you lose your key. This list will also turn out to be useful if app passwords don't work. Depending on your threat assessment you might want to keep the list on your computer (Google will offer to save it to a plain text file) and/or print it and/or write it down in a notebook. Just make sure whatever you do the list of numeric codes is secure.
(If you do save the list of codes on your computer and later decide to erase it, about the closest you can get to an erase is rm -P filename.txt in Terminal, which will overwrite the file. As with all use of file removal commands in Terminal, make sure you are only removing the intended file. But given modern computers it may linger in e.g. Time Machine backups and local search indexes anyway. In any case if your computer is compromised you will probably have bigger problems than stolen Google numeric codes.)
You can use the same key(s) as two-factor authentication for more than one Google Account; you just have to separately register the keys in each account.
As a reminder, you no longer have to provide Google with a phone number. You can just skip down to Security Key for 2FA.
Browsers other than Google Chrome will not work for registering your YubiKey.
For more information see:
3. YubiKey login for Gmail on desktop
You can login using your YubiKey with Firefox (Quantum, version 60+), but you must first set a configuration item. Using about:config, search for
security.webauth.u2f
and set it (e.g. by double-clicking on it) to true.
(You can read this thread for some of the messy details about U2F and Google and Firefox.)
Once you've set the config, and restarted Firefox, you can login to e.g. Gmail. You'll enter your password and then you'll get a prompt to use the key. By default it's set to remember your "computer", although you can uncheck this.
You will get a rather disconcerting popup, attached to the URL bar, that you can only cancel. Basically all you can do is ignore it and continue what you're doing. I don't actually know where in Firefox you could go to disable the option to always trust your computer if that's what you selected on first login.
(It is not actually really "trust this computer"; it's something more like "trust this user account", or maybe "trust this profile in this browser in this user account on this computer". If you e.g. login to your Gmail in a different user account on the same computer, it will prompt you for the key again.)
You'll need to login using your key on every computer where you access Google Account services including Gmail. This means you pretty much need to carry your key around with you on a keyring at least for initial setup if you use remote computers. Also there may be problems logging in using a work computer, depending on how the administrator has configured your computer and what browsers and browser preferences it has.
4. No YubiKey for Apple iOS Mail on iPhone/iPad
Once you set up 2FA, you will be logged out of your Gmail on Apple Mail on your mobile device(s).
But to quote Google:
Note: Currently, iPhone apps like Mail and Calendar only work with security keys used as part of the Advanced Protection program.
(It's not a technology restriction, as long as you have a key that can do NFC or Bluetooth or can otherwise connect to your mobile device.)
For Apple iOS Mail you're supposed to set up an App password, in your Google Account under Sign-in and security - Signing in to Google - Password & sign-in method - App passwords (e.g. select Mail - iPhone), but for the life of me I couldn't get it to work. I don't know whether you're supposed to enter it as a one-time password (which is what the screen text seems to indicate) and then enter your regular password, or whether it's a bug, but no matter how many times I entered the App password it was always rejected.
I ended up being prompted by Google to use one of my one-time numeric codes, and then Mail worked fine again. That is a reminder to make sure you have your list of one-time numeric codes handy.
(I don't use the Gmail app so I haven't tested it with the key.)
5. Conclusion
Pretty much any two-factor authentication is better than none. As a "thing you have", the key provides a strong level of physical security in an online world (it's hard for a remote hacker to duplicate the authentication it provides without having the key itself), but you may find other options more convenient until more software supports the use of hardware keys for 2FA.
You can find additional information about 2FA in the Citizen Lab Security Planner: 2-Factor Authentication.