Yubikey and LastPass, are a pair of services that I use for storing my passwords and personal data. The Yubikey functions as an authentication token for the LastPass login, and is used to decrypt the password vault.
In theory, I should consider a service where the passwords aren’t stored on their cloud, even in an encrypted format. However, I like LastPass, and I like their software. I like that their password validator seems to actually give accurate ratings to the various passwords in the vault during their security check function. Some sites will fail simple passwords that actually are very hard to crack, simply because they don’t fit a scheme. The fact that the tool also monitors for duplicate passwords and sites whose passwords have been compromised; and then request that you change those, also really handy.
The Yubikey is a little plastic dongle that plugs into your USB drive and acts as USB keyboard, typing out a One Time Password (OTP) as if you’d typed it into the keyboard directly. The chip on the Yubikey is set up to do a few fancy things to ensure that the password is hard to spoof.
There are some potential problems with any password scheme, especially the sort where there is a single point of failure. Using the Yubikey to generate the OTP for the LastPass in theory, makes it much more secure, since in order to access your Password Vault, they require both the digital key and the physical key. So, that’s what I had been using for my personal passwords for the last year, but I hadn’t been able to convince too many other people to switch over, until recently.
When I first got my Chromebook, I was slightly annoyed that there wasn’t a way to use the Yubikey to log into it. Then, by accident, the other day, I found out how to manage that. The Yubikey configuration tool has the ability to set up what is stored in the two slots on the Yubikey. In the main slot, is the OTP, for doing the main login. In the second slot, a variety of different configurations could be set up. The only option that made sense for my purposes is the Static Keystring.
By storing a preset keystring of up to 38 characters that will be typed in whenever I activate the second slot on the key, I have a password that I can use to log into offline devices. The activation of the secondary slot is simply holding down the button on the yubikey, rather than tapping it. I can use this preset key to log into a secondary gmail account, which logs me into the chromebook. Once inside that gmail account, I can log into the lastpass browser plugin, verifying with slot 1 on the yubikey, and open up my gmail account. This whole sequence can be done fairly quickly, especially if the lastpass browser plugin has been told to save the master password, so the login sequence becomes essentially boot computer, long press on the key, wait for the screen for the Yubikey OTP, short press, and you’re logged in. That system, as long as you aren’t worried about losing the key, is actually pretty secure. It does have a few obvious flaws.
Though, with a few minor alterations, can be made considerably more secure.
The first main flaw, is that with the key and the knowledge, anyone can get in. Convenience has compromised the security. The single press a button bypasses the first login, and the second login is saved, the third login is just another button press.
So, what’s the easy way to fix that? Pad the static keystring. Have a few characters that need to be typed in manually, before you press the button. That means even with the key, they’ll still need to guess that initial password, before it’ll let them in.
This actually also helps with the second flaw, which is that since the static keystring is static and emitted whenever the button is pressed to activate that slot, it’s easy to steal. That’s why I’m not using it on my main gmail, but on a secondary gmail that really only exists so that it grabs a copy of the LastPass browser plugin from the chrome store when I log on.
Beyond that, I’m sure there are plenty of other flaws, but these are the ones I’ve discovered so far. And since my google account has other forms of verification on it, specifically the whole two-factor authentication whenever you log in from a new device, I’m not currently concerned.
I know someone could compromise my security, if they had reason to, but for the moment, I doubt there are any with the skills, malicious intent, and motivation. I am sure there are some with two of the three, but I can’t think of anyone with all three; most would only have but one.