by Freak_NL 3817 days ago
If you have public-facing SSH daemons running, adding 2FA seems sensible. Google Authenticator essentially turns another computing device (the smartphone) into an ersatz hardware token. While this does increase security, I don't like the trend of turning the smartphone into a universal second factor.

Alternatively, you could go for a dedicated hardware token such as Yubico's FIDO U2F [1] keys [2]. Hardware tokens that use the fledgling FIDO U2F standard can also be used with PAM and SSH as well [3].

Two U2F keys (one backup) will cost around $40, and can be used with a growing number of webservices, including GitHub, DropBox, and GMail as well. The small form factor means you can put the key on your (physical, real world) keychain.

1: https://fidoalliance.org/specifications/overview/

2: https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...

3: https://developers.yubico.com/pam-u2f/

3 comments

You can use Yubico OTP as your 2 Factor for SSH. As far as I know you can not use U2F as a 2 Factor over SSH because it needs support from OpenSSH (or whatever). A patch does exist, however, it is not yet upstream (any information on this welcome).

However, in the absence of U2F, you can still use Yubico OTP (HOTP) or you can use your yubikey together with your smartphone for TOTP. I think it's a bad idea to use your smartphone as a 2Factor. However, if you combine your smartphone with your yubikey (download "Yubikey Authenticator") you can use your smartphone simply as a time provider.

This has the added benefit that if you lose your phone, you can use any other phone/tablet to do the authentication. Google Authenticator does not support that feature, and Authy Cloud-based solutions are not for everybody.

I use my Yubikey in all 3 different ways. I use Yubikey+Smartphone if I have no other options, Yubikey as U2F where I can (Dropbox, Github, Google) and Yubikey OTP (HOTP) for some services that support that instead of U2F.

Additionally you can use the Yubikey to decrypt your harddrive with HMAC or Static Password.

I really hope OpenSSH (and everybody else) will support U2F soon; it's so much better than bothering with the smartphone and typing stuff into your computer.

> https://github.com/Yubico/pam-u2f/issues/12

> https://bugzilla.mindrot.org/show_bug.cgi?id=2319

You can use yubi's PAM modules in conjunction with SSH PAM auth, no need to patch OpenSSH.

https://developers.yubico.com/yubico-pam/

For Yubikey OTP, not U2F.
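The comment above says yubico-pam does the job without patching OpenSSH; this added example (not from the thread or from Yubico's documentation) stages the two config fragments that wire pam_yubico in front of an SSH login and checks that the directives which actually enforce key-plus-OTP are present. CLIENT_ID is a placeholder for the API client id you register with Yubico, and STAGE is a scratch directory so the script runs without root.

```shell
#!/bin/sh
# Added example: stage sshd + PAM config for Yubikey OTP as a second factor.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"
CLIENT_ID="${CLIENT_ID:-PLACEHOLDER_CLIENT_ID}"

write_pam_sshd() {
    # /etc/pam.d/sshd auth line: pam_yubico validates the OTP against the
    # Yubico cloud (mode=client) and only accepts users whose key public id
    # is listed in authfile (format: user:publicid). "required" means a
    # missing mapping fails closed. Keep the distribution's account/session
    # lines below this line as they are.
    cat > "$STAGE/pam.d-sshd" <<EOF
auth    required    pam_yubico.so id=$CLIENT_ID authfile=/etc/yubikey_mappings mode=client
EOF
}

write_sshd_config() {
    # sshd_config: PAM prompts are only delivered over keyboard-interactive,
    # and AuthenticationMethods makes the SSH key AND the PAM (OTP) step both
    # mandatory instead of either one being enough on its own.
    cat > "$STAGE/sshd_config" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
}

check_2fa_config() {
    # Returns 0 only when every directive needed for enforced 2FA is present.
    grep -q '^auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*pam_yubico.so' "$STAGE/pam.d-sshd" || return 1
    grep -q '^UsePAM yes' "$STAGE/sshd_config" || return 1
    grep -q '^ChallengeResponseAuthentication yes' "$STAGE/sshd_config" || return 1
    grep -q '^PasswordAuthentication no' "$STAGE/sshd_config" || return 1
    grep -q '^AuthenticationMethods publickey,keyboard-interactive:pam' "$STAGE/sshd_config" || return 1
    return 0
}

write_pam_sshd
write_sshd_config
check_2fa_config && echo "staged 2FA config in $STAGE"
```

Copy the fragments into /etc/pam.d/sshd and /etc/ssh/sshd_config only after testing from a second session, so a PAM misconfiguration cannot lock you out.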
How does the yubikey hard drive encryption work?
Well the encryption is just standard luks. You can do it 2 ways (or 3 if you want to be fancy).

The simplest way is just to do a long static password and combine it with your normal password. So you type '1234' and then hit the yubikey button. The problem with this is that temporary access to your yubikey allows somebody to steal your static password.

The better way is to use the Challenge-Response mode that sends your password, and the Yubikey sends back a hash (HMAC-SHA1).

There is a very new way that you can use that uses time based authentication, but this was just presented at 32C3, see: Beyond Anti Evil Maid [32c3]
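The two LUKS schemes the comment describes, as an added model (not code from the thread or from yubikey-luks): the static-password variant just appends the key's stored string to what you type, while the challenge-response variant uses the typed string as the HMAC-SHA1 challenge and enrols the 20-byte response as the keyslot key. The device secret and passwords are constructed values; the exact way the response is turned into a LUKS key is an assumption modelled on yubikey-luks, not copied from it.

```python
"""Added example: model of Yubikey static-password vs HMAC-SHA1 challenge-response for LUKS."""
import hashlib
import hmac

# Constructed values. A real key holds the 20-byte secret in slot 2 and never releases it.
DEVICE_SECRET = bytes.fromhex("0b" * 20)
TOKEN_STATIC_PASSWORD = "Xk9#staticFromKey"   # what the key 'types' in static mode


def static_scheme(typed: str, token_static: str = TOKEN_STATIC_PASSWORD) -> bytes:
    """Scheme 1: LUKS passphrase = typed part + the key's static password.
    Whoever borrows the key once and presses the button learns token_static for good."""
    return (typed + token_static).encode()


def challenge_response(challenge: bytes, secret: bytes = DEVICE_SECRET) -> bytes:
    """Model of the Yubikey HMAC-SHA1 slot: challenge (1..64 bytes) in, 20-byte HMAC out.
    The secret stays on the device; a captured (challenge, response) pair does not yield it."""
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def challenge_scheme(typed: str) -> bytes:
    """Scheme 2: typed password is the challenge; the hex response is the keyslot key.
    (Assumption: this mirrors how yubikey-luks uses ykchalresp; details may differ.)"""
    return challenge_response(typed.encode()).hex().encode()


def enrol(typed: str) -> bytes:
    """Value written into the LUKS keyslot at setup time."""
    return challenge_scheme(typed)


def unlock(enrolled_key: bytes, typed: str) -> bool:
    """Unlock attempt: recompute the key from the typed password and the device,
    compare in constant time as a keyslot check would."""
    return hmac.compare_digest(enrolled_key, challenge_scheme(typed))


if __name__ == "__main__":
    slot = enrol("1234")
    print("static scheme leaks:", static_scheme("1234").endswith(TOKEN_STATIC_PASSWORD.encode()))
    print("challenge scheme key:", slot.decode())
    print("unlock ok:", unlock(slot, "1234"), "wrong:", unlock(slot, "1235"))
```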

Open source alternative to Yubikey (but with some features missing, such as NFC): https://www.nitrokey.com/
Aside from situations where high security is needed (which would necessitate a dedicated piece of hardware to be the 2nd factor), why are you averse to using a smartphone as the 2nd factor?
The problem is that often you want to use your smartphone as a client to the same services. This essentially eliminates the second factor.

The problem also is that the smartphone can be hacked and opens a huge attack vector that you don't have with other systems.

Also, typing in stuff by hand is a general bother.

I don't own a smartphone, for one, but I could purchase one if it would benefit me. As it is though, I cannot justify the cost and the increased monthly expenses. But for the sake of argument; if I did own a smartphone, I wouldn't want to turn it into a sort of virtual keychain. I can buy three U2F keys for under €60, and have spares. Smartphones are a single point of failure — unless you are in the habit of collecting spare smartphones.

There is also the matter of control. At the moment there are only a handful of smartphones that run an OS that is not under the control of Apple, Microsoft, or Google (Ubuntu smartphones come to mind as an alternative). On the other hand, on a normal computer I can run a full free software stack. To me this seems odd. If I own a piece of hardware, I want to run an OS and applications I can legally modify and tinker with, especially if I use it as a security device. By using tools such as Google Authenticator I get sucked into this walled garden.

The behaviour of hardware tokens such as Yubico's U2F keys on the other hand is completely verifiable — mostly because they are quite simple compared to a smartphone.

(Aside from these personal views on software, I do have high security requirements as well for some services, where a dedicated hardware token is preferable, as you point out.)

Hardware tokens are general purpose computers that have been locked down to the vendor's walled gardens. Yubikey is a JavaCard (in USB stick form factor) running some closed-source applets. There is a key that would allow you to load your own applets onto it but Yubico won't tell you what it is.

From a software freedom perspective, hardware tokens/smart cards are no better than smartphones.

There is a crucial difference here. With FIDO U2F I am not limited to Yubico's offerings; there are other vendors. FIDO U2F devices can be manufactured by any company (and are).

I agree that the ideal situation would be a device that is completely under the control of the user, but compared to iOS or Android, a hardware token that only does what it is supposed to do (in the case of the U2F tokens: register and sign authentication requests), and cannot be modified by the manufacturer after sale, is very much preferable.

That's not a difference. You are also free to choose among many different smartphone manufacturers and OSes, all of which are capable of running a TOTP app.
I had the same question as you and the only thing I could think of was that our phones can be hacked too. It's a publicly facing device as well and has multiple vectors for attack vs. a standard dedicated 2F auth device.