Yubikey’d Google Authenticator

I’ve been using Google Authenticator for over a year now. I used it for 2FA with just my Google Account (initially), then Dropbox, Amazon Web Services, and finally, SSH access to my servers. I must admit, I was feeling somewhat pleased that I actually have some resistance against keyloggers and shoulder surfers. Then my boss, when I was showing him the app, simply said, “well, but your phone is quite hackable.”

And unfortunately, he’s right – smartphones are common enough that malware and trojans for mobile devices are no longer a remote possibility. I could try to secure my phone, but it’s hard to be sure that a device as complex as a smartphone is fully secure. My guess is, it’ll only be a matter of time before malware exists that harvests the secrets stored by applications like Google Authenticator, assuming it doesn’t exist already!

So, in February, I purchased two Yubikeys: one Yubikey Standard, and one Yubikey NEO. Yubikeys are 2FA tokens. Usually, you plug them in, they appear as a HID, you press the button, and it “types” a one-time password. They have a few modes of operation – they support static passwords, HMAC-SHA1 challenge-response, HOTP, and their own Yubikey OTP protocol. Yubikey OTPs need to be validated by a server, but Yubico does provide authentication servers for free. That said, I went ahead and ran my own authentication and validation servers. It takes a bit of effort, but it isn’t too difficult to set up.

The problem was, how do I migrate my existing Google Authenticator tokens so that I no longer have to rely on my phone being “clean”? Google Authenticator uses TOTP (the timestamp-based version of HOTP), but the Yubikeys have no internal RTC and battery, so it’s not possible for them to generate TOTPs directly. You can use HMAC-SHA1 challenge-response together with a phone (over NFC) or a PC (over USB) to get the same functionality, but there are only two memory slots on each Yubikey, so you can’t store more than two TOTP tokens per key.

My solution was to implement TOTP in a PHP application, and have that application verify a Yubikey OTP before generating and displaying TOTP codes. You can find the app I wrote here:

https://github.com/tan-ce/php-yubikey-oath

Note that this scheme is still arguably less secure than using the Yubikey on its own, but you do get to use a practically unlimited number of TOTP tokens. And I would argue that it’s much easier to secure a server than it is to secure a smartphone.
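The scheme described above, sketched as an added example in Python (it is not code from php-yubikey-oath): TOTP is HOTP with the counter derived from the clock, and codes are only released once a Yubikey OTP has been accepted. The `verify_otp` callback, the `owners` set and the `vault` mapping are assumptions standing in for a real validation-server client and secret store.

```python
import base64
import hashlib
import hmac
import struct
import time

MODHEX = set("cbdefghijklnrtuv")  # alphabet a Yubikey "types" its OTPs in


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # re-pad stripped base32
    t = time.time() if now is None else now
    return hotp(key, int(t) // step, digits)


def public_id(otp: str):
    """Public ID of a well-formed Yubikey OTP (modhex, 32-48 chars), or None."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or not set(otp) <= MODHEX:
        return None
    return otp[:-32]  # the last 32 characters are the encrypted part


def codes_for(otp: str, verify_otp, owners, vault, now=None) -> dict:
    """Release TOTP codes only after the Yubikey OTP is accepted.

    verify_otp: assumed callable that asks a validation server whether the
    OTP is genuine and unused; owners: set of enrolled public IDs;
    vault: {label: base32 secret}. All three are hypothetical.
    """
    pid = public_id(otp)
    if pid is None or pid not in owners:
        raise PermissionError("unknown or malformed Yubikey OTP")
    if not verify_otp(otp):
        raise PermissionError("Yubikey OTP rejected")
    return {label: totp(secret, now) for label, secret in vault.items()}
```

Replay protection comes from the validation server behind `verify_otp`, which rejects an OTP that has already been used; the gate itself keeps no state.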

5 thoughts on “Yubikey’d Google Authenticator”

  1. Curious

    Hi,

    I’m rather new to double authentication/Yubikey/GAuth/(x)otp, so I’m not even sure what your application does: does it give the same authentication tokens as the usual Google Authenticator apps, but only if we use our Yubikey?

    If someone breaks into the server, what’s the worst that could happen?

    1. tan-ce Post author

      This PHP app does the exact same thing as the Google Authenticator. Since it runs on a web server, which anyone can access, it will ask for a Yubikey One Time Password before showing you the codes.

      The reason I made this is to have more choice with regards to 2 factor authentication. So now, my choices are:

      (a) Use the Google Authenticator App. Pros: Easy to use; Cons: Depends on the security of your phone, be it physical security (eg. theft) or virtual (eg. malware)

      (b) Use the Yubikey natively. Pros: Only depends on the security of the Yubikey; Cons: Still needs the phone, and the Yubikey can only store codes for two accounts.

      (c) Use my PHP App. Pros: Can store codes for as many accounts as you want and depends on the security of the Yubikey. Cons: Also depends on the security of the server.

      I didn’t want to do (b) because I have more than two accounts with 2FA. Between (a) and (c), the difference is between whether you can depend on the security of a server or phone more. I decided that it’s easier to secure a server, especially if it does nothing but serve Yubikey authentication.

      For your second question, the answer is, “the same as if someone broke into your phone.” – they will have access to secrets used to generate the codes.

      I hope this clarifies. Let me know if I didn’t clear everything up.

  2. Curious

    Thanks !

    Your response makes it crystal clear (and I have also played more with Google Authenticator since my question). The main weakness with Google Authenticator seems to be the protection of the secret key. Maybe we could add a little security by encrypting and decrypting it with a password given by the user, and finding a way to alert the user if someone changes the server code (to store or send the decrypted password, for example).

    1. tan-ce Post author

      You’re referring to the app on the phone? I suppose that can be done, but it is less convenient – requiring two passwords. It’s hard to choose a good password that is memorable and has good entropy.

  3. www.dibts.com

    You are so interesting! I don’t think I have read a
    single thing like that before. So great to find another person with
    a few unique thoughts on this issue. Seriously.. thank you for starting
    this up. This site is something that is required on the web, someone with a little originality!
