Lost YubiKey Best Practices

We hope that you will not lose your YubiKey, but for larger deployments and serious use, establishing processes around lost YubiKeys is an important and challenging aspect. Yubico has offered the YubiRevoke service to help with this aspect, which is a centralized way to disable YubiKeys validated through the YubiCloud. Initially we thought this was a natural part of a YubiCloud service. The more we have worked with customers to establish and recommend practices around use and deployment of YubiKeys, though, we have come to reconsider this recommendation. We have realized that a centralized service for revoking a YubiKey often leads to deployments that are ineffective to use for administrators, and it introduces a new set of security considerations for deployments.

For systems that use YubiKeys validated through the YubiCloud, the standard pattern is to setup a service that performs authentication using username, usually a password, and a Yubico OTP. These systems usually have an administrative interface, of varying level of sophistication, for managing users. Technically the system performs authentication by validating the username and password, and then validates the Yubico OTP against the YubiCloud to achieve two-factor authentication. For example, the system may be as simple as a WordPress blog with the YubiKey plugin, or Unix (typically Mac or GNU/Linux) login using the PAM module. The WordPress system has its user management interface, and Unix has its own user management and configuration interface. When a YubiKey is lost, to regain access to the system, the administrator has to provide a mechanism for users to associate a new YubiKey, or at least temporarily disable two-factor authentication. When YubiRevoke is used, customers sometimes end up implementing procedures for administrators to disable the YubiKey in both systems, which is inefficient.

A centralized revocation system for YubiKeys also introduces security considerations for deployments. Our revocation system depends on good authentication, and with access to an admin account, you can disable a YubiKey immediately. For larger deployments, having an attacker gain access to the administrator password/OTP could lead to situations which are difficult to recover from — consider for example if the attacker (maybe a disgruntled employee) changes the YubiRevoke password and disables all your YubiKeys. Implementing proper social recovery mechanisms on our side is not cost effective, and there will always be room for doubt. There is also a risk for Yubico to host a service that is using username/password authentication, since that will become a target of attacks.

For the reasons above, Yubico is planning to decomission our YubiRevoke service on the 1st of October 2014. We advise customers to simplify their processes around revocation to not involve the YubiRevoke service. We will disable new YubiRevoke account registration on June 13th 2014, and disable adding new Yubikeys to existing accounts on the 1st of August 2014. Please find below a quick FAQ around this.

Q: If I lose my YubiKey what should I do?
A: You should login to the sites where you used the YubiKey on and change the account settings to use your replacement YubiKey instead.

Q: What if I can’t login to the site to change my settings?
A: Use the service’s authentication recovery method.

Comments are closed.