I work as a developer at Yubico. Like a lot of developers these days I’m empowered to not only develop software, but to publish it and configure the servers it runs on. This means that I have access to many systems, to which I authenticate using different keys.
The Key to Henrik’s Day

| YubiKey NEO feature | Authentication uses |
|---|---|
| OTP | Salesforce, Yubico Forums, WordPress |
| PGP | Signing code changes |
| SSH (via PGP) | Servers |
| NFC (+ OTP) | Unlocking office door |
| NFC (+ TOTP) | Facebook, GitHub |
| Mifare Classic ID (+ code) | Unlocking door to office building |
I store these keys on my YubiKey NEO, from which they can never leave, and let it do all authentication and signing. This means I am assured no one accesses systems in my name, even if they’ve stolen my laptop or have my passwords.
To make this more concrete, I have documented a regular workday.
Entering the office building
The office building doors are unlocked using plastic fobs. Fobs are identified using their ID (Mifare Classic UID). Since my YubiKey NEO supports Mifare, I use it instead.
A few minutes later I swipe my NEO again to unlock the door to the Yubico Stockholm office. This lock (sold by KEYnTO) is more secure since it uses YubiKey One-Time Passwords.
Yubico, like many other companies, uses Google for e-mail, calendar and documents. Google encourages you to use a Security Key (U2F device) to protect your account.
Needless to say (since Yubico is a driving force behind U2F), I use my YubiKey for this as well.
Checking the forum
Yubico’s forum runs PhpBB and uses YubiKey One-Time Passwords as a second factor for authentication.
Checking Facebook during lunch
I’ve configured Facebook to “keep me logged in” on trusted devices. But when I log in to Facebook (and Dropbox, GitHub, etc.) from untrusted devices, I’m asked to enter a 6-digit time-based code. To get the code, I just tap my NEO to my phone (the code is transferred using NFC). This has a couple of advantages:
- The secrets used to generate the codes never leave my YubiKey, so I don’t have to worry about phone malware or securely wiping the phone when selling it.
- I’m not tied to a single phone. I can even use a friend’s phone if mine is out of battery.
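To make the time-based code concrete, here is an added example (not Yubico code) of the RFC 6238 TOTP computation the key performs over its stored secret, plus the check a site such as Facebook or GitHub does on the other end. The seed is the 20-byte RFC 6238 test-vector key, not a real credential; the window tolerance on the verifying side is an assumption about how a typical relying party handles clock skew.

```python
import hmac
import hashlib
import struct
import time

# Demo key: the 20-byte ASCII seed from the RFC 6238 test vectors, not a real credential.
# On a YubiKey NEO the seed stays on the device and is never read out; the phone only
# supplies the time-derived counter and receives the 6-digit code back over NFC.
SEED = b"12345678901234567890"
STEP = 30     # seconds per time step
DIGITS = 6    # what Facebook/GitHub ask the user to type


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Relying-party check (assumed policy): accept the current step and +/- `window`
    neighbouring steps to tolerate clock skew, comparing in constant time."""
    counter = unix_time // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SEED, now)
    print("code the key would return now:", code)
    print("accepted by the verifier:", verify_totp(SEED, code, now))
```

The fixed-time values this produces match the published RFC 6238 SHA-1 test vectors truncated to six digits (for example, time 59 gives 287082).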
Pushing code to Git
Today, I’m working on our developer portal, developers.yubico.com. After a few hours of coding, I’ve got something that I’m ready to publish. I type “git push” in the terminal, enter my YubiKey’s PIN and let it authenticate me to GitHub. My private SSH key never leaves the YubiKey.
Connecting to a server via SSH
My new code isn’t working as expected, so I SSH into the web server hosting developers.yubico.com to have a look in the logs. Once again, my YubiKey does the authentication.
Signing released software
I spent the afternoon adding some features to our U2F library for Java. In order to publish the release, I have to sign the artifacts using OpenPGP. Luckily, the build system (Maven) has a plugin for this. All I have to do is to type “mvn deploy -P release” and the YubiKey will sign the files using my PGP key.
Things I didn’t do today
I use my YubiKey for even more things. Here are some of the things that I didn’t do today:
- Logging into Yubico’s website that’s running WordPress, using FIDO U2F.
- Logging into Yubico’s Salesforce instance, using a YubiKey One-Time Password.