About Freedom of the Press Foundation (FPF)
Freedom of the Press Foundation is a 501(c)3 non-profit organization supporting public interest journalism through cutting-edge technical support, advocacy, and education. FPF is built on the recognition that transparency journalism doesn’t just happen. It requires dogged work by journalists, and often, the courage of whistleblowers and others who work to ensure that the public actually learns what it has a right to know.
Below is an interview with Harlo Holmes, Director of Newsroom Digital Security, at Freedom of the Press Foundation.
Why and where has FPF deployed strong authentication?
Internally, all staff use YubiKeys for both Universal 2nd Factor (U2F) and GPG (GNU Privacy Guard). Without our YubiKeys, we could not responsibly secure important communications, and our accounts on the multiple frameworks we use to get our jobs done. In our digital security training program, we also strongly advocate using YubiKeys to each client we train (for U2F at a bare minimum).
Why did FPF choose the YubiKey for strong authentication?
Durability, trust in Yubico, and price are all huge factors in our decision. Other hardware options in the market are bulky, brittle, and expensive to replace. As far as U2F goes, it’s nice to have multiple YubiKeys for a variety of purposes, including back-up. Nice prices make that possible.
What work was required to integrate the YubiKey into FPF authentication?
FPF had seen the benefits of using YubiKeys for U2F since the very beginning. All employees are required to enable two-factor authentication on all accounts, and use the hardware token option wherever available. Before the YubiKey 4, we were using smart cards from another vendor; most of us switched over to YubiKeys either once the original hardware broke, or when we changed PGP subkeys.
How do you handle initializing the cryptographic secrets in the YubiKeys?
We all studied how to properly initiate a YubiKey 4 as a GPG smart card. That task only really required a few packages (which we installed on our Debian machines). The process to push a PGP key to a smart card can be daunting, but that goes for any smart card — not only YubiKeys. U2F works out-of-the-box; nothing was necessary to get started there. In some cases, we also advocate using YubiKeys as the second factor for SecureDrop instances (since it works well with the 2FA PAM module installed on the servers). We do not yet have a policy on using YubiKeys for full disk encryption (FDE), but some of us have explored that functionality on our own, out of curiosity.
What has the user experience feedback been?
Journalists in our training really love their YubiKeys. We have only had a handful of trainees using YubiKeys as GPG smart cards, and they tend to be tech-savvy enough to navigate the card-edit functions. Those trainings took a bit of hand-holding, but luckily the accompanying software from Yubico doesn’t take much time to install, and once that’s done, the tough part is wrangling with OpenPGP. The vast majority of our trainees have only been using it for U2F, and they love it because it’s incredibly easy. I’ve also started to notice that YubiKeys work very well with “dumb phone” users, older users, and people who are less technically-savvy. The physicality of the object seems to give them more confidence that they, too, can be more digitally secure, even when the digital world seems hard to navigate.
What is your experience working with Yubico?
Excellent support from the Yubico sales team, for which we are very appreciative. We also feel well-connected to the company enough to ask any questions, regarding usage, training, or even highly technical ones. This transparency and accessibility goes a long way in establishing trust in the company.
Find out more about YubiKey for Businesses