My practical security talk has a section on two-factor authentication where I normally whip out my phone and talk about the Google Authenticator app. Google Authenticator is perhaps the best known method for providing that second factor (ignoring email/SMS); however, others do exist, including security tokens.
The second thing I get from my pocket is a Feitian ePass, which is what I use as a security key and have done for a while. I’m often asked whether I recommend the Feitian device over a YubiKey, and there is some interest in how to set up security keys for WordPress, so this post will cover both.
Once upon a time
My original security key was a YubiKey. I had it for years and the implementation was pretty clunky; at one point I was running my own Validation Server to “simplify” things. Since then things have improved a lot for both YubiKey and security keys in general. The key itself was reasonably robust right until I drove over it, in one of those moments that is super funny to look back on. With its passing I switched to using Google Authenticator and our tale drifts into history.
Roll on a couple of years and I was getting a shiny new phone (OnePlus 5T). This was my first major phone upgrade for years; my previous Moto 4G had served me well but had nothing on the new phone. I was excited to start playing with NFC and had already considered getting a new security token with NFC so it would work on both the phone and the Mac.
Indeed my requirements were pretty simple:
- Implement the U2F specification (which is becoming the de facto security key standard)
- Work without issue on CentOS/Ubuntu and macOS
- Have NFC support to work with my then-new phone
Thankfully, a month earlier Adam Langley had done a great blog post rounding up the current crop of security keys, so I wasn’t starting from scratch. Armed with my list I realistically had two choices: the Feitian ePass or the YubiKey Neo.
The YubiKey Neo (not to be confused with the Nano) is really feature rich and supports a range of protocols beyond U2F; it’s also nearly 4x the price of the ePass. Still, it had a lot going for it, including the fact that YubiKey is the major player in this market.
It’s probably worth mentioning at this point that Feitian is a Chinese company and has a mixed reputation, with several folks accusing it of working with Chinese authorities. These seem really valid concerns, especially if you are worried about the threat of state actors or corporate espionage. As such you probably shouldn’t be considering these keys if you work for a government agency or at a top secret research facility. For me, with my pragmatic tin foil hat on, the risk is limited: this is a second factor, so should it be compromised an attacker would still need to know my password to exploit it.
With fears allayed, two ePass keys were on their way from Amazon. Two?
Whenever I register a security key on a site, I register two: my primary and the backup that goes in the safe. Should my primary key be lost, the one in the safe can be retrieved and used to disable it across multiple sites. Most sites that support U2F also support things like HOTP & OTP tokens via Google Authenticator, so it is possible to use just one token and fall back to your alternate factor to log in. However, for the price, it seems simpler to just buy two tokens.
When they arrived there were two little brown packets, each containing a key and, well, nothing else. No instructions, warranty or anything like that, just the key and a QR code on the box. Scanning the QR code took you to a URL containing a PDF; downloading and opening the PDF, I found…
The PDF was a single line containing a URL to another PDF, this one a manual in Chinese. I will admit some of this did cause me to pause. I mean, how hard is it to 301 a link? Anyway, a Google search found the actual manual, which was about as useful as you would expect: marketing guff, a spec sheet and a tutorial for syncing to your phone that didn’t match anything.
So did it work?
Getting it working with a Google Account was fairly easy, though importantly you MUST already have Google Authenticator set up and working for the option to attach a security key to appear; once you have the security key(s) added you can remove Google Authenticator. Why this is the case I don’t really know, but it was a gotcha that took me some time.
Second big gotcha: the NFC side of things only works in compatible apps on your phone, and the only browser that supports it is Chrome. So to be able to log in and use the security key you have to visit the site using Chrome for Android on your phone. Also, NFC is really low powered, meaning the key has to be very close to the NFC chip in your phone. All the diagrams show placing your key in the centre of your phone, and doing so makes you look suitably silly. Instead, for the OnePlus 5T you need to place the key at the top, adjacent to the camera. However, once I had this figured out it’s a fairly smooth process.
Adding it to other sites which support U2F was fairly simple for Facebook and GitHub (though again I needed to have enabled two factor with another device first). The number of sites that support U2F is still small, and there are some noticeably big names missing from the list, Amazon and PayPal among them. The latter is particularly annoying as they are part of the group of companies that came up with the specs.
Enabling U2F security keys on your WordPress Site
Getting a security key working on your site is fairly easy. The first step is to install the Two-Factor plugin. This is a feature plugin; the goal was to get it into WordPress core. Unfortunately that plan seems to have stalled, but it is still probably the best two-factor authentication plugin currently available. I would recommend doing the initial setup with the key plugged in via USB on a PC rather than over NFC.
- Once installed, go to your user profile and navigate down to Two Factor Options.
- Click Enable for “FIDO Universal 2nd Factor (U2F)”.
- A new section called Security Keys will appear on the page.
- Insert your security key into a USB port and click “register new key”.
- Press the button on your key, which is now flashing.
The keys already registered will be shown, along with when they were registered and last used. Keys can also be named and revoked.
You can enable other factors as well, setting your preferred factor as the primary choice.
When the user next logs in, they will see the normal login form. On successful login they will be presented with a new page and, if on the desktop, asked to insert their security key. They then insert the key, press the button and are redirected automatically.
If using Android, Chrome and NFC, when clicking through on successful login they will be redirected to Chrome’s internal checker and asked to present the key to the NFC reader. Once done, it loops back through.
I particularly like the fact that, unlike many other plugins, Two-Factor puts its dialog after successful login. This means it’s possible to use plugins that replace the standard login form and still use two factor. It also means that the login flow is identical whether or not two factor is enabled, presenting a more consistent user experience.
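What happens on the site’s side of that “insert the key and press the button” step, as an added example that is not the Two-Factor plugin’s code, Feitian’s or Yubico’s: a Python simulation of a U2F sign response and the checks a relying party performs on it. It builds the U2F signed-data layout (SHA-256 of the AppID, the user-presence byte, the 4-byte counter, SHA-256 of the client data), signs it with ECDSA over P-256 using a simulated token, and then has the server verify the challenge, the signature, the presence flag and that the counter went up. The AppID, challenge format, key record and the SimulatedKey class are all constructed for this example; a real response carries the signature DER-encoded and the public key as 65 uncompressed bytes, which this example leaves out, and the curve arithmetic is a plain (non constant-time) textbook version for illustration only.

```python
"""Added example: relying-party checks on a U2F authentication response (simulated token)."""
import hashlib
import json
import os
import struct

# NIST P-256 domain parameters; U2F signatures are ECDSA over this curve.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (textbook, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(priv, digest):
    z = int.from_bytes(digest, "big")
    while True:
        k = int.from_bytes(os.urandom(32), "big") % N
        r = _mul(k, G)[0] % N if k else 0
        s = pow(k, -1, N) * (z + r * priv) % N if k else 0
        if r and s:
            return r, s

def ecdsa_verify(pub, digest, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def signed_bytes(app_id, presence, counter, client_data):
    """U2F raw message layout: sha256(appId) || presence || counter(4, BE) || sha256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + presence
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())

class SimulatedKey:
    """Stand-in for the hardware token (constructed): private key plus its monotonic counter."""
    def __init__(self):
        self.priv = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
        self.pub = _mul(self.priv, G)      # the site stores this at registration
        self.counter = 0

    def authenticate(self, app_id, client_data, touched=True):
        self.counter += 1                  # the real token increments on every sign
        presence = b"\x01" if touched else b"\x00"
        digest = hashlib.sha256(signed_bytes(app_id, presence, self.counter, client_data)).digest()
        return presence, self.counter, ecdsa_sign(self.priv, digest)

def verify_authentication(record, app_id, expected_challenge, client_data, presence, counter, sig):
    """Relying-party checks, in order: challenge, signature, user presence, counter."""
    if json.loads(client_data).get("challenge") != expected_challenge:
        return "challenge mismatch"
    digest = hashlib.sha256(signed_bytes(app_id, presence, counter, client_data)).digest()
    if not ecdsa_verify(record["pub"], digest, *sig):
        return "bad signature"
    if presence != b"\x01":
        return "user presence not asserted"      # the button was not pressed
    if counter <= record["counter"]:
        return "counter did not increase"        # replayed response or a cloned key
    record["counter"] = counter
    return "ok"

def demo():
    """Two genuine logins succeed; replaying the second response is rejected."""
    key, app_id = SimulatedKey(), "https://example.org"    # constructed AppID
    record = {"pub": key.pub, "counter": 0}                 # per-key record kept by the site
    results = []
    for _ in range(2):
        challenge = os.urandom(16).hex()
        client_data = json.dumps({"challenge": challenge, "origin": app_id}).encode()
        response = key.authenticate(app_id, client_data)
        results.append(verify_authentication(record, app_id, challenge, client_data, *response))
    results.append(verify_authentication(record, app_id, challenge, client_data, *response))
    return results   # ["ok", "ok", "counter did not increase"]
```

The counter check is the part people forget: it is what lets a site notice a response being replayed, or a second device signing with a copied key, which is also why the backup key in the safe needs its own registration rather than being a copy of the primary.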
So is it worth it?
I think so. Hardware tokens for me are simpler and less faffy than using Google Authenticator, which I know is subjective. It also reduces the reliance on my phone, albeit at the cost of yet another device. Specifically, the Feitian ePass is pretty robust; the lack of documentation is a tad annoying, but it seems well built and reliable. It’s also cheap enough that having backups is not going to break the bank. The NFC capability is limited by it only really being usable in Chrome on Android. This may change as other browsers implement the U2F spec, but it’s currently annoying as Chrome is not my primary browser on my phone. All in all I’m pleased with the keys and would recommend them. While you can’t do away with Google Authenticator entirely, they are a great start.