As part of our ongoing commitment to high levels of information security, we've added another factor of authentication to critical systems.
Two-factor authentication has become something of an IT buzz-phrase in recent years. It's as old as the Linux hills, but the vast majority of people remained ignorant until the likes of Google started making a fuss about it and making it easier, with tools like the Google Authenticator for your phone.
At Code Enigma we've always had two factors of authentication on all our servers: your Code Enigma password and something called an SSH key-pair (if you care about the nitty gritty of how that works, here's a starting point). The key-pair means you hold a secret private "key", a file on your computer, and only someone who possesses a copy of that file can access your server. Physical security, if you will. If that file never leaves your computer, someone would have to physically steal or compromise your computer to get it, so it's pretty secure. We actually insist Code Enigma staff encrypt their hard disks and have strict rules around key handling as part of our ISO 27001:2013 certification, which makes it even more secure.
This is a very rigorous approach, but there are still problems. Firstly, you are still dependent on users having a strong password for the Code Enigma password factor to be of much value, which means we have to set really strict password requirements, which people hate. No one likes passwords, EVER. They like them even less if they have to create at least one special character, at least three numbers, etc. etc. Secondly, SSH private keys can be mishandled and they can be copied. There's no way we can know an SSH key has not been compromised secretly and copied numerous times, distributed amongst a network of people with malicious intent, potentially without the owner of the key even being aware.
Enter the YubiKey. This is a neat little device you can pop on the same keyfob as your house keys, which is pre-programmed to generate a secure, single-use password at the touch of a button, totally unique to that device, which can be validated by a third party to confirm the device and guarantee we know the owner. The YubiKey cannot be hacked, it cannot be copied, it cannot be snooped upon. The only way to access a server protected by a YubiKey is to physically have the very YubiKey which is specifically permitted to access that server. In other words, you have to steal it. And as soon as it's reported stolen and deactivated in our systems, it is useless again, a little $25 chunk of plastic and metal.
Now, there have been questions about the concept of "BadUSB", the idea being that it could be possible to alter the way certain USB devices behave by altering the software they carry "on board". But Yubico have been unequivocal on this: the YubiKey is not exploitable by the "BadUSB" concept. So that's good too.
What does implementing YubiKeys mean for us then? Well, it means a far higher level of certainty when authenticating someone than we had with SSH keys alone (though we still use SSH keys as well). It means we can relax our password requirements a little, because while we don't want our passwords to be silly-easy to crack, they certainly don't need to be as rigorous when they're only one of several authentication factors the bad people need before they can do any damage.
Another neat addition: Yubico offer an authentication service called YubiCloud, which is free to use and makes it easy to implement YubiKeys in your software, but they have also open-sourced their Validation Server software, so you can, like Code Enigma, run your own validation service and be completely autonomous.
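To make the single-use property concrete, here is an added example (not Code Enigma's or Yubico's code) of the checks a validation server runs on a YubiKey OTP: ModHex decoding, AES-128 decryption of the token with the key's secret, the CRC and private-identity checks, and the counter comparison that rejects a replayed OTP. The 12-character public ID, AES key and private ID are constructed sample values, and `make_otp` stands in for the key itself so the whole exchange runs offline.

```ruby
require 'openssl'
MODHEX = 'cbdefghijklnrtuv' # the 16 letters a YubiKey "types"; they survive any keyboard layout

# CRC-16 (poly 0x8408, init 0xffff): run over a token that carries its own CRC it leaves 0xf0b8.
def crc16(bytes)
  bytes.inject(0xffff) do |crc, b|
    crc ^= b
    8.times { crc = (crc >> 1) ^ (0x8408 * (crc & 1)) }
    crc
  end
end

# An OTP is 12 ModHex chars of public ID followed by 32 ModHex chars (16 bytes) of AES ciphertext.
def modhex_decode(s)
  nibbles = s.each_char.map { |ch| MODHEX.index(ch) or raise ArgumentError, 'not ModHex' }
  nibbles.each_slice(2).map { |hi, lo| (hi << 4) | lo }
end

# One enrolled YubiKey as the validation server stores it; whatever callers pass in is constructed data.
class Device
  def initialize(public_id, key, uid)
    @public_id, @key, @uid = public_id, key, uid # 12-char public ID, 16-byte AES key, 6-byte private ID
    @last_ctr = -1 # highest (use counter, session counter) accepted so far: the single-use check
  end

  # Validation-server side: decrypt, then check integrity, identity and replay. Returns a symbol.
  def verify(otp)
    return :unknown_key unless otp.length == 44 && otp[0, 12] == @public_id
    pt = aes_ecb(:decrypt, modhex_decode(otp[12, 32]).pack('C*')).bytes
    return :bad_token unless crc16(pt) == 0xf0b8 && pt[0, 6] == @uid.bytes
    ctr = (pt[6] | pt[7] << 8) << 8 | pt[11] # use counter (little-endian) then session counter
    return :replayed unless ctr > @last_ctr
    @last_ctr = ctr
    :ok
  end

  # Plays the YubiKey itself; present only so that sample OTPs can be minted offline.
  def make_otp(use_ctr, session)
    pt = @uid.bytes + [use_ctr & 0xff, use_ctr >> 8, 0, 0, 0, session, 0, 0] # uid, ctr, tstamp, session, rnd
    crc = ~crc16(pt) & 0xffff
    ct = aes_ecb(:encrypt, (pt + [crc & 0xff, crc >> 8]).pack('C*'))
    @public_id + ct.bytes.map { |b| MODHEX[b >> 4] + MODHEX[b & 0xf] }.join
  end
  def aes_ecb(mode, block) # one raw AES-128 block: no padding, no IV
    c = OpenSSL::Cipher.new('aes-128-ecb').public_send(mode)
    c.padding = 0
    c.key = @key
    c.update(block) + c.final
  end
end
```

Deactivating a reported-stolen key is then just removing its `Device` record from the validator, after which its OTPs fail the first check.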
We're really happy with this solution, we hope our clients will embrace it too, and if you want to secure your Linux servers with YubiKeys, drop us a line. All that remains is to see it working:
Lovely picture of a tray of YubiKeys by Jamie.