Unmaintained space

Store your TOTP seeds on a Yubikey

2022-02-28 677 words (~4 min) hardware software yubikey totp mfa vpn sysadmin openvpn opnsense

TOTP is a very common method that websites implement to provide a second authentication factor, and very often, it is recommended to use the proprietary Google Authenticator™ app on your Android phone. For years, I've been using the great andOTP app available in F-droid as a FOSS alternative, since I don't have access to the Play Store.
And yes, I know of Aurora Store, but I see it only as a workaround for people with no Google account, rather than a true solution to Google's hegemony in the smartphone world.

In any case, the main problem with this application-based solution is well-known: a smartphone breaks easily.
I've been carrying mine since 2017, which is quite a long time for such a device, and it's now starting to fall apart, with the screen already cracked, a battery time that I can't rely on, and a protective case in a disastrous condition, that I find pretty pointless to replace given the state of the phone.

Long story short, my ~~phone~~ second authentication factor can die anytime, leaving me in a state where I can only use my Yubikey on the websites I could activate it on, and no other solution than the recovery codes for the rest. This is pretty bad, and I wonder how people who don't have Yubikey-like solutions do when they drop their phone from a bit too high...

Solutions to that are multiple:

Do nothing and keep recovery codes for bad situations.
Use a desktop TOTP app, which is not a very nomad solution when I need to access an account from a friend's computer.
Store the TOTP seeds in my password manager, which breaks the principle of dividing the different MFA information.
Store the TOTP seeds directly into my Yubikey, which is a nice solution I only recently discovered: the secrets are well-protected, in a very hard to break device, that is also very lightweight, and that I can keep stringed to my belt (as I already did anyway). In addition, it brings consistency for my second authentication factor, even with website that don't support FIDO2-based MFA.

The last solution is moreover very easy to set up, thanks to Yubico's nice work:

Want a GUI? Go for the desktop app: https://github.com/Yubico/yubioath-desktop
Want to script? A CLI solution is here: https://github.com/Yubico/yubikey-manager

Both software are cross-platform, easy to install, packaged in most distributions, and their UI is pretty straightforward. They allow me set a password to protect the access to the codes (a Yubikey can still get stolen!), and I've yet to find the limit to the number of seeds I can store (currently 19!).

Another nice use-case for this, is to provide a TOTP-protected OpenVPN access to some people without the complexity of PAM-based or PIV-based solutions. OPNsense makes that server configuration very easy.

As a good friend reminded me, super top-notch TOTP becomes very less useful when you already have strong and unique passwords everywhere through a password-manager. So go use one! There are plenty available!
Still, 2FA doesn't hurt, particularly when you are the one enforcing it from an admin perspective: even if you generate strong and unique passwords for your users, you can't rely on them for keeping them safe indefinitely. Having their access protected both by something they know and something they own is a welcome peace of mind for me.

Also, for some very important accounts, I'd say better safe than sorry, and I personally don't mind the extra security step.