keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Feature request: Yubikey 2-factor support? #808

Open kingmatusevich opened 10 years ago

kingmatusevich commented 10 years ago

I know right now maybe it's not top priority, but I wanted to put it out there: whenever you get the chance, maybe show the Yubikey a little love and add 2-factor support for online operations (plus of course the usual 2-factor software suspects, e.g. Google Authenticator)? I think a second factor eventually should be added, and it makes sense that a strong, hardware-based competitor like the Yubikey could be in the mix. I feel the crypto community would be glad if you did.

timbray commented 10 years ago

There's this thing called the Fido Alliance, led by Yubi and a competitor, Nok Nok, who are trying to write a standard protocol so you could do portable 2-factor without locking yourself into a dongle builder. Assuming they actually deliver something useful, that would be an attractive candidate to use.

DanielMason commented 10 years ago

I would be happy with Google Authenticator, but any 2FA will be better than none.

ghost commented 10 years ago

There are actually already some plans to support 2FA. @maxtaco described it inside the Wiki. That said, I would also like to see this become a thing.

WowSuchRicky commented 9 years ago

How's this going? I would be happy to help somehow, but haven't really worked with these protocols before.

oconnor663 commented 9 years ago

We're not working on 2fac directly right now, and that wiki article is kind of out of date. The main reason is that the way private keys will work in the future is pretty different from how they work now. Rather than having your identity tied to One PGP Key To Rule Them All, the goal is for you to have a key for every device you own, which is generated on that device and never leaves it. Once that's up and running, those keys will be your second factors. Or really first factors, since a random 256 bit key is a lot stronger than the passwords most people pick, and very difficult to phish. They also have the benefit of being a secret that the server doesn't share, so they can protect you even when your attacker is the server itself.

So long story short, we will end up with something that looks a lot like 2fac, but it will probably not involve Google Authenticator.

ghost commented 9 years ago

What happens with the people who not only use keybase but also the Web of Trust and therefore don't want new keys since they are not really usable in the WoT?

oconnor663 commented 9 years ago

@dtiersch We plan to always support PGP keys alongside new style (NaCl) keys, so you won't have to give up the WoT. If the original key in your account is a PGP key, you could also interpret the NaCl keys as being part of that WoT, since they will all have been (directly or indirectly) signed by that PGP key.
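The chain of endorsements described above (every new per-device key signed, directly or indirectly, by the account's original key), as an added Go example that is not Keybase's own code: it uses Ed25519 in place of a PGP root key and a simplified link format of my own, and rejects any link whose signer was not already trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Link: a new per-device key endorsed by a signer that is already trusted
// (the account's root key or an earlier device key).
type Link struct {
	NewKey, Signer ed25519.PublicKey
	Sig            []byte
}
// linkMsg domain-separates the signed bytes from other signatures by the same key.
func linkMsg(newKey ed25519.PublicKey) []byte { return append([]byte("device-key:"), newKey...) }
// SignLink lets an already-trusted key endorse newKey.
func SignLink(signer ed25519.PrivateKey, newKey ed25519.PublicKey) Link {
	pub := signer.Public().(ed25519.PublicKey)
	return Link{NewKey: newKey, Signer: pub, Sig: ed25519.Sign(signer, linkMsg(newKey))}
}
// VerifyChain walks the links in order and returns every device key endorsed
// (directly or indirectly) by root; an untrusted signer or bad signature rejects the chain.
func VerifyChain(root ed25519.PublicKey, chain []Link) ([]ed25519.PublicKey, error) {
	trusted := map[string]bool{string(root): true}
	var devices []ed25519.PublicKey
	for i, l := range chain {
		if !trusted[string(l.Signer)] {
			return nil, fmt.Errorf("link %d: signer is not a trusted key", i)
		}
		if !ed25519.Verify(l.Signer, linkMsg(l.NewKey), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		trusted[string(l.NewKey)] = true
		devices = append(devices, l.NewKey)
	}
	return devices, nil
}
// GenKey makes a fresh keypair (stand-in for the PGP root or a device key).
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return pub, priv
}

func main() {
	root, rootPriv := GenKey()
	dev1, dev1Priv := GenKey()
	dev2, _ := GenKey()
	devs, err := VerifyChain(root, []Link{SignLink(rootPriv, dev1), SignLink(dev1Priv, dev2)})
	fmt.Println(len(devs), err) // 2 <nil>
}
```

Because dev2 is endorsed by dev1 rather than by root, it is trusted only transitively; reordering the links or substituting a signer the chain never introduced is rejected.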

zQueal commented 9 years ago

> We're not working on 2fac directly right now [...] the way private keys will work in the future is pretty different from how they work now

Even still, I have to say that's very disappointing. I think I understand the new key system that you guys are trying to implement, and I'm still a little wary of using this personally (not just for testing) with my actual PGP key (personal/work) without 2FA. I know the tech in and of itself isn't fallible, but I feel so much safer with it enabled. Especially so when I plan to upload my private keys to Keybase in the future.

Have you removed it from the roadmap? Or simply aren't focusing on it right now?

hkjn commented 8 years ago

Is there some update available here? (i.e. giving this issue a priority label, assignee, rough roadmap estimate, etc.)

Even as a placeholder for a future solution, I'd be happier using and promoting keybase.io if it allowed us to protect access to the web UI with 2FA via Google Authenticator.

WowSuchRicky commented 8 years ago

@hkjn I second this. Even if not Yubikey, some sort of universal 2FA like GA would be great. And again, I don't know the project very well, but I'm willing to "donate" whatever spare time I have towards helping out with this if someone reaches out.

mhalano commented 8 years ago

Any news about that? Authentication using OTP, and especially U2F, is an important feature in security services like LastPass. A lot of services like GitHub, Dropbox, etc., already support U2F.

jaycollett commented 7 years ago

While I understand the one-key-per-device idea, implementing OTP 2FA or the like isn't complicated and, if nothing else, helps educate individuals on the need to take more responsibility for security.

junderw commented 7 years ago

With the password alone, a malicious person could reset all my keys without access to my "first factor" devices.

Less importantly they could also mess with my notification settings or my bio and name etc.

The latter is less important... but if @oconnor663 and the rest of Keybase really want to push this "first factor" method, they should do the following:

  1. Require a provisioned device to approve the reset of all keys.
  2. Disable encrypted private key uploads by default and notify the user that "if you upload an encrypted private key, your private key is only protected by the password and there is no second factor protecting you." if they do decide to do so.

... otherwise, it would be great to have a 2FA based on provisioned devices, i.e. if someone tries to log in on the web UI, you are sent a chat message with the OTP.

Or TOTP-based 2FA is simpler and would suffice.

My method of security == just never log into the web UI.

naiagoesawoo commented 5 years ago

I support the addition of 2FA support, preferably with FIDO2 hardware keys and TOTP as options. SMS verification is inherently insecure.