ossf / great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.

Token setup guidance: Create high-quality educational materials for OSS maintainers about how to use hardware tokens to protect their projects #5

Open jenniferfernick opened 3 years ago

jnaulty commented 2 years ago

I think we can start with the most basic use case for a hardware token (using as a 2FA device for protecting digital accounts).

My favorite resource for setting up Yubikeys is: https://github.com/drduh/YubiKey-Guide It is a bit 'exhaustive' though, and probably isn't the best guide for newcomers.

A group called hashbang has a book that has useful information for various hardware tokens: https://book.hashbang.sh/docs/security/personal-hsms/ as well as some guides on setting up 2FA: https://book.hashbang.sh/docs/security/2fa/

joshbressers commented 2 years ago

I spoke with @david-a-wheeler a bit on the planning committee call today and offered to help with these docs. I've done some writing on setting up YubiKeys to do SSH and GPG in the past (so long ago I can't even find what I wrote).

I want to restrain the scope of the documentation

The features of the Titan Security Key and YubiKey are different (this is based on my current research; I have a Titan Key in the mail at the time of writing, and I can clarify some of this once it arrives). The Titan supports FIDO MFA. YubiKey supports FIDO as well as a number of other features I don't want to list.

For example, the YubiKey guide mentioned above explains how to use the key as a smart card to hold encryption, signing, and authentication keys. In my past experience, making a YubiKey work as a smart card is non-trivial and generally fragile. This is not the fault of YubiKey; all smart cards suffer from this problem.

As such, I want to focus on how to use FIDO MFA in the guide. This should mean we really only need one guide for both YubiKeys and Titan keys, which will be good for the key recipients.

joshbressers commented 2 years ago

Here is the start of this guidance https://github.com/joshbressers/great-mfa-project/blob/main/guide/key-usage-guide.md

I won't try to submit a PR until it's more complete. I would welcome feedback on the basic structure and themes

david-a-wheeler commented 2 years ago

Please create pull requests ASAP. We need to have the docs ready by December 2, 2021, which is in only a few days. We thought we had a lot more time, but we just learned that the Google coupon codes expire at the end of this calendar year!!

Yes, that's a really short deadline. However, I think we can primarily point to other existing materials, or develop short specific guidance for specific cases. Many of the problems we thought we'd originally have in safe distribution are resolved by us not doing the distribution at all; we're only distributing coupon codes / validation codes. Also, by asking the projects to identify their key individuals, we don't have to do it (the projects best know who to contact anyway).

joshbressers commented 2 years ago

Here you go @david-a-wheeler https://github.com/ossf/great-mfa-project/pull/22

joshbressers commented 2 years ago

While working on this guide it's become clear there is some additional work that probably needs to happen.

I just want to note this here for the moment; I don't know what we want to do with this info. My only concern is guide content for now.

david-a-wheeler commented 2 years ago

We've merged in some educational materials. Improvements would be welcome!!

bkmgit commented 2 years ago

Would you also expect to support Open TOTP hardware, for example: https://github.com/rrozestw/TOTP-Arduino This would allow for reduced shipping costs, development of technical ability in many regions, critical review of both hardware and software, some innovation in ease of use and hence increased security. As an example NIST usually sponsors open competitions for cryptography standards to ensure security and community inspection.