Two-step verification increases the security of your account by requiring you to provide an additional code to complete the login process. If your password is ever compromised, this verification will help prevent unauthorized access to your account. As of this morning, we've finally been able to add Yubikey OTP back to the list of available 2FA options. As a bonus, we've also added FIDO U2F but I wont be able to test it until my FIDO Yubikeys arrive later this week edit- keys arrived and FIDO works just fine . You can manage your 2FA settings here: https://www.survivalmonkey.com/account/two-step. this can also be found in the menu under your username at 'Two Step Verification' as seen to the right. You have the option to 'Trust this device for 30 days' when you login with 2FA and also an option to disable 'trust' on all devices at any time. You can enable none, one, some or all forms of 2FA at SM. SM currently offers the following 2FA Verification Code via TOTP App (Google Authenticator, Authy, or others) FIDO U2F - Yubikey FIDO or other FIDO U2F device Yubikey OTP SMS verification code to mobile device Email Confirmation Backup Codes FIDO U2F Supports YubiKey 4 (incl. nano), YubiKey Neo, FIDO U2F Security Key, YubiKey Neo-N, YubiKey Edge, and YubiKey Edge-N NOTE: FIDO U2F is currently only supported by Google Chrome as of (02/23/2016). This older thread gives some more background on 2FA although the options are not identical to our current options. Two-Factor Authentication | Survival Monkey Forums. @DarkLight @stg58 @Hanzo
a Question: do you like this better than the app verification? I'm just asking because I can keep up with my phone but one more stick seems like more stuff to track so I'm just wondering why you like this better.
Mainly increased security. I wear a Yubi on a chain around my neck and also have one on my keychain. They're batteryless, waterproof and generally indestructible too. Google's two step authentication generates a 6 character code of only integers (1,000,000 possible codes). YubiKey generates a 44 character key containing a 12 character identifier (public key) that does not change, as well as a 33 character unique one time use private key that changes every time you press the OTP button on your YubiKey, this is nearly 5 sexquadragintillion (5 followed by 46 zeroes) possible keys.
@Ganado I was thinking about your question a bit more on my drive home. This type of security is probably overkill for a forum like ours and better suited for accessing financial systems and maybe corporate systems. Since I'm a security nut (thanks @sec_monkey), I utilize 2FA wherever it's offered and I like to be able to test these systems here. It also shows our members that we really do want them to learn about and use the highest online security available. All of these extra security steps take some getting used to but to me now they're just a part of logging into something and I'm more comfortable that the only accounts at risk of getting hacked are (unfortunately), my bank accounts which are extremely lax in security or any form of 2FA. Bad banks So do we need a 5 sexquadragintillion code in addition to a username and password to access an account on SM? Not really but if it helps people learn security here where it's not critical, it's worth the cost we've incurred to purchase and develop these extra modules.
Thanks! @melbo for that thoughtful answer. I am looking at various security and I really appreciate the time you put into edumication for us ignoramus's =) (note I'm being silly not sarcastic) I do feel inadequate when you or sec monkey talk security and I have learned alot here because of you guys.
On the Yubikey OTP the random one time passwords look like this: cccccdhreflecejrgluechtgneenbuktukndcrnvurf ccccccdhreflnghbdfiuurnfechgddvcgiidfjrrceu ccccccdhreflblrukhdeduvcdruucdefirceinvtrhhl ccccccdhreflccgecljtdciuknnbtlivgigflibvcvtl And you can program your own second complex static passphrase. Plus they are not made in china, they are manufactured in USA or Sweden...not that china can't be trusted... If LinuxMint used them they may not have been hacked. Ubuntu & Canonical The leading open source community and sponsor company use YubiKey “We use the YubiKey, configured for OATH, as one of multiple authentication methods. The YubiKey is our preferred choice for our users and support staff, as it quicker and easier to use, in particular for systems requiring frequent authentication.” Ricardo Kirkner, Account Services Team Manager, Canonical Ltd, UK Yubico | Trust the Net with YubiKey Strong Two-Factor Authentication
SMS has been added as an option. Once you enter your mobile number, the system will text you a 6 digit code to enter. One thing to note is that all of this info is stored encrypted in the system. I cannot see my own details after I've entered them which is also how passwords are stored. We don't have access to them.
Was able to test FIDO U2F with my new Yubikeys - works fine and I think that's probably going to be the winning standard soon. More on FIDO U2F here: OTP vs. U2F: Strong To Stronger - Yubico blog | Survival Monkey Forums