Yubikey with Gmail: too much for the average user
A small review of two-way authentication for Gmail and its combination with the Yubikey.
When I first discovered the Yubikey I thought it was very clever. It’s an easy way to combine passwords in a secure manner on a physical USB key.
If you want to learn more about this One-Time-Password generator, check out their company website at http://www.yubico.com .
I first tested the Yubikey itself, with success… the technology works fine, and with version 2.2 and up you can even add a static password on a second ‘slot’ on the key.
You can use a few (not that many, I discovered) services like clavid.com and wikitravel.com with it, and even install Firefox add-ons for it like KeyGenius
(although I never got that working for me… there’s a limit on how much time I want to spend figuring out how to make such add-ons really work for me).
The main thing is that I wanted to use the Yubikey for activating the Gmail 2-way authentication, but instead of having a code sent to me by SMS from Google, I wanted to use the OTP generated by the Yubikey.
This failed miserably. Not because it didn’t work, but because it’s close to unusable from an implementation point of view.
I administer a domain that’s using Google mail through Google Apps.
Logging into the mail with two-way authentication with the Yubikey for all my users on Google Apps would mean that they can easily log in, while keeping extra security on top of their current password.
I’ve tested this on my own mail account first and discovered that things became more complicated this way.
First of all: the Yubikey, despite what their website says, is not compatible with the Gmail 2-way authentication system.
They use a trick to make it work, but the Yubico OTP generated password is never used to log in; instead it uses the hash-password slot.
First of all, I’d need a third slot for this on the Yubikey, since the first one is taken and used for the OTP, the second for a bunch of services that use a static password.
I ended up, for this test, wiping the second slot and going for the two-way auth as explained on the Yubico website.
Second reason that this is not really possible to implement is the hex-key conversion. You first activate the Gmail 2-way authentication, then trick the system into giving you a generated Google key (as a backup of a fingerprint key or something) and then you’ll need to put that key into their converter Excel sheet to get YET another key to… ah well, it’s like playing one of these endless adventure games. You get a key from a chest in a cave and open a box with another key to unlock a door to a castle with another cave…
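To make the conversion chain concrete, here is an added example that is not part of the original post and not Yubico’s or Google’s code. It assumes the key Google hands out is a base32-encoded OATH secret and that the token’s personalization tool wants the same secret as raw hex; the post does not say what its converter spreadsheet does, so that mapping is my assumption. It also shows, on the verifying side, how an OATH-HOTP code is computed and checked (RFC 4226), which is the kind of hash-based one-time password the post says gets used instead of the Yubico OTP. The sample secret is the RFC 4226 test-vector key, a constructed value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test-vector key
# ("12345678901234567890" as ASCII bytes), shown the way an enrolment
# page typically displays it (base32). Not a real account secret.
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def base32_to_hex(secret_b32: str) -> str:
    """Convert a base32 OATH secret (as displayed during enrolment) to the
    hex string a hardware token's personalization tool is assumed to take.
    Whitespace and case are normalised; missing '=' padding is restored,
    because enrolment pages often print the secret in spaced groups."""
    cleaned = "".join(secret_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned).hex()


def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    key = bytes.fromhex(secret_hex)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret_hex: str, counter: int, code: str, look_ahead: int = 10):
    """Server-side check with a resynchronisation window: accept the code if
    it matches any counter in [counter, counter + look_ahead) and return the
    next counter to store; return None on failure. Comparison is constant
    time so the check does not leak which digits matched."""
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(secret_hex, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    secret_hex = base32_to_hex(SAMPLE_BASE32_SECRET)
    print("hex secret for the token:", secret_hex)
    for n in range(3):
        print(f"counter {n}: {hotp(secret_hex, n)}")
    print("verify after one skipped press:", verify_hotp(secret_hex, 0, hotp(secret_hex, 1)))
```

The point for an administrator is that every hop in that chain (display format, conversion, what the token stores, what the server counter is) is a place where a user can go wrong without any error message, which is exactly the usability problem the post describes; the look-ahead window in `verify_hotp` is the standard mitigation for a token whose button was pressed a few times without logging in.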
I’m not going to put my users through all this (excuse me for the language) “nerd-shit”. Users on my domain just want to be able to log in… a setup or discovering something new (even simple things like Google+) is a huge step up every time. The learning curve needs to be as short as possible, certainly for authentication…
The way it should be:
1 - You type in your Gmail and password (users know how to do this already).
2 - When you have activated Gmail 2-way authentication AND ticked a checkbox ‘I use Yubikey’s OTP system’ on the account page, you point your cursor to the Yubikey box and generate your password by pressing the button on the Yubikey.
3 - Then you’re logged in.
Don’t tell me Google and Yubico can’t sit together with a few brilliant coders and make this work?
In any case, the Yubikey is GREAT, don’t get me wrong on this; it’s only a pity that the main reason I wanted it is not working out to be easy or usable at all. In the meantime I stick to using it for a clavid OpenID account. That’s enough for now…
m.