Re: TOTP apps, and WebAuthn recommended devices?

[Taylor R Campbell <campbell+netbsd-users%mumble.net@localhost>]

> Date: Thu, 23 Mar 2023 09:51:17 -0400
> From: Greg Troxel <gdt%lexort.com@localhost>
> 
> One thing is TOTP.  There are Android apps from f-droid (which suits me
> but not everyone), and there is vaultwarden which should allow bitwarden
> to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

TOTP -- also called `authenticator app', and usually presented with a
QR code and an optional base32 string as the key -- is a very simple
standard protocol defined in RFC 6238, with reference to RFC 4226.

security/oath-toolkit is a command-line tool to manage a collection of
TOTP keys.  security/py-otp is a very simple Python library.  I use a
fragment of Python code with security/py-cryptography[1], from before
py-otp was added to pkgsrc.

For Android and iOS, there's also a free software app called FreeOTP
from Red Hat (in Google Play and F-Droid): https://freeotp.github.io/

In Firefox, the Bitwarden browser extension can automagically handle
TOTP keys.


However, you should be aware that _TOTP is vulnerable to phishing_.


If you inadvertently open gmai1.com instead of gmail.com and are shown
what looks exactly like a Google login page, entering a TOTP (or SMS)
code alongside your password gives the adversary everything they need
to break into your account.

In contrast, using only password + U2F/FIDO/webauthn security key
defeats phishing.

It defeats phishing because the browser cryptographically binds the
web site origin (gmai1.com vs gmail.com) into the protocol between the
security key and the server.

The user experience of U2F/FIDO/webauthn is also better because you
just tap a button -- no need to keep state on a phone, configure keys
into it, or copy & paste magic codes from one device to another.

One device (plus a second one as a backup!) works for as many sites as
you want, and for as many different accounts at each site as you want
(work, personal, whatever).  Directory of sites with support:
https://www.dongleauth.com/

For most uses, the words U2F, FIDO, FIDO2, and webauthn all mean
essentially the same thing, so I'll just say FIDO here.


> The other thing is WebAuthn which is apparently the new U2F.  I'd like
> to get some security keys for this, probably 3 (carry, non-carried
> backup, offsite cold storage) for long-term availability.  What devices
> are recommended, meeting:

All FIDO USB security keys will work out of the box on all modern
desktop/laptop platforms (including NetBSD 9), and all FIDO NFC/USB
security keys will work out of the box on all modern smartphones from
the last four years or so, in all major browsers.

You should pick according to the interface and form factor you need
(and what you can easily find nearby or get shipped to you).

A good choice to start with is NFC and USB-A or USB-C, so you can use
the same key with a phone and a laptop, like these:

https://www.yubico.com/product/security-key-nfc-by-yubico-black/
https://www.yubico.com/product/security-key-c-nfc-by-yubico-black/

Typical interfaces:

- USB-A
- USB-C
- Lightning (Apple proprietary)
- NFC
- smartcard contact
- Bluetooth LE

Typical form factors:

- keychain-oriented -- like a house or car key but with USB

  https://www.yubico.com/product/security-key-nfc-by-yubico-black/
  https://solokeys.com/products/solo-tap-usb-a-preorder?variant=27688204271680
  https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55
  https://www.ftsafe.com/Products/FIDO/NFC
  https://store.google.com/us/product/titan_security_key?hl=en-US

- nano -- barely sticks out of the USB port, so you can just keep it
  plugged into your laptop all the time

  https://www.yubico.com/product/yubikey-5-nano/
  https://solokeys.com/products/somu-tiny-security-key-two-factor-authentication-u2f-and-fido2-usb-a

- credit card -- NFC/smartcard only, not well supported outside
  Windows yet, not a lot of retail market, seems to be mostly for
  corporate id badge deployments

  https://neowave.fr/en/products/fido-range/badgeo-nfc-fido-2/
  https://shop.cryptnox.com/products/cryptnox-fido-2-card
  https://gotrustid.com/products-idem-card/ (has battery for BLE)
  https://www.hidglobal.com/products/crescendo

- other

  https://shop.ledger.com/products/ledger-nano-s-plus
  https://authentrend.com/atkey-card/

You can vet a product with the FIDO certification database:
https://fidoalliance.org/certification/fido-certified-products/

You can try a key out without risking locking yourself out of any
accounts here: https://demo.yubico.com/

If you want to add support to a web site: https://webauthn.io/


Answering some specific concerns you had:

>   allow enrolling in a bunch of different sites (dozenish, not 1000s)

FIDO keys have no limit on the number of sites.  There is no state
stored on the device[2], except for a count of the number of
signatures it has made, which is revealed to the server so the server
can detect cloned devices.

>   work on NetBSD with firefox (netbsd 9 amd64 at the moment)

All certified FIDO USB keys will work out of the box in Firefox on
NetBSD, on all architectures.  (If you have trouble, please let me
know!)

>   work on Android with free software only, preferably with NFC

All certified FIDO USB and NFC keys will work out of the box in all
major browsers on Android.  (Probably also iOS.)

>   work on GNU/Linux and macOS

All certified FIDO USB keys will work out of the box on GNU/Linux and
macOS in all major browsers (Firefox, Safari, and Chromium-based
browsers like Chrome and Brave).

Also: All certified FIDO USB/NFC/smartcard keys will work out of the
box on Windows too.  NFC/smartcard through a USB reader is coming for
Firefox on NetBSD (and maybe other platforms too) but not there yet.

>   available from a vendor that I've heard of
> 
> I am not super concerned about state-level supply chain attacks, but
> since I know some of you are Wicked Paranoid as we say in Boston, bonus
> points if I can walk into Walmart/Target and pay cash :-)

Using password+FIDO as 2FA mitigates supply chain attacks to some
extent because the FIDO key itself is not a single point of
failure[3].

I checked to see if Microcenter has any of these in stock to buy
anonymously with cash, but I couldn't find any.  Maybe if enough
people telephoned Microcenter and asked about it they would start
stocking some FIDO keys.

Best Buy appears to have some Ledger devices in stock right now near
Boston, in Watertown, Everett, and South Bay:

https://www.bestbuy.com/site/ledger-nano-s-plus-crypto-hardware-wallet-matte-black/6502680.p?skuId=6502680

> It looks like the Yubikey 5 might fit the bill.

FYI: With the Yubikey 5 vs the Yubico Security Key, you are paying 2x
for functionality that isn't necessary for FIDO.

If you really want to deal with the pain of handling extra software
configuration tools to manage state for OpenPGP card or PIV or
Yubico's proprietary OTP system, that's fine, but it's a waste of time
and money for most people.

So if you like Yubico's form factor (which I do) I recommend the
Security Key NFC or the Security Key C NFC, unless you have a specific
need for non-FIDO functionality.


[1] What I use for TOTP:

    import base64
    import time
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.twofactor.totp import TOTP
    from cryptography.hazmat.primitives.hashes import SHA1
    TOTP(base64.b32decode('...', casefold=True), 6, SHA1(), 30, backend=default_backend(), enforce_key_length=False).generate(time.time())

[2] Some applications, like obnoxious corporate enterprise deployments
    or some self-inflicted mistakes, require software tools to
    configure PINs and `resident keys' on FIDO keys.  The original U2F
    keys won't work for this; only newer FIDO2 keys do.

    I advise you to ignore all this unless it is absolutely necessary
    to deal with an obnoxious corporate enterprise deployment that
    made this mistake.  Outside such environments, the only place
    you're likely to see PINs and resident keys is as an option in
    OpenSSH ssh-keygen(1), which you can ignore -- you can just use
    `ssh-keygen -t ecdsa-sk' to generate a FIDO ssh key pair with no
    PIN.

[3] If you use FIDO-with-PIN instead of password+FIDO for anything,
    then the FIDO key does become a single point of failure -- and the
    compatibility and user experience is worse.  So I advise you avoid
    that.