IndieAuth with Yubikey

On Friday, Stina Ehrensvärd blogged Firefox Nightly enables support for FIDO U2F Security Keys. She notes that “in the near future, 80% of the world’s desktop users…will benefit from the open authentication standard and YubiKey support out of the box.”

Strong authentication support in the browser is important, not just for private high value transactions but also for public authenticity. Your identity need not be confined to one website that supports strong authentication. You can easily use strong authentication when logging in to any website that supports IndieAuth, with your own domain name as your login identifier and your yubikey device instead of just a password or a weak 2nd factor. Although people viewing your activity or content on that site cannot confirm that you used strong authentication, you can greatly reduce the risk that you will be impersonated. Impersonation isn’t a big problem until it happens.

Let’s see how this works with Github, which supports yubikeys. To set up Indieauth on your personal domain, include a rel-me link to your github url. If you view source right now, you’ll find the link I use:

<a href="https://github.com/herestomwiththeweather" class="icon github" title="GitHub" rel="me"></a>

Then, make sure there is a link back from your github page to your personal domain. At this point, you should be able to use Indieauth with your personal domain.
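The two-way link is what makes this safe: a rel="me" pointing at a github profile proves nothing on its own, since anyone can link to a profile they don't control, and it is the link back from github that ties the profile to your domain. Here is an added Python example (not from the original post, IndieAuth.com or woodwind.xyz) that parses constructed copies of a homepage and a github profile page and verifies that each carries a rel="me" link to the other; the URLs, user name and HTML are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class RelMeParser(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel contains "me"."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel is space-separated
        if "me" in rels and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))


def rel_me_links(page_url, html):
    p = RelMeParser(page_url)
    p.feed(html)
    return p.links


def canonical(url):
    """Loose equality: host case-insensitive, trailing slash ignored,
    scheme kept (http and https count as different identities)."""
    u = urlparse(url)
    return u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/")


def verify_rel_me(home_url, home_html, profile_url, profile_html):
    """True only when home -> profile AND profile -> home both exist.
    A one-way link is not enough: the back-link from the provider
    profile is what proves the domain owner controls that profile."""
    forward = any(canonical(link) == canonical(profile_url)
                  for link in rel_me_links(home_url, home_html))
    back = any(canonical(link) == canonical(home_url)
               for link in rel_me_links(profile_url, profile_html))
    return forward and back


# Constructed sample pages (hypothetical user, not fetched from the web)
HOME_URL, PROFILE_URL = "https://example.com/", "https://github.com/example-user"
HOME_HTML = '<a href="https://github.com/example-user" class="icon github" rel="me">GitHub</a>'
PROFILE_HTML = '<a rel="nofollow me" href="https://Example.com">example.com</a>'
PROFILE_NO_BACKLINK = '<a href="https://example.com/">example.com</a>'
```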

If you haven’t already configured 2 factor auth for Github, you’ll first need to do that either with SMS or a mobile app. After that you can add your yubikey device by visiting https://github.com/settings/security/:

If you click the edit button on the right under two-factor authentication, you can register a new device in security keys:

You are asked to give the device a name:

Then, with it plugged into a usb port, register your yubikey by tapping it:

Your yubikey has been successfully registered:

Now let’s log into the woodwind.xyz indieweb reader:

Click login to sign in with indieauth:

Let’s use strong authentication with a yubikey, so click on the green button that says github.com.

For this example, the browser is not logged into github yet, so both a password and the yubikey are required to log into github. After the password is provided, github redirects us to a page that prompts us to touch the USB-attached yubikey.

Github returns an OAuth token to IndieAuth.com:

And we’re logged into woodwind.xyz!
