Enabling/Disabling Interfaces/Protocols on YubiKey

Hi,

Would anyone care to comment on the pros/cons of enabling/disabling Interfaces/Protocols on YubiKeys?

I’m currently using a single YubiKey 5 NFC which suits my needs at the moment.

Pretty much only need the YubiKey for Bitwarden/Outlook.com/GMail although I can see an obvious use case for using it for the financial institutions I’m registered with. Probably just a matter of time before they implement passkey support.

Currently all USB/NFC Interfaces are enabled on the YubiKey and as I’m not having any current problems with the key I’m quite happy to leave it that way.

However, I’m particularly interested in the possible security implications of leaving the key in that state. I don’t want to develop a state of raging paranoia about it, but nor do I want to leave all the Interfaces enabled if there are possible security implications I hadn’t considered.

Any comments, anyone?

Cheers.

Yes, what will you do if the single YubiKey dies, is lost, etc.?

Hi,

I’ve thought about that. Before I started using Bitwarden/YubiKeys I had all my login IDs/Passwords stored in encrypted files using VeraCrypt.

I fully intend to carry on using that method as a fallback/backup in case there’s some point in the future where I can’t access Bitwarden’s servers/services (for whatever reason).

If I’m going to store sensitive data like that in the cloud, I need to be prepared to ask myself what would happen in a worst case scenario if I can’t access the Bitwarden Vault?

Having locally available plaintext files (albeit encrypted) still seems like an idea that works for me. The only thing I need to remember to do is that any logins I add to the Bitwarden Vault I need to remember to add to VeraCrypt’s encrypted files and sync the encrypted files between the 2 PCs I currently use over the network. Takes seconds/minutes to do. The one issue I haven’t looked into yet is getting the encrypted file onto the smartphone and being able to decrypt it there. I don’t currently know if that’s possible, but as I rarely use the smartphone to access the web services that require my user IDs/passwords, it’s no big deal for me going forward.

Cheers.

I do not see any security implication in having an interface for an application that you don’t use enabled on the YubiKey.

For example, I have disabled OATH both on USB and on NFC, because I don’t use it (not because it’s insecure leaving it enabled).

I use Yubico OTP for logging in on the Bitwarden CLI, but I never use it on mobile, so I have it enabled on USB and disabled on NFC.

You can disable any app on any interface you don’t use. If you need it later, then just enable it.

But I don’t think your YubiKey will be more secure if you do so.

Cheers kpiris for the feedback. As I’m a bit of a lazy sod (and until something/someone tells me otherwise) I’m quite happy to leave all USB/NFC Interfaces enabled on the key. If it ain’t broke, why fix it?

Cheers. :slight_smile:

@reachnet

… Sorry for the delay, but I have now tested it a little bit. Some things are quite clear, some things were not to me, so here’s the whole list (interfaces for the YubiKey 5 at least):

OTP → activate it, if you use the Slot 1 / Slot 2 thing…

FIDO U2F (= “FIDO1”) → if you want to allow FIDO(1) / U2F, activate it

PIV (personal identification verification) → mainly for US government usage and if you use the YubiKey as a “smartcard”, I think… so I guess, if you need PIV, you already would know about that

FIDO2 (in theory: WebAuthn + CTAP) → especially if you want to use passkeys on your YubiKey, then activate it

OpenPGP → if you uploaded an OpenPGP key (or something like that?) to your YubiKey, then activate it

OATH → if you use TOTP codes on your YubiKey with the Yubico Authenticator app, then activate it

→ and choose for yourself whether you need USB and/or NFC for those services you need activated

PS: Personal note: I now decided to deactivate the interfaces (USB and NFC) for OpenPGP and PIV, because I really don’t use them…

PPS: … but, when every interface is activated by default, I would hope that it is not completely insecure, otherwise Yubico wouldn’t do it (again, I hope)… on the other hand, as a sidenote: the “default settings” are often not the “best” settings… (but the settings which fit most people and don’t cause many problems… so maybe everything is activated so that no user has problems using everything… - one last thought: but as long as there is no information “behind” an “interface”, I guess then nothing serious could be “leaked”/“abused”, so not really “dangerous”/“insecure” in that way)
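The list above boils down to one rule: keep an application enabled on a transport only if you actually use it there. As an added example, not part of the thread and not Yubico's code, here is a small POSIX shell script that turns that rule into a plan: it parses a constructed sample of the application table that `ykman info` prints and emits the `ykman config usb/nfc --disable <APP>` commands for everything you did not list as needed. The keep lists in the usage call mirror the earlier poster's setup (Yubico OTP on USB but not NFC, passkeys everywhere); the table layout and the application identifiers (OTP, U2F, FIDO2, OATH, OPENPGP, PIV) are assumptions about ykman, not copied from the thread.

```shell
#!/bin/sh
# Added example: print (do not run) the ykman commands that would disable
# every application not on the keep list, per transport.

# Constructed sample modelled on the "Applications" table of `ykman info`
# (assumed layout: name, USB state, NFC state).
SAMPLE_INFO='Applications    USB      NFC
FIDO2           Enabled  Enabled
OTP             Enabled  Enabled
FIDO U2F        Enabled  Enabled
OATH            Enabled  Enabled
OpenPGP         Enabled  Enabled
PIV             Enabled  Enabled'

# Display name -> identifier accepted by `ykman config usb|nfc --disable`
# (assumed names). Unknown rows yield "" and are skipped.
app_id() {
  case "$1" in
    "FIDO2") echo FIDO2 ;;    "OTP") echo OTP ;;
    "FIDO U2F") echo U2F ;;   "OATH") echo OATH ;;
    "OpenPGP") echo OPENPGP ;; "PIV") echo PIV ;;
    *) echo "" ;;
  esac
}

# plan_disables INFO_TEXT "KEEP_ON_USB" "KEEP_ON_NFC"
# KEEP_* are space-separated identifiers to leave enabled on that transport.
plan_disables() {
  keep_usb=" $2 "; keep_nfc=" $3 "
  # awk: last two fields are the USB/NFC states, everything before is the name.
  printf '%s\n' "$1" | awk 'NR > 1 {
      name = $1; for (i = 2; i <= NF - 2; i++) name = name " " $i
      print name "|" $(NF-1) "|" $NF }' |
  while IFS='|' read -r name usb nfc; do
    id=$(app_id "$name"); [ -n "$id" ] || continue
    if [ "$usb" = Enabled ]; then
      case "$keep_usb" in *" $id "*) ;; *) echo "ykman config usb --disable $id" ;; esac
    fi
    if [ "$nfc" = Enabled ]; then
      case "$keep_nfc" in *" $id "*) ;; *) echo "ykman config nfc --disable $id" ;; esac
    fi
  done
}

# Usage: passkeys (FIDO2) and U2F on both transports, Yubico OTP on USB only.
plan_disables "$SAMPLE_INFO" "FIDO2 U2F OTP" "FIDO2 U2F"
```

Review the printed plan before running any of it; re-enabling later is the matching `--enable`, as the thread notes.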

Hi,

Many thanks for the effort you have gone to m8. Hope I didn’t put you to too much trouble? Hopefully your response will help others consider whether or not they should enable/disable interfaces on YubiKeys.

From a purely selfish and personal perspective and as I have been fortunate enough to be able to retire from work early and am currently spending most of my time at home (and loving it), I don’t really need to be concerned with the security implications of which interfaces are enabled on the YubiKeys, other than from a purely personal viewpoint. As you pointed out, others who could be doing work for the Government or whatever may have a different agenda and may have to approach the issue in a more serious manner than I do.

I’m just going to leave all the YubiKey Interfaces enabled at the moment as I’m not having any issues. Anything for a quiet/easy life.

All the best m8.