Narrator: It isn’t.
Two short stories from a long weekend…
The success story
Microsoft are a bit stingy (in my opinion) by not including BitLocker (the option to encrypt your disks) in home versions of Windows 10. It’s 2020, and this stuff should be on by default for everyone. Privacy matters.
Having said that, I sprung £40 for a nice reader offer in PC Pro, upgraded my new personal laptop to Windows 10 Pro, and found it had encrypted the drive for me – no need to turn it on specially. Nice! This encouraged a spot of optimism which lasted until…
The less successful story
I finally got round to buying a second YubiKey this weekend – with a second one set up (and kept in a very different place to the first), it should be possible to start relying on this and no other method of two factor authentication. A “security key” like this is much nicer than TOTP codes from your phone, not least because you don’t have to scroll through 40 of them (and you can’t be socially engineered into disclosing it over the phone or by e-mail).
I got it working, but it was quite a battle. LastPass is happy to let you register multiple YubiKeys, but it won’t start prompting you to use one on your phone (via NFC) unless you disable other 2FA methods first. Their UI and documentation are not great at explaining this.
For extra “fun” I then loaded up my air-gapped computer for working with my PGP master key (also known as an old Raspberry Pi – old enough not to have WiFi). In GnuPG, writing private keys to a “card” such as a YubiKey is a destructive operation which removes them from your keyring on disk. Fortunately the tutorial I used in the first place anticipated this, so I had a back-up of my secret key. However, it turns out that re-importing this doesn’t “un-stub” all the keys you wrote to the card. You have to completely wipe it from the keyring and import it again.
Then you run into some misbehaviour with pin/password prompts and have to Google for a config setting to fix that.
Then you discover newer YubiKeys require a longer “admin PIN” than your older one.
Then you discover the default tutorial on Yubico’s website doesn’t anticipate you having sub-keys for all three of encrypt, sign and authenticate, thus your first attempt wrote the wrong keys to the YubiKey.
Finally, you think it’s over, and you discover that GPG doesn’t really cater for the idea of multiple “cards” having the same keys on them, so you need to hack up a script to delete its knowledge of which card serial number has what secret keys on it, and run this either on a schedule or when a USB device is inserted.
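One way such a script can look, as an added example rather than the script from this post: it assumes GnuPG 2.1 or later, where each card-held key is a stub file named `<keygrip>.key` under `private-keys-v1.d`, and the function names are made up for illustration. It removes only the stubs that point at a card serial number, then lets `gpg --card-status` recreate them for whichever key is plugged in.

```shell
#!/bin/sh
# Added example (not the author's script). Assumes GnuPG 2.1+ keyring layout.

# Read `gpg --with-colons --with-keygrip --list-secret-keys` output on stdin
# and print the keygrip of every secret (sub)key that lives on a card.
# In sec/ssb records, field 15 is the token serial number for card keys,
# "+" for keys stored on disk and "#" for a missing secret key.
card_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { on_card = ($15 ~ /^[0-9A-Fa-f]+$/); next }
        $1 == "grp" && on_card     { print $10; on_card = 0 }
    '
}

# Delete the stub file for each keygrip read on stdin; print what was removed.
remove_stubs() {
    keydir=$1
    while read -r grip; do
        case $grip in
            *[!0-9A-Fa-f]*|"") continue ;;   # skip anything that is not a hex keygrip
        esac
        if [ -f "$keydir/$grip.key" ]; then
            rm -f -- "$keydir/$grip.key" && echo "$grip"
        fi
    done
}

# Full run: drop the card stubs, then let the inserted card recreate them.
forget_card_stubs() {
    home=${GNUPGHOME:-$HOME/.gnupg}
    gpg --batch --with-colons --with-keygrip --list-secret-keys |
        card_keygrips | remove_stubs "$home/private-keys-v1.d"
    gpg --card-status >/dev/null   # re-learns stubs for the card now present
}

# Only touch the real keyring when asked to explicitly.
if [ "${1:-}" = "--run" ]; then forget_card_stubs; fi
```

Run it with `--run` from a scheduled job or a USB hotplug hook; key files for secrets that are actually stored on disk are left alone because their field 15 is `+`, not a serial number.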
I got there in the end, but given what a battle it was, I suspect the other people in the world with a twin-security-key setup like this are a select minority indeed. I really hope someone is making this stuff dead simple so it can be sold into the corporate world – then maybe one day home users will expect and demand it, and it will just work. Should give us all more time to harvest bacon from the passing flying pigs.
I haven’t even got to discovering how many of the small group of sites which support U2F allow you to have multiple devices registered, but no doubt most of them limit you to one…