Yubikeys and U2F make two-factor authentication easier

Written by Craig Kerstiens
February 1, 2017

We're excited to announce U2F FIDO (Yubikey) support for Citus Cloud, to make keeping your account and data secure even easier. Within the Account Security section of the Citus Cloud Console you'll now see a section to add your new device. If you already have a U2F device, click Register New Device, you'll be prompted to activate it, and you're done.

If you already have a Yubikey then you know the benefits it brings; however, when testing, many of our customers were unaware of them or weren't using one already. We felt it would be worth spending some time explaining why they're great, as well as creating a few guides for setting them up on the most common services you may be using.

Starting with strong unique passwords

First, a little on password policy in general. Password breaches happen. If you're re-using the same password all over the place, start by looking at a password manager like 1Password or LastPass. These let you remember a single strong master password while using a unique password for each website you log into, so if one service is breached the rest of your accounts are still safe.

Beyond that, a password manager still doesn't guarantee that your password won't leak from some service you use, or that you won't fall for a phishing attack. In a phishing attack someone creates a look-alike experience, such as an email plus a website, to get you to log in; in the credit card world, for example, this could be an email asking you to 'log in' to verify a charge you did not make.

Enter Two Factor Authentication

This is where two-factor authentication comes in as the next line of defense. After a successful phishing attack the attacker has your password and can log in at will. They may not be able to log in to all of your accounts, but if they have your Gmail account they could potentially get into others from there via password resets. Two-factor authentication requires you to enter a second factor. This second factor could take a number of forms: occasionally just a second password or PIN (less common when people refer to 2FA), but more commonly a physical device that generates a unique token for you.

Many major services support two-factor authentication these days and encourage you to enable it, perhaps without you even realizing it's 2FA. The most common method is setting up your phone for text-message verification. You can also use apps like Google Authenticator or Authy, which are essentially the modern form of an RSA token.

The key point about this latter group of 2FA methods is that it typically requires you to have the physical device with you. Even if an attacker got your password, they still don't have your phone, which receives the text message or runs the Google Authenticator app that lets you into your account.

Yubikeys make everything easier

Image by Yubico

Yubikeys are little devices that plug into your USB port. They offer the same benefit as your phone: they require you to physically touch them to prove you're there. So, much as someone would have to steal both your phone and your password to get into an account with 2FA on, they would have to steal your computer (or your Yubikey specifically) and your password to get into one that's using 2FA with a Yubikey. In all fairness it's not only Yubikey; it's the more universal U2F protocol, but Yubikey is the largest provider of the devices.

You can pick up any Yubikey that supports U2F and start using it with your Citus account today.

It works on Google, GitHub, more

The best part is that it's not just for Citus; it works on all the major services you likely care about securing. Most people we talked with were unaware of this, and some couldn't even find where to set it up once they were aware. To make this easier we've created guides for the major services that make it clear how to enable it.

In conclusion

Keeping data safe and secure is important. Everyone can appreciate security, but it often comes at the expense of usability and ease, which it shouldn't have to. It's a small change in workflow, but not having to pull out your phone to keep your accounts secure with 2FA makes good security practices even easier. Given that we require 2FA on all Citus Cloud accounts, we're excited to make it an even better UX.

Former Head of Cloud at Citus Data. Ran product at Heroku Postgres. Countless conference talks on Postgres & Citus. Loves bbq and football.