Tails

#2 Updated by sonicsnail 2017-03-28 05:52:38

intrigeri wrote:
> Any specific reason why https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html#additional_software is not suitable for this?

I can think of a bunch of reasons:

• Tails should come with a two-factor auth solution built-in for the same reasons it comes with a password manager built-in: to encourage better security practises in users. It’s up to users to actually use the apps, but if they do they’ll be safer. More people should be using two-factor auth and we should be encouringing it. The implementation of Yubico Authenticator is solid due to the fact that it stores secrets non-readable in the Yubikey’s TPM.
• FIDO U2F authentication isn’t possible in Tails or Tor Browser right now, and it probably won’t be for a long time — see issue Bug #11565. Yubico Authenticator is the next best thing for securely doing two-factor auth.
• Personally, I want to use Yubico Authenticator in Tails but I’m reluctant to enable persistence features on a platform that’s meant to be amnesic. I want to use the app without having to unlock the persistent volume. I know there are others who have a similar attitude about persistence.
• There is an “audience” for it. There are Tails users who already have Yubikeys and who therefore might find this app useful, even if they aren’t aware of it yet. We just need to put the app in front of them. Additionally, Tails users might be more interested in starting to use Yubikeys now that the PGP smart card feature will finally work out of the box in Tails 3.0 (see issue Bug #11565).

#3 Updated by intrigeri 2017-03-28 10:00:15

Hi!

>> Any specific reason why https://tails.boum.org/doc/first_steps/persistence/configure/index.en.html#additional_software is not suitable for this?

> I can think of a bunch of reasons:

Thanks! I’d like to gather some more info before we can discuss this collectively.

> * Tails should come with a two-factor auth solution built-in for the same reasons it comes with a password manager built-in: to encourage better security practises in users. It’s up to users to actually use the apps, but if they do they’ll be safer. More people should be using two-factor auth and we should be encouringing it.

OK, then my next questions are:

• What other hardware + software solutions out there satisfy the same need?
• Do this other solutions require vendor-specific software to use them?
• Why should we support this specific hardware+software combination, and not one of the other options?

My underlying concern is that this landscape might be fragmented enough that, to “encourage better security practises in users”, we end up adding similar software to support 2-5 other 2FA solutions in our ISO image. If this is how the landscape looks like, i.e. it is similar to IM and crypto-currencies, then IMO we need to either ship none (and rely on Additional Software Packages), or choose a single one carefully (and then someone needs to help us choose).

> * Personally, I want to use Yubico Authenticator in Tails but I’m reluctant to enable persistence features on a platform that’s meant to be amnesic. I want to use the app without having to unlock the persistent volume. I know there are others who have a similar attitude about persistence.

I see, and I understand the feeling. However, this argument works for any additional package one requests to be included in Tails by default, so we do have to take it with a grain of salt whenever there’s the software in question doesn’t actually need to be installed by default to work fine. (There are exceptions to this rule, e.g. software that’s particularly relevant in air-gapped setups, which is not the case here.) Also note that some important upcoming security improvements (PRNG seed, Tor entry guards) will require persistence, so one should expect that using (limited) persistence becomes more and more the recommended way of using Tails.

> * There is an “audience” for it. There are Tails users who already have Yubikeys and who therefore might find this app useful, even if they aren’t aware of it yet.

FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That’s a lot for a highly-specialized tool such as this one, and OTOH that’s very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

#4 Updated by sonicsnail 2017-03-29 10:43:59

intrigeri wrote:
> What other hardware + software solutions out there satisfy the same need?

I found a few other tools for generating 2FA codes on linux systems, but I have to say there aren’t many options:

• OATH Toolkit is a CLI client that’s in Debian. It’s software-only and doesn’t store secrets. You run it like this `$ oathtool −−base32 −−totp “gr6d 5br7 25s6 vnck v4vl hlao re”`, where “gr6d…” is the secret key. http://www.nongnu.org/oath-toolkit/
• There are a few CLI clients on GitHub like https://github.com/tadeck/onetimepass or https://github.com/w8rbt/oathgen or https://github.com/hobarrera/totp-cli. They are all software-only.

The most common way of doing 2FA is with apps like Google Authenticator or FreeOTP that operate on smartphones independently of Tails.

I couldn’t find any other software similar to Yubico Authenticator that integrates with hardware from other vendors. Hardware from Yubico’s competitor, Trezor, only does FIDO U2F and has no similar TOTP/HOTP features.

> Do this other solutions require vendor-specific software to use them?

No, the alternative solutions above aren’t vendor specific. By “vendor-specific” you mean how Yubico Authenticator only works with Yubico’s own hardware products.

> Why should we support this specific hardware+software combination, and not one of the other options?

The other CLI solutions are software-only and involve storing the TOTP/HOTP secret keys on disk. Having secret keys on disk isn’t exactly following the concept of “something you have” as a second factor because the secrets are stored in the same way as passwords, which are “something you know”. Some of these programs don’t even encrypt their databases of 2FA keys. In the case of OATH Toolkit, the app practically encourages users to copy/paste secret keys into the terminal, which is bad practise because now the keys are in the clipboard and are more likely to be accidentally pasted into unsafe places. Also, the lack of GUIs is a turnoff for a lot of users.

Smartphone apps like Google Authenticator and FreeOTP are relatively good. They operate on hardware/software that’s isolated from Tails and they don’t allow users to access the secret keys again after initial input. But smartphones are a financial investment for some users and they can still be pwned. Smartphones get pwned more easly than Tails. The apps are ultimately still software-only and store secret keys on the phone’s disk.

Yubico Authenticator is unique and there are no other similar or competing apps from other vendors. It has a straightforward GUI, secret keys are inaccessible in the hardware TPM, it’s very much “something you have” as a 2nd factor, and Yubikeys are relatively inexpensive compared to smartphones. From a security standpoint, Yubikeys are the safest place for storing TOTP/HOTP secret keys because the keys can’t be extracted. While the app is vendor-specific, Yubico’s product is a very solid solution for TOTP/HOTP 2FA.

> My underlying concern is that this landscape might be fragmented enough that, to “encourage better security practises in users”, we end up adding similar software to support 2-5 other 2FA solutions in our ISO image. If this is how the landscape looks like, i.e. it is similar to IM and crypto-currencies, then IMO we need to either ship none (and rely on Additional Software Packages), or choose a single one carefully (and then someone needs to help us choose).

I wouldn’t call the landscape fragmented because there isn’t much of a landscape at all. Mobile is a different story, but there aren’t many 2FA apps for linux desktop. There’s a shit show of CLI apps and then there’s Yubico Authenticator. I’d suggest shipping either nothing or Yubico Authenticator.

> FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That’s a lot for a highly-specialized tool such as this one, and OTOH that’s very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

Yubico primarily distributes the app as a tarball download from their site at https://www.yubico.com/support/knowledge-base/categories/articles/yubico-authenticator-download/. It doesn’t say anything about the Debian package. So the Debian site probably isn’t recording all the installs.

This is a cross-platform app. On https://play.google.com/store/apps/details?id=com.yubico.yubioath&hl=en it has “10,000-50,000” installs.

#5 Updated by intrigeri 2017-04-01 08:30:30

Thanks for all your answers! I think we now have all the info we need to make a decision, so I’ve added this topic to the agenda of our next monthly meeting :)

> There’s a shit show of CLI apps and then there’s Yubico Authenticator. I’d suggest shipping either nothing or Yubico Authenticator.

OK, got it. I agree.

>> FWIW, https://qa.debian.org/popcon.php?package=yubioath-desktop knows about 71 installations of the package on Debian. That’s a lot for a highly-specialized tool such as this one, and OTOH that’s very little compared to the size of the Tails userbase (i.e. the people who will be affected negatively by the growth of the ISO and upgrades).

> Yubico primarily distributes the app as a tarball download from their site at https://www.yubico.com/support/knowledge-base/categories/articles/yubico-authenticator-download/. It doesn’t say anything about the Debian package. So the Debian site probably isn’t recording all the installs.

I agree that Debian isn’t recording all the installs: in particular, one can disable popcon. Still, I’m pretty sure that installing software from 3rd-party websites is waaaay less common among Debian users (especially when said software is available in Debian) than on operating systems that lack good package management: installing software this way is much harder (the Linux download you link to points to the source tarball, and then one needs to compile and install manually), and skilled + security conscious people, who are likely to be the ones using such software, are generally aware of the advantages of package managers (e.g. security upgrades coming for free). So IMO the amount of people installing from source is negligible vs. the total number of Debian users of Yubico Authenticator, and thus the popcon number is useful as a way to compare the popularity of one piece of software vs. another one, among Debian users. FWIW tails-installer has 480 registered installs, OnionShare has 91, mat has 337, and seahorse-nautilus has 633. All these are relatively niche software.

#8 Updated by Anonymous 2017-06-27 09:09:15

As the two latest meetings did not take place, this ticket is still on our agenda for the July meeting.

#9 Updated by Anonymous 2017-06-27 10:22:28

just fyi. while the software in Debian is Free Software, the Yubikey itself has closed source models, see https://en.wikipedia.org/wiki/YubiKey#Security-concerns_YubiKey_4_.28closed-source_code.29