Yubico Forum

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-18T08:40:00+01:00

I just wanted to add a third advantage of Yubico Authenticator over Google Authenticator (and Authenticator Plus): It's open source.

Statistics: Posted by henrik — Thu Dec 18, 2014 8:40 am

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-17T17:22:35+01:00

dvarapala wrote:

darco wrote:

I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade.

Worst case, the secret used by the Google Authenticator app can be manually transferred to a new phone if necessary.

You cannot read the secrets out of Google Authenticator unless the phone is rooted or you somehow gain direct access to the device's memory. If you change device and don't have copies of the secrets (e.g. hard copies of the QR codes), the easiest thing is to disable and re-enable two factor authentication on each of your accounts.

If you want to transfer secrets between devices and hold them more securely on your device, try the Authenticator Plus app . The companion Authenticator Plus Import app that reads your credentials from Google Authenticator only works on rooted devices, and serves as proof of concept as to the security issues of storing credentials on a rooted device. I don't root my Android devices.

The best approach for me is to store all secrets that I use actively in a secure element (my Neo), with offline copies kept under multiple levels of encryption. I don't have my digital certificates, my OTP credentials or my PGP key and its subkeys stored on any device in a readily usable format.

Statistics: Posted by DavidW — Wed Dec 17, 2014 5:22 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-17T13:16:21+01:00

My take on this question is the following:

Google Authenticator is a piece of software that uses well know algorithms to generate on screen displayed codes (smartphones, tablets, pc).
In this scenario you have to trust your phone's hard-drive (tablet, pc, etc..) to store the secrets. These devices are often Internet connected.

The Yubikey stores the secrets into the secure element. It is not an Internet connected device. The same well known algorithms are later on used to spit out the codes exactly as the Google Authenticator does onto the smartphone, tablets etc. However the secrets never leave the Yubike's secure element

The Yubikey applet can be password protected.
The Google Authenticator doesn't (on iOS, however it could be easily added ), it just prevents the average Joe to pick up the phone, start the App and steal couple of codes.

The real question here is 'do you trust storing secrets on the "designed storage" for your device app or you rather store them onto an offline device's secure element?'

What do you think? I am happy to see great conversations about security coming up on this community!

Statistics: Posted by Tom2 — Wed Dec 17, 2014 1:16 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-17T01:42:39+01:00

dvarapala wrote:

My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.

My Galaxy Note 3 works fine with my Neo, though I'm running a different country version to you and therefore different firmware (mine is BTU - United Kingdom unbranded). I will undoubtedly have different apps loaded to you. It's possible you have an app that is interfering with Yubico Authenticator and/or Yubiclip's use of NFC.

I'm therefore able to generate OTPs using the Authenticator app on my phone over NFC, or by using the Authenticator app on my laptop with the Neo in a USB slot.

Statistics: Posted by DavidW — Wed Dec 17, 2014 1:42 am

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-17T01:28:22+01:00

darco wrote:

Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.

Adding to darco's answer, the majority of services online use TOTP, so you cannot generate OTPs in advance unless you have access to the secret and know the time you want the OTP for (typically a 30 second window, with the server making some allowance for entry time and clock skew).

I have credentials for Google, Microsoft, Dropbox, Facebook, Tumblr and github on my Yubikey Neo. All are TOTP credentials.

The only event-based credentials I have are those I use with the Yubikey's 'touch button' capabilities: Yubico OTP (which I don't use much) and Symantec VIP (which I use with PayPal). I also have event based hardware OTP setups from two UK banks - HSBC uses a self-contained PIN protected token and Nationwide use a small device that works with the Chip Authentication Program feature on their cards.

Statistics: Posted by DavidW — Wed Dec 17, 2014 1:28 am

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T21:04:18+01:00

Statistics: Posted by darco — Tue Dec 16, 2014 9:04 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T20:25:55+01:00

DavidW wrote:

With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.

[My emphasis]

One doesn't need to read the contents of a yubikey. The fact that the OTPs are not time-based makes it easier to "hack" than google-authenticator. All you've to do is get someone's yubikey, mail yourself some OTPs and then use them. Of-course once an OTP is used, all the past OTPs will be useless but still.

I find Google-Authenticator in an encrypted password protected device much more secure than yubikey. I created this thread to be proved otherwise, as I might be starting to think that I made the wrong choice by going with Yubikey.

Thank you all for posting on this thread btw.

Statistics: Posted by visibleninja — Tue Dec 16, 2014 8:25 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T20:00:46+01:00

Ok, fair enough, I am assuming that the device is NFC compatible and works with the ykneo.

Statistics: Posted by darco — Tue Dec 16, 2014 8:00 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T19:59:12+01:00

darco wrote:

I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade.

Worst case, the secret used by the Google Authenticator app can be manually transferred to a new phone if necessary.

Quote:

The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.

Not quite true. My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.

Statistics: Posted by dvarapala — Tue Dec 16, 2014 7:59 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T19:17:21+01:00

I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade. The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.

Statistics: Posted by darco — Tue Dec 16, 2014 7:17 pm

Re: Yubikey vs Google authenticator - Which one is the best?

2014-12-16T19:13:13+01:00

With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.

Statistics: Posted by DavidW — Tue Dec 16, 2014 7:13 pm

Yubikey vs Google authenticator - Which one is the best?

2014-12-16T18:02:18+01:00

Hey there!

In your opinion, which is the best solution, Yubikey vs Google Authenticator?

I'm currently using Yubikey but I might start using google authenticator instead.

Statistics: Posted by visibleninja — Tue Dec 16, 2014 6:02 pm