Yubico Forum
https://forum.yubico.com/

Yubikey vs Google authenticator - Which one is the best?
https://forum.yubico.com/viewtopic.php?f=4&t=1661
Page 1 of 2

Author:  visibleninja [ Tue Dec 16, 2014 6:02 pm ]
Post subject:  Yubikey vs Google authenticator - Which one is the best?

Hey there!

In your opinion, which is the best solution, Yubikey vs Google Authenticator?


I'm currently using Yubikey but I might start using google authenticator instead.

Author:  DavidW [ Tue Dec 16, 2014 7:13 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.

Author:  darco [ Tue Dec 16, 2014 7:17 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade. The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.

Author:  dvarapala [ Tue Dec 16, 2014 7:59 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

darco wrote:
I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade.


Worst case, the secret used by the Google Authenticator app can be manually transferred to a new phone if necessary.

Quote:
The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.


Not quite true. My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.

Author:  darco [ Tue Dec 16, 2014 8:00 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

Ok, fair enough, I am assuming that the device is NFC compatible and works with the ykneo.

Author:  visibleninja [ Tue Dec 16, 2014 8:25 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

DavidW wrote:
With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.


[My emphasis]

One doesn't need to read the contents of a yubikey. The fact that the OTPs are not time-based makes it easier to "hack" than google-authenticator. All you have to do is get someone's yubikey, mail yourself some OTPs and then use them. Of course once an OTP is used, all the past OTPs will be useless, but still.

I find Google-Authenticator in an encrypted password protected device much more secure than yubikey. I created this thread to be proved otherwise, as I might be starting to think that I made the wrong choice by going with Yubikey.

Thank you all for posting on this thread btw.

Author:  darco [ Tue Dec 16, 2014 9:04 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.

Author:  DavidW [ Wed Dec 17, 2014 1:28 am ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

darco wrote:
Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.


Adding to darco's answer, the majority of services online use TOTP, so you cannot generate OTPs in advance unless you have access to the secret and know the time you want the OTP for (typically a 30 second window, with the server making some allowance for entry time and clock skew).

I have credentials for Google, Microsoft, Dropbox, Facebook, Tumblr and github on my Yubikey Neo. All are TOTP credentials.


The only event-based credentials I have are those I use with the Yubikey's 'touch button' capabilities: Yubico OTP (which I don't use much) and Symantec VIP (which I use with PayPal). I also have event based hardware OTP setups from two UK banks - HSBC uses a self-contained PIN protected token and Nationwide use a small device that works with the Chip Authentication Program feature on their cards.

Author:  DavidW [ Wed Dec 17, 2014 1:42 am ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

dvarapala wrote:
My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.


My Galaxy Note 3 works fine with my Neo, though I'm running a different country version to you and therefore different firmware (mine is BTU - United Kingdom unbranded). I will undoubtedly have different apps loaded to you. It's possible you have an app that is interfering with Yubico Authenticator and/or Yubiclip's use of NFC.


I'm therefore able to generate OTPs using the Authenticator app on my phone over NFC, or by using the Authenticator app on my laptop with the Neo in a USB slot.

Author:  Tom2 [ Wed Dec 17, 2014 1:16 pm ]
Post subject:  Re: Yubikey vs Google authenticator - Which one is the best?

My take on this question is the following:

Google Authenticator is a piece of software that uses well-known algorithms to generate on-screen displayed codes (smartphones, tablets, PCs).
In this scenario you have to trust your phone's hard drive (tablet, PC, etc.) to store the secrets. These devices are often Internet connected.

The Yubikey stores the secrets in the secure element. It is not an Internet-connected device. The same well-known algorithms are later used to spit out the codes exactly as Google Authenticator does on the smartphone, tablet, etc. However, the secrets never leave the Yubikey's secure element.

The Yubikey applet can be password protected.
Google Authenticator can't be (on iOS; however, it could easily be added); it just prevents the average Joe from picking up the phone, starting the app and stealing a couple of codes.

The real question here is: 'do you trust storing secrets in the "designed storage" for your device's app, or would you rather store them in an offline device's secure element?'

What do you think? I am happy to see great conversations about security coming up on this community!
