2-Factor Authentication with Security Keys – now available for Boxcryptor
Boxcryptor has been offering 2-factor authentication (2FA) for a longer period of time, to help you protect your Boxcryptor account better. Until now, to use 2FA, you needed a second device (such as a smartphone) with an authenticator app. Now you have the opportunity to prove your identity via your USB port and without a second device running an app, but with a hardware factor. Boxcryptor is now ready to use security keys, such as YubiKeys.
In this article we explain how Boxcryptor uses 2FA and security keys to better protect your account and how you can set up the configuration for the extra layer of security for your Boxcryptor account.
2-Factor Authentication – what is it and how does it work?
2-Factor Authentication provides additional security to prevent identity theft requiring two independent factors being provided (at log-in) for verification of one’s identity. Both factors have to be correct for the authentication to be successful. If one of these factors is missing or incorrect, the identity cannot be verified. This usually means that the desired service will not be available.
A widely used technology, related to 2FA, the 2-step verification (2SV) is commonly used in online banking applications: To transfer money via the online portal of a bank does not only require access to the online banking account, but the legality of the transfer order has to be reaffirmed by entering an additional password (TAN) often generated by a separate app or device. Unlike 2SV in online banking, 2FA requires the factors to be independent from each other and of different kind.
So-called "phishing" attacks allow scammers to gain access to the log-in data (i.e. user name and password) of a person relatively easy by tricking users into authentication with username and password (sign-in) on fake websites. Hence, the main task and the biggest advantage of two-factor authentication is the protection of the proof of identity by a second, physically independent authentication factor. However, the increased security in the login process is at the expense of the convenience of the same, since the log-in process requires an additional step. Furthermore, a loss or damage of the second authentication factor can cause non-availability of a service or follow-up costs (replacement of the second factor).
2FA implementation at Boxcryptor
Boxcryptor uses the WebAuthN standard for 2FA with security keys. If a security key is registered in a Boxcryptor account, the security key internally creates a new, asymmetrical pair of keys. The private key is managed solely by the security key, e.g. in that he is assigned to a Boxcryptor account and stored on the security key itself. The public key is forwarded to the Boxcryptor server.
If the user then successfully authenticates with his username and password, the Boxcryptor server sends a so-called "challenge", a random series of bytes, to the client. This challenge is remembered by the server. The client passes a fingerprint of this challenge to the security key. The security key now waits for a confirmation by the user - which shows, depending on the security key used, e.g. in that the confirmation key of the security key flashes. The user needs to give the security key a confirmation, e.g. pressing a confirmation button on the security key.
This prevents an authentication from being granted without the explicit consent of the user. The security key then signs the challenge's fingerprint with the private key stored specifically for Boxcryptor, and this signed fingerprint is sent back to the server. The latter now uses the public key to test whether the fingerprint originates from the registered security key and whether the fingerprint matches the challenge the server remembered. If so, then the client has proven that its user owns the registered security key and the user is successfully logged in.
Boxcryptor will ask you to authenticate by activating your security key when you log-in to your Boxcryptor account.
In addition to this basic functionality, Boxcryptor protects your account with other, more complex techniques against attacks, e.g. the challenges are only valid to a limited extent and a "usage counter" is compared with the security key. As a result, even a copied security key (as difficult as it should physically be to copy) could be detected with a high probability.
2FA using security keys
Basically, Boxcryptor supports all security keys, as a second authentication factor, as long as this key supports the WebAuthN standard. WebAuthN is a project of the World Wide Web Consortium, a body for defining standards of technology on the World Wide Web. WebAuthN is intended to streamline and standardize authentication in the Internet. These efforts are also being supported by the FIDO Alliance - a consortium of a large number of major companies in the digital industry (e.g. Google, Alibaba Group, Amazon, Microsoft, Nok Nok Labs and several others ). Unlike its predecessor U2F (a proprietary standard from Yubico and Google), WebAuthN is not a proprietary standard and is therefore supported by a significantly larger number of browsers. Since WebAuthN is backwards compatible with U2F, all U2F-compliant security keys can also be used for 2FA with Boxcryptor.
Boxcryptor supports the WebAuthN standard and therefore, can be used with all WebAuthN-capable keys on (almost) all browsers with 2FA – Initially, Chrome, Firefox, Opera and Edge are supported. Apple has not yet fully implemented WebAuthN in Safari, but is already working on it. The latest versions of the Boxcryptor desktop apps for Windows and macOS support 2FA via WebAuthN and thereby all security keys with FIDO 2.0 support, as second authentication factor. While the availability of this feature for Boxcryptor on Android is scheduled for early 2019, iOS users have to be patient until Apple has implemented the new standard in iOS.
A very well-known security key vendor is Yubico. Their security key product is called YubiKey and is presented in the following to exemplify the use of a security key.
YubiKey – What is it and how does it work?
YubiKey is a hardware-based, physical second authentication factor. A YubiKey looks like a standard USB stick, but does not store any data, but is functioning as a factor in the proof of identity. The Yubico company has been offering the YubiKey for making two-factor authentication significantly safer and somewhat simpler.
It is a simple principle: The YubiKey’s function is to be the second necessary factor for authentication and it is connected to the computer via the USB port, just like a regular USB flash drive. Only when the YubiKey is connected to the computer and authentication has been authorized by the user via a button on the YubiKey can the authentication be completed successfully. Certain YubiKey models are also capable of authentication via an NFC connection, which might be particularly useful on mobile devices. Furthermore, may the new YubiKey 5 generation keys with USB-C be used together with current mobile devices with a USB-C connection - the YubiKey is simply connected to the mobile device via USB - just like on a (desktop) computer.
Worries concerning the transmission of malware by the YubiKey are unjustified because, except for the data provided and required for WebAuthN, there is no exchange of data with the computer. YubiKey support is given in all common operating systems and the hardware of the YubiKey is protected against damage through shocks and water.
A disadvantage of this solution that should by no means be neglected however, is that authentication is not possible if you do not carry your YubiKey with you. We recommend to consider this aspect when choosing your second factor (for 2FA).
Get access even if the “second factor” is lost.
However, a disadvantage of this solution for 2FA that should not be neglected is that authentication is not possible, if one does not have one's security key at hand. We recommend considering this aspect when choosing the second factor (for 2FA). In this regard, we also strongly recommend as a "best practice" to, from the very beginning, set up 2 security keys for a Boxcryptor account, in order not to "completely" exclude yourself from the account in the event of loss of a key.
Additionally, you have the option to set up backup codes (one-time codes) that you can fall back on if you lose your Security Key or the mobile phone with the authentication app is no longer available. We recommend downloading the backup codes and keeping them safe. In order to benefit from the backup codes, you need to have the codes available when you are logged out.
You can obtain the backup codes as follows:
- Sign in to boxcryptor.com.
- Navigate to Security.
- Click on Two-factor Authentication -> Security Keys.
- Select Add Security Key and follow the instructions on the screen.
- Download the codes and put them in a safe place.
Activate 2FA with Security Key in Boxcryptor
Setting up a security key for Boxcryptor is easy: Log in to the Boxcryptor Web App and navigate to the menu item "Security" -> "Security Keys". Here you can manage your security keys. To add a new security key, select "Add Security Key" and follow the instructions on the screen.
To add security keys, select the menu item "Security in your Boxcryptor Web App.
The Web App will guide you through the setup of your security key.
You will see this message once you completed the setup of your security key successfully.
