This isn't an endorsement of Yubico (nor a put-down) - but they're the market leader with the most options and I need to understand what constitutes a second factor (that part's not too difficult) and when they're a good idea (that part's difficult).
A quick mention of Google Authenticator as perhaps the best known implementation of TOTP (definitions below, you'll need them). It runs on your phone and generates a six- to eight-digit code that you enter as a second factor when logging in to websites. Apparently it also does HOTP, although perhaps only for Google's own applications.
Back around January I purchased two U2F keys, one from Fido and one from HyperSecu. These are relatively cheap at about $20 each. They're meant as a second factor for identifying yourself to websites. Sounds like a great plan, but they're not quite as "universal" as the name would like to suggest. As of 2017-07, U2F is fully supported in Chrome and Opera, but not supported in Edge or Firefox (although both claim to be working on it). With Firefox, U2F is supported by an add-on (although a comment on the page suggests it doesn't work with the latest Firefox, and further reading suggests it may be asking for too many permissions). And of course this is only going to work if any given website has gone to the trouble of implementing U2F login.
I thought "I have these keys, why don't I use them as a second factor for login to my computer?" As it turns out, the "universal" in the title is again misleading: it means "universal ONLY for websites." It appears that U2F can be made to work as a login factor for a computer, but there's a really significant problem: it requires access to an online server (Yubico's key server). And if you want to log in to your computer when you're offline? Nope.
So what are the other options? Well ... Yubico offers several USB-based keys to assist you with not only U2F, but also OATH-HOTP, OATH-TOTP, secure static passwords, their own OTP system, OpenPGP, a PIV-compliant smart card, and "Secure Element" (whatever that means). This discussion is now officially about standards, and what that means is there will be a staggering number of acronyms and a very large and painful body of reading to be done.
I initially meant for this blog entry to be considerably longer, but looking at what I'd have to define - and how unsure I am of the details - I'm going to call this a good start and tackle the protocols in separate blog entries (if at all).
- 2FA = Two-Factor Authentication
- HMAC = Hash-based Message Authentication Code
- HOTP = HMAC-based One-Time Password - open standard supported by the IETF
- IETF = Internet Engineering Task Force - open standards body that develops voluntary Internet standards (particularly but not exclusively related to TCP/IP)
- OATH = Initiative for Open Authentication (not to be confused with OAuth, an open standard for "secure delegated access" - i.e. quite similar to all this mess)
- OTP = One-Time Password
- PIV = Personal Identity Verification per FIPS 201
- TOTP = Time-based One-Time Password - supported by IETF and OATH
- U2F = Universal 2nd Factor - open authentication standard initially proposed by FIDO
- Comparison of Yubico's available key types: https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/
- Yubico's overview of how the U2F protocol works: https://developers.yubico.com/U2F/Protocol_details/Overview.html