State of U2F in December 2020

NOTE: This is an updated version of my original article: “State of U2F in May 2019” (18 months ago)

I am attempting to register physical USB keys with various online accounts in an attempt to improve my online security.

I purchased multiple YubiKey keys (YubiKey 5C and YubiKey 5C Nano) with the intent to register at least two keys with each of my supported online accounts so that I have a backup in case my primary key is lost or stolen. I have access to additional YubiKey keys for testing, so I will attempt to register at least 3 keys with each service.

Before you begin, consider using YubiKey manager to disable all interfaces except “FIDO U2F” and “FIDO2” on each key. I manually labeled each of my keys as “U2F NNNN”, though it is unclear which sites are using older FIDO1 (FIDO U2F) and which sites are using newer FIDO2. The “OTP” interface is similar to Google Authenticator [1] and could leak your identity [2]. Disabling OTP will prevent YubiKey from typing a string every time you tap the YubiKey button. Only enable the interfaces you intend to use.

Here is a summary of my experience with each online provider. Each browser test was performed on macOS 11.1 (Big Sur) on Apple Silicon M1 with the latest versions of Brave (1.2.40 88.0.4315.5), Firefox (84.0), and Safari (14.0.2) 64-bit browsers. I am able to register keys to my accounts and authenticate to my accounts using Brave, Firefox, and Safari. All 3 browsers appear to have built-in support for “WebAuthn” and/or “U2F”.

Google (Apps, Cloud)

Key Limit: Multiple (6+) — Successfully registered 6 different U2F keys
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

GitHub

Key Limit: Multiple (6+) — Successfully registered 6 different U2F keys
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

Facebook

Key Limit: Multiple (6+) — Successfully registered 6 different U2F keys
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
Unsupported Browser:
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App (fallback to OTP authenticator code)

WordPress (via Plugin)

Key Limit: Multiple (6+) — Successfully registered 6 different U2F keys
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

NameCheap

Key Limit: Multiple (6+) — Successfully registered 6 different U2F keys
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

Amazon Web Services (AWS)

Key Limit: ONE (1) — Simple On/Off toggle for 2FA. Must choose either OTP or U2F. Cannot enable both simultaneously. Unable to Register Multiple U2F Keys [3]
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
Unsupported Browsers:
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

Twitter

Key Limit: ONE (1) — Simple On/Off toggle for U2F. Unable to Register Multiple U2F Keys. Can enable OTP and U2F simultaneously.
Supported Browsers:
• Brave (1.2.40 88.0.4315.5) on macOS 11.1 (Big Sur) – M1 Intel/Rosetta 2
• Firefox (84.0) on macOS 11.1 (Big Sur) – M1 Universal App
• Safari (14.0.2) on macOS 11.1 (Big Sur) – M1 Universal App

No Support for U2F or FIDO2

LinkedIn – The only supported verification methods are SMS and OTP (Authenticator App) as of 12/2020
MailChimp – The only supported verification methods are SMS and OTP (Authenticator App) as of 12/2020
Slack – The only supported verification methods are SMS and OTP (Authenticator App) as of 12/2020

References

[1] Medium: The Unofficial FIDO U2F FAQ
[2] Hacker Noon: Avoid Leaking Your Identity with YubiKey
[3] AWS: Use YubiKey security key to sign into AWS Management Console with YubiKey for multi-factor authentication (comments confirm only one U2F device is supported per login)

AWS CodeBuild Failed due to Docker pull rate limit. Solution: Update buildspec.yml file.

At Logic Forte, our CI/CD pipelines typically use AWS CodeBuild to pull Git repositories and build/test/deploy Docker images. Our typical build will pull a public image from Docker Hub, build a custom image, and then save our custom image to a private repo on ECR for testing/deployment.

Docker has been notifying users that it would begin rate limiting public image requests in November 2020. The new limit of 100 pulls per hour may seem like it would not affect your occasional builds, especially if you deploy from a private repo like ECR.

Nearly all of our image pulls use our private repo when we deploy and when we scale up/down. We might build 5-10 times per day, which is far below the new 100 pulls per hour limit. However, if you use a cloud service (such as CodeBuild) to build your Docker images, this new rate limiting will likely affect you, since the cloud build service will likely exceed Docker’s new rate limit thresholds. The service is building images for thousands of other customers, so Docker sees thousands of pull requests coming from the build service and has no idea which customer each request belongs to.

Problem

Our CodePipeline failed immediately after Docker began enforcing the new rate limits. Specifically, our CodeBuild job failed with the following errors:

Building the Docker image...

[Container] 2020/11/04 18:19:25 Running command docker build -t $REPOSITORY_URI:$IMAGE_TAG .
Sending build context to Docker daemon  6.797MB
Step 1/17 : FROM php:7.3-apache
toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

[Container] 2020/11/04 18:19:26 Command did not exit successfully docker build -t $REPOSITORY_URI:$IMAGE_TAG . exit status 1
[Container] 2020/11/04 18:19:26 Phase complete: BUILD State: FAILED

Solution

Fortunately, the solution to the “toomanyrequests: You have reached your pull rate limit” error was simple and straightforward.

  1. Create account at Docker.com. We created a new FREE individual account at Docker.com just for authenticating pull requests.
  2. Create a new Access Token in your Docker account under Account Settings then Security. We named our access token “AWS CodePipeline”.
  3. Update your project buildspec.yml file used by CodeBuild so that it authenticates to Docker prior to building images. We added the following 3 lines to our build spec, immediately before our “docker build” command. Substitute “mybucket”, “mypath”, and “myusername” with valid values for your environment.
aws s3 cp s3://mybucket/mypath/.docker.key .docker.key
docker login -u myusername --password-stdin < .docker.key
rm .docker.key

To be clear, we placed our Docker Access Token in a file named “.docker.key” and uploaded the “.docker.key” file to a restricted S3 bucket. Our build process is already reading other files from the S3 bucket, so adding this file to the mix was easy. If your CodeBuild job is not already interacting with S3, you will need to set up IAM permissions to allow CodeBuild to read from a bucket. An alternate solution would be to store your Access Token in AWS Secrets Manager and retrieve the secret token during the build process.

Need a quick fix? You could temporarily use the following single line solution in your Build Spec file (instead of the 3 lines we are using above) to test and ensure that authenticating to Docker resolves your build errors.

docker login -u myusername -p myaccesstoken

Be aware that storing your Access Token in your Build Spec file is not considered best practice, since your access token would end up being committed to a shared code repository. If you test with this one-liner, be sure to remove the access token from your Docker account after you are done testing!

Please reply below if you found this helpful. It is always nice to hear that these posts are helping others. 🙂

AWS Lambda Function that Automatically Updates Security Groups using AWS ip-ranges.json file

We heavily restrict outbound traffic for all of our EC2 instances. This is straightforward most of the time, but can be frustrating when you want to allow access to AWS services.

AWS offers VPC endpoints for some services, such as S3, that allow us to make the AWS service available in our VPC without having to allow outbound HTTPS access to the entire internet.

However, what do you do when you want to use a service that does NOT offer a VPC endpoint? For example, we need to allow HTTPS to SQS and we need to allow SUBMISSION (587/tcp) to SES. AWS would tell you that you have to allow outgoing HTTPS or SUBMISSION traffic to the entire internet.

I created a script a few years ago (based on an AWS script for CloudFront) to solve this problem. The script downloads the list of known AWS IP ranges every time the list is updated, merges the ranges for your specified AWS Region, and then updates Security Groups that contain special tags. While not perfect, this script allows us to restrict outgoing HTTPS or SUBMISSION traffic to known AWS IPs instead of the entire internet. It has been working quite well for the past few years.

I published the code with documentation today. Would gladly accept PRs if you try this and want to help improve the documentation. Enjoy!
https://github.com/jason-klein/aws-lambda-update-security-groups-aws-ip-ranges
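The selection, merge and diff steps described above, as an added example that is not the published Lambda: it uses the real ip-ranges.json layout (prefixes[].ip_prefix / region / service) and the md5 field of the AmazonIpSpaceChanged SNS notification, while the sample document and the AutoUpdateService / AutoUpdatePort tag names are constructed for this demo. Applying the planned changes through the EC2 API is left to the caller.

```python
"""Plan security-group egress changes from AWS ip-ranges.json (added example)."""
from __future__ import annotations

import hashlib
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1606780800",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "SQS"},
        {"ip_prefix": "52.94.4.0/22", "region": "us-east-1", "service": "SQS"},   # adjacent: merged
        {"ip_prefix": "52.94.2.0/24", "region": "us-east-1", "service": "SQS"},   # contained: dropped
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "SQS"},
        {"ip_prefix": "54.240.0.0/18", "region": "us-west-2", "service": "SQS"},  # other region
        {"ip_prefix": "99.77.0.0/18", "region": "us-east-1", "service": "CLOUDFRONT"},  # other service
    ],
})


def download_is_intact(body: bytes, expected_md5: str) -> bool:
    """The AmazonIpSpaceChanged SNS message carries the MD5 of the file at its url;
    refuse to touch any rule when the download does not match it."""
    return hashlib.md5(body).hexdigest() == expected_md5.lower()


def service_cidrs(ip_ranges_json: str, region: str, service: str) -> list[str]:
    """IPv4 CIDRs published for one service in one region, merged and de-duplicated."""
    doc = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["region"] == region and p["service"] == service]
    # collapse_addresses joins adjacent blocks and drops blocks inside a larger one
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_changes(group: dict, ip_ranges_json: str, region: str) -> dict:
    """Diff a group's current egress CIDRs for one port against the published ranges.

    group is a simplified view of one DescribeSecurityGroups entry:
    {"tags": {...}, "egress": ["cidr", ...]}.  Only groups carrying the
    (hypothetical) AutoUpdateService tag are touched; AutoUpdatePort picks the
    TCP port (443 for SQS over HTTPS, 587 for SES SUBMISSION).
    """
    tags = group["tags"]
    port = int(tags.get("AutoUpdatePort", 443))
    if "AutoUpdateService" not in tags:
        return {"port": port, "add": [], "remove": []}
    desired = set(service_cidrs(ip_ranges_json, region, tags["AutoUpdateService"]))
    current = set(group["egress"])
    return {"port": port, "add": sorted(desired - current), "remove": sorted(current - desired)}


if __name__ == "__main__":
    demo = {"tags": {"AutoUpdateService": "SQS", "AutoUpdatePort": "443"},
            "egress": ["52.94.0.0/22"]}
    print(json.dumps(plan_changes(demo, SAMPLE_IP_RANGES, "us-east-1"), indent=2))
```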

Pairing VeraPlus with Jasco GE ZWave Smart Light Dimmer 14294 and Smart Fan Control 14287

I recently purchased several Jasco/GE Enbrighten Z-Wave Smart Switches for use with my VeraPlus Z-Wave Controller. I could NOT get the new smart switches to pair with the controller. I describe two separate techniques I successfully used to pair these switches with VeraPlus.

Here are the specific products I am using. These are NOT referral links.

Jasco GE Enbrighten Z-Wave Plus Smart Light Dimmer 14294
https://amazon.com/dp/B01MUCZA1C

Jasco GE Enbrighten Z-Wave Plus Smart Fan Control 14287
https://amazon.com/dp/B06XTKQTTV

Vera Control VeraPlus Smart Home Controller Hub
https://amazon.com/dp/B01BX9P89Y

How I FAILED to Pair my Jasco/GE Smart Switches to Vera

I initially attempted to add the new Jasco/GE Z-Wave switches through the Vera web interface (and also tried through the Vera mobile app) as a “Jasco In-wall Smart Dimmer” (45857/ZB3001). This was the only device that seemed to be a close match for my new Jasco/GE Z-Wave smart switches.

I kept attempting to reset the switches using a variety of methods and then repeating the pairing process in the Vera website or mobile app:

  1. Pulling out the small power (aka “air gap”) button below the toggle switch, holding the up position on the toggle switch, pushing in the small button, continuing to hold the up position for 4 seconds.
  2. Same as above, followed by rapidly pressing up position on toggle switch 10 times.
  3. Rapidly pressing up position on toggle switch 3 times, then rapidly pressing down position on toggle switch 3 times.
  4. And several other possible reset techniques I found online.

None of these methods worked. It turns out, I should NOT have been trying to use the built-in “Jasco In-wall Smart Dimmer” profile when adding the device to Vera. I later noticed that the ZigBee light was blinking on my VeraPlus controller when attempting to add as a “Jasco In-wall Smart Dimmer” (45857/ZB3001). The model number includes letters “ZB”, so that makes sense. Wish Vera would specifically mention “ZigBee” in the existing profile or add a profile for these Z-Wave switches to help others avoid experiencing the same problem.

How I SUCCESSFULLY Paired my Jasco/GE Z-Wave Devices with VeraPlus

Method 1: Use Vera Web Interface or Vera Mobile App

  1. Go to Devices, Add Device, Choose “Generic Z-Wave Device”, Click Next, Click Next. 60 second countdown should begin.
  2. Very quickly/briefly tap the up position on your Jasco/GE Z-Wave smart switch to begin pairing process with VeraPlus. Vera should recognize the new device as a generic smart device in a few seconds. Give Vera 10-20 seconds to detect the device features and show the device as a dimmable switch. This happens automatically! You may have to leave the devices page and go back to devices to see the updated device.
  3. Assign your new smart switch device to a room and give the device a name.

I successfully used this method with another pair of new Jasco/GE Z-Wave Smart Light Dimmer 14294 and a Smart Fan Control 14287 smart switches after I got my first pair working with the method below. Listing this method first since it is far easier.

If this 3 step method doesn’t work for you, definitely try method 2. In my case, having the VeraPlus near the smart switches could have been key to my success. I moved the VeraPlus controller close to my smart switches and used my laptop to access the Vera web interface. This involved enabling internet sharing on my laptop, plugging Vera into my laptop port, and figuring out the Vera IP address. If you have to move your VeraPlus controller closer to the switches, method 2 is probably your best bet.

Method 2: Use hardware buttons on VeraPlus

  1. First, bring your VeraPlus near the Jasco/GE switches. In my case, that meant unplugging power/network from my main closet, taking the VeraPlus and power cord to the room with the new switches, then plugging in the VeraPlus power cord.
  2. Press the Vera “Select” button until the Z-Wave light on the VeraPlus is flashing, then hold the Vera “Sync” button for about 3 seconds. The Vera Z-Wave light will begin flashing rapidly. Vera is now in “Z-Wave Exclusion” mode, meaning you can force any nearby Z-Wave devices to disassociate from their Z-Wave network.
  3. Very quickly/briefly tap the up position on your Jasco/GE Z-Wave smart switch while watching the VeraPlus Z-Wave light. Notice the light change for a moment, then continue flashing. Repeat for each nearby Jasco/GE switch to force the smart switch to disassociate from Z-Wave, even if the device is new.
  4. Press the Vera “Sync” button for a moment. The Vera Z-Wave light should change from rapid flashing to slow flashing. Vera is now in “Z-Wave Inclusion” mode, meaning Vera is ready to pair with new nearby Z-Wave devices.
  5. Very quickly/briefly tap the up position on your Jasco/GE Z-Wave smart switch while watching the VeraPlus Z-Wave light. Notice the light turn off for a moment, then continue flashing. Repeat for each nearby Jasco/GE switch to force the smart switch to pair with Vera.
  6. Unplug the VeraPlus power cord, move the VeraPlus back to its normal location, and plug it back in to power/network.
  7. When you access Vera web interface or Vera mobile app, you should see each of your new Jasco/GE smart switches at the top of your device list with default names. Assign each smart switch device to a room and give each device a name.

Huge kudos to Youtuber “jediknight” for describing this hardware button method in their video below. I successfully used this method with a Jasco/GE Z-Wave Smart Light Dimmer 14294 and a Smart Fan Control 14287.

Video: VeraPlus – Use Hardware Buttons for Device Inclusion & Exclusion

SmugMug Review 2020

I take MANY photos (5000+ per year) at events with family and friends. I like to share all of these photos and definitely don’t want to lose them!

I subscribed to SmugMug in February 2014 because their service seemed to solve two major problems for me:

  1. I wanted to share a majority of photos with family and friends
  2. I wanted to backup a majority of photos to a third/cloud backup

Fast forward 6 years. I realize I need a more convenient method of uploading photos to meet the two needs above. I uploaded my entire photo collection when I began using SmugMug in 2014, but I have only uploaded about once per year since then.

Overall Experience

Overall, the SmugMug service mostly met my needs. Other people could access most of my collection and I had peace of mind that most of my collection was protected by a third/cloud backup.

I went with the “Power” plan because it allowed me to create a custom domain name for my gallery (photos.jrklein.com). The service initially cost $60/year (2014-2017) and later $72/year (2018-2019).

My gallery contained 20K photos (86GB) in hundreds of galleries sorted in year/month folders. For example, you might browse to our family folder, a 2010 folder, then March folder, then Wedding gallery.

SmugMug did NOT have a native Mac app when I initially uploaded most of the photos in 2014, so the web-based process was VERY slow and time consuming (create a gallery, upload files, wait, repeat) but the end result was nice for family/friends to browse. SmugMug now provides a native Mac upload app that allows you to queue up multiple gallery uploads. The App Store reviews cite many problems, but the app was able to upload photos from Mac Photos on macOS Mojave (10.14.6).

Feature Idea – Automatically Upload Photos from Mac Photos

I currently have to manually upload photos to SmugMug. I wish SmugMug had an automated method of uploading photos. It would be very nice if the SmugMug native Mac upload app could automatically detect and upload any new photos from Mac Photos into private galleries for me to review and publish. Photos could be grouped into galleries for each new “Moment” or “Collection”, or maybe just grouped by day or month?

Either way, moderating each gallery (reviewing, marking certain photos private, etc) then making the gallery public would be much faster and more convenient!

Feature Idea – More Convenient Bulk Photo Download

I wish there was a better way to download all of my photos from SmugMug without having to download a ZIP archive for each gallery. Since one of my requirements is to have a third/cloud backup of my photos, I need to be able to more easily retrieve my photos from the service.

SmugMug currently offers downloading all of the photos from a single gallery. The process is not great, plus I have hundreds of galleries so I would have to repeat the process hundreds of times.

Current Gallery Photo Download Process

When I am logged into SmugMug and I browse to a gallery with 3 or more photos, I see a Download All button next to the Slideshow button. I have to download individual photos if a gallery only has 1 or 2 photos.

When I click the Download All button, the website tells me that it is working to create a ZIP archive of the photo files and will email me when a link is ready to download. If I wait long enough, the website tells me that my photos are ready to download and displays a download link:

The ZIP archive does contain the original photo files with the original file names.

Here is output showing the photos I uploaded to a test gallery (album-upload/) and the files that were in the ZIP archive SmugMug created for me (album-204588880-downloads/). Notice that the files have the same MD5 hash? That means they are the EXACT SAME files.

Minor Bug? Take a close look at the screenshot above. My upload folder contains 4 files, but the download only contains 3 files. If you download a gallery archive, upload more photos to that gallery, and attempt to download a new gallery archive, SmugMug apparently does NOT update the archive with the new photo file(s).

Other Bulk Download Options

There might be 3rd party software that can easily bulk download all of my photos from SmugMug since they have an API, but I did not pursue this since my #1 issue was more convenient uploading.

Feature Idea – Make Cancellation Effective on Renewal Date

The cancellation form specifically says “Your account will be closed immediately, and we’re unable to offer refunds for any unused portion of your subscription fees.” I rarely run into this. Some vendors will credit or refund the unused service fees, but most vendors automatically cancel the service on the renewal date.

Sure enough. My account was disabled immediately after clicking “Yes, Close My Account”. Classy.