Setting up MFA With Your New NitroKey Pro 2 and Fido 2
Posted by Security Team on
Table of Contents
What is OTP?
You may have read our last article about the importance of MFA or have purchased a NitroKey Pro 2 or NitroKey Fido 2 and want to know how to use this excellent security tool in your strategy to help keep your online accounts safe.
Please keep reading to find out what it is and how to use it.
A one-time password or passcode (OTP) is a unique string of numbers or characters authenticating a user for a single login and or transaction.
OTP helps adds a second layer of authentication to logins that an unverified user must pass before accessing an account.
The OTP password provides a system for logging on to a service or network using a unique time-based password that can be used only once, as its name suggests.
OTP prevents some forms of identity theft and brute force attempts by ensuring that there is another added measure to logging in that is not just your username and password
What is Fido?
Very much like OTP, there are many other MFA (Multi-Factor Authentication) alternatives we can use to validate our logins Fido (U2F) and Fido2.
FIDO (Fast Identity Online) authentication is a set of standards for fast, simple, strong authentication.
These standards are developed by the FIDO Alliance, an industry association with representatives from a range of organisations, including Google, Microsoft, Mozilla, and Yubico. The standards enable phishing-resistant, passwordless, and multi-factor authentication. In addition, they improve online UX by making strong authentication easier to implement and use.
Some of the web’s most popular tools and apps already use FIDO authentication, including Google Accounts, Dropbox, GitHub, Twitter, and Yahoo Japan.
https://developers.google.com/identity/fido
Fido uses a hardware key like the NitroKey Fido2 that, once plugged in or the button is pushed, can log you into your accounts using passwordless authentication as long as you have your key with you or as an MFA method with a password.
But not all companies and websites are using Fido.
OTP is currently the more common method of MFA. However, Fido2 and U2F are picking up traction.
To see a list of websites that use MFA, have a look at:
Setup OTP With The NitroKey Pro 2
Two OTP modes exist:
- Time-based One-time Passwords (TOTP) are widely used for websites. If unsure, assume you are using this mode.
- HMAC-based One-time Passwords (HOTP) is used for local applications and computer logins.
To use One-Time-Passwords with your Nitrokey Pro 2 you need to download and install the latest Nitrokey App.
The use of One-time Passwords (OTP) is called different things on the various services that support it.
Sometimes it is referred to as Multi-factor Authentication (MFA), sometimes it is Two-factor Authentication (2FA) or just “authentication via authenticator app” like Google Authenticator.
Most of these services are compatible for usage with the Nitrokey Pro2. The following instructions show how to enable OTP on the NitroKey Support Forum. The procedure is quite similar on most services like Protonmail, Tutanota, Nextcloud, etc.
You will need to have the Nitrokey App installed to use the OTP feature of the Nitrokey Pro.
Let’s Begin
Login to the website which supports OTP, in this example, the support forum of the NitroKey website. Usually, you find the option to enable two-factor authentication under your profile or in the settings.
Most of the time, you will get a QR-Code as seen below usually for 2FA apps. There should be an option, to show the secret key directly.
We need to copy the secret code.
This is what the Nitrokey is actually protecting. You may create a backup of it now (in case the Nitrokey get lost or breaks) by writing it down on a sheet of paper and storing it securely. But be aware that anybody who is in possession of this secret code, can create one-time passwords for your account! Please note that you won’t be able to backup this code, once it is stored in the Nitrokey!
Now start the Nitrokey App and open the “OTP Slot Configuration”.
Paste in the secret key in the corresponding field and choose an appropriate slot name. Click on “Save” and type in your admin PIN if requested.
After saving the slot you can go to “Menu” -> “Passwords” -> YourSlotName to get your very first one-time password.
The one-time password is copied to your clipboard automatically. You just need to paste it to the field on the website to confirm the correct setup and thus to activate the two-factor authentication.
From now on you will get asked for a one-time password additionally to your other credentials if you try to login the the website. You just need to open the Nitrokey App and go to “Menu” -> “Passwords” -> YourSlotName again to get the one-time password.
Setup Fido (U2F) With NitroKey Fido 2
Now we are going to setup Fido U2F and use Tutanota mail as the example.
Note: NitroKey Fido 2 does not use the NitroKey app.
Find the area that allows to you add Second Factor Authentication like in the OTP example.
Select U2F or Fido 2 as the type if it is available (not all websites utilise U2F or Fido 2) and give it a name.
You will be prompted to insert your Nitrokey Fido 2 so we can register it.
So go ahead and insert your NitroKey Fido 2 to your USB port on your computer or phone if your using an adaptor.
Don't forget to write down your recovery code and store it somewhere safe.
Otherwise you lock your self out of your account (not fun).
That's it! now when you login you will be promoted for your username, password and will then need to insert or touch your NitroKey (if its already plugged in) to login to your account.
Conclusion
We hope this has helped you in setting up your NitroKey whether that be OTP or U2F/Fido 2 to help secure your digital life and don't forget Nitrokey has many many more features we haven't even touched on.
Be sure to get in touch with our team if you have any questions regarding NitroKey or any of our other products.
Sources