TL;DR
Please stop using passwords. My stack is based on Yubikey and 1Password. Can I be a passwordless team member? Check my journey and answer the question. I improved my security with the following steps:
- Entra ID accounts without password,
- extended security on GitHub with GPG key,
- moved the SSH keys to 1Password,
- started using 1Password CLI to access secrets for ServicePrincipals.
Big Picture
Yubikey
I started my journey with Blue Yubikey. After a couple of weeks, I notice two issues:
- I need to have a minimum of two keys (one for backup) - I lost one key and needed help accessing my resources.
- Oh no - there are other keys in the Yubico portfolio - with GPG support - I think I need a next key - or keys.
I decided to buy a new one (yes, two of them :)) - Yubikey 5 series.
Passwordless Entra ID
- Now I have access with passwordless to Entra ID tenants (only with enabled FIDO2 authentication) link
There are only a couple of steps to enable it(with the Authentication Policy Administrator role):
- Browse to Protection > Authentication methods > Authentication method policy.
- Under the FIDO2 Security Key method, click “All users or dedicated group”.
- Click Save.
Gpg key for GitHub
It was not easy for me - but within a couple of hours, I could use my Yubikey to store my GPG key and use it with GitHub. Now I can sign all commits with my key:
- I can meet the requirements of the GitHub commit signing policy
- In addition, I can do that with remote development - use my key with the RDP session and sign commits (so the USB key is forwarded to the remote - how nice)
Instruction and links:
- Using Your YubiKey with OpenPGP: Tutorial.
- Kleopatra will be your friend to check what is going on with your key Kleopatra.
- and also a nice video YouTube.
gitconfig:
[user]
email = [email protected]
name = MJendza
signingKey = PUT_YOUR_KEY_HERE
[core]
sshcommand = plink -agent
[gpg]
program = gpg
format = openpgp
[commit]
gpgSign = true
[tag]
forceSignAnnotated = false
[gpg "ssh"]
program = ssh-keygen
allowedSignersFile = ""
Finally, I can use my key to sign commits and push them to GitHub.
The result:
1Password
As my basic stack to support me in not repeating the same password in multiple places, I decided to use 1Password. I decided to test SSH support with 1Password. So now I can use SSH key stored with 1Password to connect to my resources - like Ubuntu VM in Azure.
I am fully in love with the VC Code and Remote SSH Development. I can connect to the remote resources and work with my sandboxes and proof of concepts without any issues and with a single place of key storage.
Please follow the instructions from VC Code documentation link
Setup
- Please follow the instruction from 1Password link
- OpenSSH Agent is required
sample ssh config:
Host raspberry-pi
HostName 192.168.200.50
User pi
IdentityAgent ~/.1password/agent.sock
1Password CLI
I started testing 1Password CLI - I can use it to manage my service principals and other secrets. Please check the instructions link.
The most important is to use secrets - create environment variables and use them in a .Net application - in my case, it is a console application to set up Azure AD B2C configuration for the tenant. Please check the documentation.
Summary
I now use two places with credentials - Yubikey and 1Password. For anything I need, the password source of true is 1Password. With Yubikey, I protect access to organizational resources like Entra ID, but please remember that I need to have a backup key or password as a backup.