TL;DR

Please stop using passwords. My stack is based on Yubikey and 1Password. Can I be a passwordless team member? Check my journey and answer the question. I improved my security with the following steps:

  • Entra ID accounts without a password,
  • extended security on GitHub with a GPG key,
  • moved the SSH keys to 1Password,
  • started using 1Password CLI to access secrets for service principals.

Big Picture

Only Keys

Yubikey

I started my journey with the Blue Yubikey. After a couple of weeks, I noticed two issues:

  • I need to have a minimum of two keys (one for backup) - I lost one key and needed help accessing my resources.
  • Oh no - there are other keys in the Yubico portfolio - with GPG support - I think I need another key - or keys.

I decided to buy a new one (yes, two of them :)) - Yubikey 5 series.

Passwordless Entra ID

No-Password-At-All

  • Now I have passwordless access to Entra ID tenants (only those with FIDO2 authentication enabled) link

There are only a couple of steps to enable it (with the Authentication Policy Administrator role):

  • Browse to Protection > Authentication methods > Authentication method policy.
  • Select the FIDO2 security key method, switch Enable to Yes, and target All users or a selected group.
  • Click Save.

The policy only allows the method; each user still has to register their own key under Security info (https://mysignins.microsoft.com/security-info), so self-service registration must stay allowed. Do it for the backup key as well, otherwise losing the first key means an admin has to rescue the account.
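The same change done from PowerShell with the Microsoft Graph SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds the Authentication Policy Administrator role; the "all_users" target and the attestation setting are choices shown here, not something the post states.

```powershell
# Added example (not from the original post): enable the FIDO2 security key
# method through Microsoft Graph instead of clicking through the portal, then
# read the policy back as a check. Needs the Policy.ReadWrite.AuthenticationMethod scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true    # users register their own key under Security info
    isAttestationEnforced            = $true    # reject keys whose attestation Microsoft cannot verify
    includeTargets                   = @(
        # "all_users" = every user in the tenant; use a security group's object id to pilot first
        @{ targetType = "group"; id = "all_users" }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

# Check: the configuration must come back enabled and targeted at what you set
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($cfg.state -ne "enabled") { throw "FIDO2 method is still '$($cfg.state)'" }
"FIDO2 enabled; attestation enforced: $($cfg.isAttestationEnforced); targets: " +
    (($cfg.includeTargets | ForEach-Object { $_.id }) -join ", ")
```

Piloting with a group first is the safer order: enable for a test group, register both YubiKeys, sign in with each, and only then widen the target to all users.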

Gpg key for GitHub

It was not easy for me - but within a couple of hours, I could use my Yubikey to store my GPG key and use it with GitHub. Now I can sign all commits with my key:

  • I can meet the requirements of the GitHub commit signing policy
  • In addition, I can do that with remote development - use my key with the RDP session and sign commits (so the USB key is forwarded to the remote - how nice)
  • Using Your YubiKey with OpenPGP: Tutorial.
  • Kleopatra will be your friend to check what is going on with your key Kleopatra.
  • and also a nice video YouTube.

gitconfig:

[user]
    email = [email protected]
    name = MJendza
    # long key id or fingerprint of the signing key that lives on the YubiKey
    signingKey = PUT_YOUR_KEY_HERE
[core]
    # PuTTY's plink with Pageant agent forwarding (Windows); omit on Linux/macOS
    sshCommand = plink -agent
[gpg]
    # Gpg4win's gpg; gpg-agent prompts for the card PIN on the first signature
    program = gpg
    format = openpgp
[commit]
    # sign every commit, so the GitHub signing policy is met without -S
    gpgSign = true
[tag]
    forceSignAnnotated = false
[gpg "ssh"]
    # only consulted when gpg.format = ssh; harmless with openpgp
    program = ssh-keygen
    allowedSignersFile = ""

Finally, I can use my key to sign commits and push them to GitHub. The result: Signed Commit
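The checks I would run after this setup, as an added example (not the author's code): confirm gpg sees the card, confirm the private key is only a stub on disk, confirm git points at the same key, export the public half for GitHub, and audit recent commits for signature status. It assumes Gpg4win's gpg and git are on PATH and that user.signingkey holds a hex key id or fingerprint; the function name is mine.

```powershell
# Added example (not from the original post): verify the YubiKey-backed signing
# setup end to end. Assumes gpg (Gpg4win) and git are on PATH.

# 1. The card must be visible to gpg; the "Signature key ....:" line shows the
#    fingerprint of the key in the card's signature slot.
gpg --card-status

# 2. In the secret key listing, "ssb>" (note the ">") means the private subkey
#    is only a stub pointing to the card; "ssb" without ">" means it is on disk.
gpg --list-secret-keys --keyid-format=long

# 3. Git must reference the same key and the same gpg binary.
$keyId = git config --global --get user.signingkey
git config --global --get gpg.program

# 4. Public key to paste into GitHub > Settings > SSH and GPG keys > New GPG key.
gpg --armor --export $keyId | Set-Clipboard

# 5. Audit the last N commits. %G? is G (good), U (good, key not trusted),
#    B (bad), N (unsigned), E (could not be checked); %GF is the fingerprint of
#    the signing (sub)key, %GP the fingerprint of its primary key.
function Test-CommitSignatures {
    param([int]$Count = 10, [string]$ExpectedKey = $keyId)
    # assumption: user.signingkey is a hex key id or fingerprint, so it is a
    # suffix of either the subkey or the primary key fingerprint
    $expected = ($ExpectedKey -replace '^0x', '' -replace '!$', '').ToUpper()
    git log -n $Count --format='%H%x09%G?%x09%GF%x09%GP%x09%s' | ForEach-Object {
        $hash, $status, $fpr, $primary, $subject = $_ -split "`t", 5
        [pscustomobject]@{
            Commit  = $hash.Substring(0, 12)
            Status  = $status
            Signer  = $fpr
            Ok      = ($status -in 'G', 'U') -and
                      ($fpr.ToUpper().EndsWith($expected) -or $primary.ToUpper().EndsWith($expected))
            Subject = $subject
        }
    }
}
Test-CommitSignatures -Count 10 | Format-Table -AutoSize
```

Any row with Ok = False is either unsigned, signed with a key other than the one on the card, or not verifiable on this machine (for example a colleague's key that is not in your keyring), which is exactly what the GitHub "Verified" badge would also show.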

1Password

As my basic stack to support me in not repeating the same password in multiple places, I decided to use 1Password. I also decided to test the SSH support in 1Password. So now I can use an SSH key stored in 1Password to connect to my resources - like an Ubuntu VM in Azure.

I am fully in love with VS Code and Remote SSH Development. I can connect to the remote resources and work with my sandboxes and proofs of concept without any issues and with a single place of key storage.

Please follow the instructions from the VS Code documentation link

Setup

  • Please follow the instructions from 1Password link
  • OpenSSH (with its agent support) is required

sample ssh config (~/.ssh/config):

Host raspberry-pi
  HostName 192.168.200.50
  User pi
  # Linux/macOS: point ssh at the 1Password agent socket. On Windows, 1Password
  # serves the OpenSSH named pipe \\.\pipe\openssh-ssh-agent instead, so this
  # line is omitted and the built-in ssh-agent service must be stopped.
  IdentityAgent ~/.1password/agent.sock
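How to confirm that 1Password, not the Windows agent, is the one answering ssh, as an added example that is not part of the original post. It assumes 1Password 8 with the SSH agent enabled and the Windows OpenSSH client installed; the host alias matches the config above.

```powershell
# Added example (not from the original post): check which SSH agent is in use
# before trusting a connection, then connect through 1Password.

# On Windows, 1Password listens on \\.\pipe\openssh-ssh-agent. If the built-in
# ssh-agent service is running it owns that pipe first and 1Password's keys
# never show up, so stop and disable it (needs an elevated shell).
$svc = Get-Service ssh-agent -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Warning "Windows ssh-agent is running; run as admin: Stop-Service ssh-agent; Set-Service ssh-agent -StartupType Disabled"
}

# Keys offered by the agent should be exactly the SSH keys in your 1Password
# vault. Only public keys are listed; the private halves never leave 1Password.
ssh-add -L

# Effective configuration ssh will apply for the host alias
ssh -G raspberry-pi | Select-String '^(hostname|user|port|identityagent)\b'

# Connect; -v shows which key was offered and 1Password prompts for approval
ssh -v raspberry-pi 'hostname'
```

If ssh-add -L prints "The agent has no identities" while 1Password shows keys in the vault, the service above is the usual cause; on Linux the same symptom usually means IdentityAgent is missing from the config or the socket path is wrong.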

1Password CLI

I started testing 1Password CLI - I can use it to manage my service principals and other secrets. Please check the instructions link.

The most important part is to use secrets - create environment variables and use them in a .NET application - in my case, it is a console application to set up the Azure AD B2C configuration for the tenant. Please check the documentation.
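One way to wire this up, as an added example that is not the author's code: the .env file holds 1Password secret references rather than values, op run resolves them into the environment of the child process only, and the .NET app reads ordinary environment variables. It assumes op (CLI v2) is signed in and that a vault named Azure holds an item b2c-setup-sp with fields tenant_id, client_id and client_secret; all of those names and the project path are placeholders.

```powershell
# Added example (not from the original post): feed a service principal's
# credentials to a .NET console app through 1Password CLI, so the secret never
# lands in a file, in shell history, or in the shell's own environment.

# Secret references, not secret values: this .env file is safe to commit.
@'
AZURE_TENANT_ID=op://Azure/b2c-setup-sp/tenant_id
AZURE_CLIENT_ID=op://Azure/b2c-setup-sp/client_id
AZURE_CLIENT_SECRET=op://Azure/b2c-setup-sp/client_secret
'@ | Set-Content -Path .env -Encoding ascii

# Check that every reference resolves before running the app. The value is
# consumed by the if-test and not printed.
Get-Content .env | ForEach-Object {
    $name, $ref = $_ -split '=', 2
    "$name -> " + $(if (op read $ref --no-newline) { 'resolves' } else { 'MISSING' })
}

# op resolves the references into the child process's environment only.
op run --env-file=.env -- dotnet run --project .\B2cSetup\B2cSetup.csproj

# op run also masks those values if the child echoes them, so a leak via
# logging shows up as <concealed by 1Password> instead of the secret.
op run --env-file=.env -- powershell -NoProfile -Command 'Write-Output $env:AZURE_CLIENT_SECRET'
```

With exactly these variable names, Azure.Identity's EnvironmentCredential (and therefore DefaultAzureCredential) picks the service principal up without any secret-handling code in the application, and rotating the secret is a change in the 1Password item only.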

Summary

I now use two places for credentials - Yubikey and 1Password. For anything I need, the password source of truth is 1Password. With the Yubikey, I protect access to organizational resources like Entra ID, but please remember that I need to have a backup key or password as a backup.