South Africa On Lockdown - Coronavirus - Update!

Michael Loftis mloftis at wgops.com
Mon Mar 23 23:37:21 UTC 2020


On Mon, Mar 23, 2020 at 4:53 PM Sabri Berisha <sabri at cluecentral.net> wrote:
>
> Hi,
>
> In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>
> Thanks,

This is an artifact of a poor implementation, not of a Yubikey or any
other security.  Yubikeys support MANY methods of authentication.  I
have a number of them; a couple of them are set up for TOTP (using
Yubico Authenticator), FIDO (native), and use the GPG functionality
for ssh public key auth via agent.  Pre-generating or replaying will
not work with any of those methods.

So saying "Yubikeys are not very secure" is very incorrect.  The
specific deployment decisions weren't great in your specific case.
Any OTP system based on incrementing counters could be abused in this
manner if the OTP keys can be generated rapidly and saved.  TOTP is
the common method for solving this with 2FA.  Yubikeys also support a
number of challenge/response-type authentications (which is
effectively what my GPG setup does, and what FIDO sort of does).


