<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 23, 2020 at 18:50 William Herrin <<a href="mailto:bill@herrin.us">bill@herrin.us</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <<a href="mailto:warren@kumari.net" target="_blank">warren@kumari.net</a>> wrote:<br>
> Well, yes and no. With a Yubiikey the attacker has to be local to<br>
> physically touch the button[0] - with just an SSH key, anyone who gets<br>
> access to the machine can take my key and use it. This puts it in the<br>
> "something you have" (not something you are) camp.<br>
<br>
Hi Warren,<br>
<br>
They're both "something you have" factors. The yubi key proves<br>
possession better than the ssh key just like a long password proves<br>
what-you-know better than a 4-digit PIN. But the ssh key and the yubi<br>
key are still part of the same authentication factor.<br>
<br>
<br>
> Not really -- if an attacker steals my laptop, they don't have the<br>
> yubikey (unless I store it in the USB port).<br>
<br>
You make a habit of removing your yubi key from the laptop when nature<br>
calls? No you don't.<br>
<br>
<br>
> If they *do* steal both,<br>
> they can bruteforce the SSH passphrase, but after 5 tries of guessing<br>
> the Yubikey PIN it self-destructs.<br>
<br>
What yubikey are you talking about? I have a password protecting my<br>
ssh key but the yubikeys I've used (including the FIPS version) spit<br>
out a string of characters when you touch them. No pin.<br>
</blockquote><div dir="auto"><br></div><div dir="auto">The yubikey does many things depending on how it’s configured. None of mine use the touch to spit out OTP mode, that is the factory mode though yes. Other modes can be password protected (it uses the PIN nomenclature which is confusing, it definitely accepts ASCII and nay even take binary data as a PIN depending on mode of operation) — it can present as industry standard smart card ( I have one with a pin/password for code signing in Visual Studio f/ex...along with a backup kept locked elsewhere)</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Regards,<br>
Bill Herrin<br>
<br>
<br>
-- <br>
William Herrin<br>
<a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a><br>
<a href="https://bill.herrin.us/" rel="noreferrer" target="_blank">https://bill.herrin.us/</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br>"Genius might be described as a supreme capacity for getting its possessors<br>into trouble of all kinds."<br>-- Samuel Butler<br></div>