
Thread: I got a new Yubikey 4 - Are you interested in staying secure online?

  1. #1 techwg (Flashaholic*) | Join Date: May 2007 | Location: United Kingdom | Posts: 1,262

    I got a new Yubikey 4 - Are you interested in staying secure online?

    https://www.youtube.com/watch?v=0sPBr8Yt6pU

    This video covers my thoughts on the new Yubikey 4, what it's used for, what I use it for, why I like it etc.

    Basically its main purpose is two-factor authentication, but there are quite a few uses for these new ones. You may find it interesting if you are unaware of these little USB thumbdrive-looking things.

  2. #2 Flashaholic* | Join Date: Jul 2016 | Location: Bergen, Norway | Posts: 710

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    I'm a huge fan of these.
    A single key can hold keys for both PGP and SSH (smart-card style, so no extraction of the private key), and still be used for two-factor authentication with FIDO U2F (Google, Dropbox, GitHub and so on, I think also Facebook now?).

    FIDO U2F is a bit special in that it works with the browser (Chrome, Opera and soon Firefox) and links the 2FA check to the domain used in the browser, providing extra security against phishing as well.

  3. #3 vadimax (Flashaholic*) | Join Date: Dec 2015 | Location: Vilnius, Lithuania | Posts: 2,068

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    And what would happen if anyone steals that key? And that “anyone” has physical access to your terminal...

  4. #4 Flashaholic* | Join Date: Jul 2016 | Location: Bergen, Norway | Posts: 710

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    Quote Originally Posted by vadimax:
        And what would happen if anyone steals that key? And that “anyone” has physical access to your terminal...

    With most of the services Yubikeys are used with, it's used with FIDO U2F, which is second-factor authentication, not the whole authentication.

    You can compare it to RSA tokens that spit out random-looking 6- or 8-digit numbers that change over time, and you use it together with a password.

    Compared to that, though, the Yubikey is using stronger cryptography, and you can use a single key with multiple services without the different services knowing it's the same token. It's also stronger in that it signs specifically for the site you're at, providing significant protection against phishing.

    Now, you're right that theft would be an issue, but no more with the Yubikey than an RSA token, and theft of the token alone gets you nowhere.

    It's arguably somewhat safer from theft, because by using the same token with multiple services, you'd be a lot more likely to notice if the token went missing.

    For things like SSH and PGP keys, you have password protection, including an attempt-counter, so the token can wipe itself if too many incorrect attempts are made.

    If an attacker has physical access to the terminal, and sufficient skills and resources, I'd be f*ed no matter what, and that's a bit outside the scope that the Yubikey tries to solve. :-)

    There's an old cliché that "security isn't a product", but it holds true, and it very much applies here. You can't just buy a Yubikey and be secure, but you can use it to significantly upgrade some of the authentication-specific parts of a larger security plan, for example.

  5. #5 vadimax (Flashaholic*) | Join Date: Dec 2015 | Location: Vilnius, Lithuania | Posts: 2,068

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    Well, the next question would be: how do USB keys fit in an environment where USB ports are disabled?

  6. #6 Flashaholic* | Join Date: Jul 2016 | Location: Bergen, Norway | Posts: 710

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    Quote Originally Posted by vadimax:
        Well, the next question would be: how do USB keys fit in an environment where USB ports are disabled?

    If the port is simply disabled (disconnected, for example), then I imagine the Yubikey would still fit physically just fine. :-p

    On a more serious note, if that's a huge concern - physical access to the machine by attackers - then you do have bigger problems.

    I'm not arguing for Yubikeys as an end to all problems, but it's an interesting and significant upgrade for a lot of people and use cases. The majority of people don't disable their USB ports, for example.

  7. #7 techwg (Flashaholic*) | Join Date: May 2007 | Location: United Kingdom | Posts: 1,262

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    They are truly fantastic. I have now bought a Neo, which is their NFC-enabled model. Now I can get my time-based one-time codes (think Google Authenticator app) built into the Yubikeys, and now I can use the Yubico Authenticator app to easily interface with my Yubikey Neo and get my TOTP (one-time passwords) without the actual secret data that is needed to generate them actually being on the phone itself, which could easily get compromised.

    You are right, I think Facebook now supports U2F, but as I trust Facebook and its owner about as much as I do a thief in the night, I could not tell you anything further, as I won't have a Facebook account. There is such a thing as "too" social, and people come out of the woodwork on that site.

    They really have been well designed with strong security in mind. While U2F itself has no secondary protection, in and of itself (the physical Yubikey is all you need), the point is that it is merely a second factor, meaning they still need your password as well. So you can log in with backup methods and revoke your stolen Yubikeys and replace them if desired.

    For example (now that I have set it up already), it is super easy for me to sign a message, by typing my message, copying it, clicking the Kleopatra program and telling it to sign the keyboard, then entering my Yubikey PGP PIN code, which is between 6 and 8 characters long, and it is authenticated and signs the contents, as you will see by the time I have finished typing. Super easy, super secure.


  8. #8 schuster (Flashaholic) | Join Date: Apr 2001 | Location: New Jersey | Posts: 155

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    Quote Originally Posted by techwg:
        https://www.youtube.com/watch?v=0sPBr8Yt6pU

        This video covers my thoughts on the new Yubikey 4, what it's used for, what I use it for, why I like it etc.

        Basically its main purpose is two-factor authentication, but there are quite a few uses for these new ones. You may find it interesting if you are unaware of these little USB thumbdrive-looking things.

    I have the special-edition Verisign-programmed Yubikey which I got to use with the peculiar 2FA that eBay/PayPal implemented. Because third-party merchants use web links to PayPal as a payment processor, this is fraught with problems and rarely works correctly except on eBay itself. They have since de-emphasized physical tokens and are advocating SMS [ugh].

    Recently got a USB/NFC-enabled token when I discovered that my employer's email allows U2F in addition to the usual callback, SMS, and one-time codes. It's a shame that so few services that need 2FA (banks, etc.) rarely implement it. For web browsing it would also be nice if there were more choices in U2F-enabled browsers (currently only Chrome and Opera).

  9. #9 Flashaholic* | Join Date: Jul 2016 | Location: Bergen, Norway | Posts: 710

    Re: I got a new Yubikey 4 - Are you interested in staying secure online?

    Quote Originally Posted by schuster:
        Recently got a USB/NFC-enabled token when I discovered that my employer's email allows U2F in addition to the usual callback, SMS, and one-time codes. It's a shame that so few services that need 2FA (banks, etc.) rarely implement it. For web browsing it would also be nice if there were more choices in U2F-enabled browsers (currently only Chrome and Opera).

    It’s getting there in Firefox as well; it’s basically in testing now.

    I really like the FIDO U2F standard, allowing for a single key to be used with unlimited sites and unlimited accounts at those, without cross-reference, and with built-in anti-phishing. They got a lot of stuff right.
