I'm at 2 out of 4 ports dead now after 1,5 years on a $10 hub so it's not bad :) In addition, it's an iMac and the ports at the back are a nightmare to use. I taped the hub to the 'foot' of the iMac so it's much easier to use.
I don't use this mode though but PIV + PIN.
If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.
Good luck taking my Yubikey and trying to SSH to my kit. Won't do you much good without the PIN that is in my head. ;)
P.S. You can also configure the Yubi to lock and mandate a PUK after too many wrong PINs.
Try being a little nicer. If you feel that the blog post is a waste of your time, here's a revolutionary idea – don't say anything? There are 29 other posts on the front page, maybe one of those other ones will be worth your time.
As it is, the UX of the poster's solution is totally different from yours; it enables a one-time, contactless authentication during login. Yours requires a ton of manual input every time the Yubikey is used for SSH. There is some different in the security models here, but the author's solution is broadly different from yours, and to me, much more convenient (I use a Yubikey with a PIN for work and it's kind of a pain).
That is a falsehood and deserves to be called out.
I don't mind "revolutionary ideas", but don't use your platform to spread FUD.
Thanks for reading, though, and for commenting!
If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.
The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple minutes?
Most places where I use the FIDO feature of Yubi (e.g. Github), you still need to provide username and password. So an abandoned Yubi is still of limited use assuming your password is stored securely.
If you’re the kind of person liable to get personally targeted for nation state level attacks, then you definitely are going to want to unplug your yubikey and keep it on your person. For the rest of us, a hardware 2FA token is enough to protect against a sim swap attack, which is probably enough.
Groups also potentially at risk:
* Targets for industrial espionage (you might not be interesting but your employer is)
* Those believed to hold larger amounts of cryptocurrency
What does make it incredibly dangerous is that it also applies for eg “sudo”: if you don’t have any additional protection, it effectively means that any exploit in any app can be immediately extended to a local privilege escalation, as there is no additional protection in place.
In other words, be careful what you wish for. :)
Maybe yes, maybe no. Do you have a backup YubiKey? If so, then you need to keep it in a separate location (i.e. don't defend against losing your keys by putting both your primary and your backup on the same physical keychain). Are you putting it in a safe? What safe can you buy that is sufficient protection against nation-state level attacks? How often do you check your safe to make sure that your backup hasn't been stolen? What process do you have in place to revoke and replace your backup YubiKey in case you do discover that the backup has been stolen (do you have a list of every website at which you ever enrolled the backup, and how do you safeguard the list)?
IMO unless you are very seriously paranoid, you buy a "nano" in-slot YubiKey if your usage pattern targets a single machine, and a keychain YubiKey (with NFC) if you need portability between, say, your work laptop, your home desktop, and your phone. It's not a question of security but of your usage pattern.
Even after the edit at the top regarding PIN it still seems to not get the main point of a U2F token: It's physical. It's incredibly hard to extract secrets from it. It's local to where it physically is.
If I have a password then there are probably a couple of services and people that could reasonably get to it either by hacking the service the password unlocks (in storage if its a really insecure service or in transit the next time I log on), or can extract it from my password manager/memory/browser or whatever.
The point of a U2F token for me is to change the number of people who can reasonably authenticate as me from "everyone who has my password" to "everyone who have a physical key I keep within a reasonable distance from me that is incredibly hard to copy and has my password". U2F also validates auth origins quite a lot better than many other methods, although I guess that is not relevant to this argument.
A hardware U2F token is not the end-all be-all security, but it reduces potential attackers a lot.
Anyway, the main thing I wanted to mention is that the use of public key encryption means this is quite different from the device having "my password". Even in the on-device ("resident credential") scenarios the authenticator doesn't have a password which is a shared secret, it actually has a private key which it won't divulge - much better.
Implementation errors by a web site can leak your password, which because it's a shared secret can then be used by adversaries to log in. It's impossible to be sure a site didn't get this wrong, even if you're confident they are competent and well meaning.
In contrast the WebAuthn (and U2F) design doesn't give sites enough information to impersonate you even if they wanted to, only to authenticate you. This is a familiar pattern from public key cryptography, receiving the certificate for news.ycombinator.com allows me to verify this is news.ycombinator.com but not impersonate them. Likewise, when you enroll a FIDO authenticator to use Facebook, Facebook doesn't learn how to impersonate you, even on Facebook, only a way to verify that you still have that authenticator. [And the design is even more careful, it uses completely independent credentials for each site, so when Microsoft bought GitHub they actually could not merge the FIDO-based authentication between GitHub and Microsoft properties, even if they thought that was a good idea it's deliberately impossible. ]
If you are talking plain USB mass storage for keys I disagree.
Edit: Lenovo Yoga, Lenovo X1 Carbon have NFC too.
Edit 2: Dell Precision 7750 also offers it.
Edit 3: Models with pre-installed NFC module are very scarce, this site [0] lists only 204 occurrences among 7136.
Sadly, it’s slow and unreliable.
But I’m also a pragmatist. While I run Linux everywhere I reasonably can, my daily driver is macOS and I can’t help but wonder if a fingerprint reader would be a better solution.
On my Mac, the fingerprint reader can unlock the system immediately and works across the operating system for root access, including sudo. (There’s a pam module.)
Locking can be done OS-wide using a keystroke (Cmd+Crtl+Q), touchbar button, or by closing the lid.
Windows has had similar capabilities far longer than macOS.
The stock OS is ready out of the box with a full suite of integrated applications. While there are better versions of all of them, most are high quality. Though, I haven’t found a PDF reader better than Preview and Apple Notes is very hard to beat as a general note taking tool.
The base OS has color syncing. I was able to hook up a professional grade printer, have the OS automatically install the drivers, and produce color accurate prints using Preview. The system print dialog allowed me to fully configure the printer. No specialized tools required. There’s even an iOS app that can do the same thing in a more limited fashion.
Never had a driver issue or had to modify a configuration file to get hardware to work properly. (Have done GUI tweaks via defaults.)
When it comes to specialized applications, there are a lot of excellent applications written specifically for macOS. Some come with iOS apps. (1Password is high on my list.)
Due to the industries I work in, Microsoft Office is a hard requirement. Libre Office is not an option.
Time machine has no equal when it comes to backups and restoring to new hardware. I haven’t done a clean install since 2008. In two hours I can completely clone my current machine.
This is just a few of the many reasons I use macOS. Frankly, they are more important to me than openness of platform or deep control of my devices.
That does not mean I don’t appreciate Linux. I love Linux. There is nothing better for servers than Linux. I have older laptops loaded with Linux but they are a hobby for me.
Linux fills a very important place in the world. Frankly, the world needs open operating system and people who enjoy using it. But I have neither the time, expertise, or inclination to do so on my primary machine.
Also, please sign your git commits.
[1] https://support.microsoft.com/en-us/help/4028111/windows-loc...
I wonder if there is something like pam_piv? I use PIV already for Mac & Windows... Suppose I should look for it myself :)
Don’t forget to set a password also for the YubiKey Authenticator app. Otherwise I believe anyone who has your key would see the websites with which you have Fido U2F and use it.
From what I can see YubiKey Authenticator is a TOTP authenticator. So that's completely orthogonal to U2F (and less safe, although more familiar to users who have things like Google Authenticator)
With U2F non-resident credentials don't leave any trace. If somebody has stolen a working authenticator they'd need to guess sites at which its non-resident credentials would be valid and then try it.
The way we use them at Google, the keys are associated to particular machines and human accounts. You can't just remove a key from one machine and stick it into something else. It is the combination of the machine and the key that is enabled. A key can be deregistered/wiped, and assigned to a different machine...but you need to be properly logged in to make that happen. In the context of a corporation that is relatively straightforward, but perhaps for personal use it is less so. Actually, without the right infrastructure in place, it's quite likely to be a lot more complicated.
There's something strange going on here, like this article was written by AI or something. It's using words out of context, or just making plainly/obviously false statements.
