[lug] Yubikey

Davide Del Vento davide.del.vento at gmail.com
Wed Oct 13 08:34:47 MDT 2010


> Anybody care to comment on this?  Some fedora projects are adding
> support for it.
>
> http://yubico.com/products/yubikey/

I guess you know "everything" or at least "enough" on the OTP (one
time passwords), so I'd skip that part.

I am a user of yubikey and I think they are a great product. I don't
know the details (and thus the security) of the algorithm they
implement, but since it has been picked by our (super-paranoid, I'd
say) security group, I assume it's very sound.
From the user perspective, it's much more convenient than any other
OTP device I've used in the past, or I am using now. In fact yubis
are:

1) smaller and lighter than a regular door chain, it's always with me.
2) fit on any device that accepts a USB keyboard (which means any
device I care about, but if you care about an iPhone, you are
out-of-luck, not sure about androids - actually I'd love to hear: does
an android phone accept an external USB keyboard?) There isn't any
weird windows-only driver to install.
3) very fast and convenient to use: just plug it in and push the button!
It even sends the "enter" at the end of the password!

Just as a comparison, other OTP devices I used were:
a) bulkier (one was like a small table calculator, a few others are
like a large car key)
b) some required driver installation, which made them unsuitable for
internet cafes and/or my linux laptop (actually I never used those,
that requirement was a deal breaker for me)
c) some require a password to be typed on the device's tiny keyboard
d) some require the password to be copied from the device display to
the computer, on some you even have to be quick enough because the
password expires every few seconds!

In conclusion, I'm pretty happy with the yubi.

Ah, one last thing: in the default setting, the yubikey has the whole
OTP in it, which means if somebody gets it they just need to know your
username and they can access your machine. On our systems they
configured a "prefix" to the password, so I first type this prefix on
the keyboard, then the yubi "completes" the OTP. Somebody that gets
physical possession of the yubi needs to know your username and prefix
(basically a password) before they can make any use of it.

HTH,
;Dav
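
Added example (not part of the original message, and not the code of Yubico or of the site described above): a sketch of how a login check can separate a typed prefix from the OTP the key appends, and refuse the key on its own. It assumes the standard Yubico OTP format of 44 modhex characters starting with a 12-character key ID; the function names, the account record and fake_validator (a stand-in for the real OTP validation service) are hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"   # alphabet Yubico OTPs are typed in
OTP_LEN = 44                  # 12-char key ID + 32-char one-time part
ID_LEN = 12


def hash_prefix(prefix, salt):
    """Verifier stored for the memorised prefix, so it is never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", prefix.encode(), salt, 100_000)


def split_credential(typed):
    """Split what arrived in the password field into (prefix, otp).

    The OTP has a fixed length, so it is always the tail of the input.
    """
    typed = typed.rstrip("\r\n")  # the key presses Enter after the OTP
    if len(typed) < OTP_LEN:
        raise ValueError("too short to contain an OTP")
    prefix, otp = typed[:-OTP_LEN], typed[-OTP_LEN:]
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("tail is not a modhex OTP")
    return prefix, otp


def check_login(typed, account, verify_otp):
    """Accept only when the prefix, the key ID and the OTP all check out."""
    try:
        prefix, otp = split_credential(typed)
    except ValueError:
        return False
    prefix_ok = hmac.compare_digest(
        hash_prefix(prefix, account["salt"]), account["prefix_hash"])
    id_ok = hmac.compare_digest(otp[:ID_LEN], account["key_id"])
    # The OTP reaches the validator only after the typed prefix has passed.
    return prefix_ok and id_ok and verify_otp(otp)


# Constructed sample data: account record, OTP string, in-memory validator.
SALT = b"constructed-salt"
ACCOUNT = {"salt": SALT, "prefix_hash": hash_prefix("tr0ub4dor", SALT),
           "key_id": "cccccccbdefg"}
SAMPLE_OTP = ACCOUNT["key_id"] + MODHEX * 2
_seen = set()


def fake_validator(otp):
    """Stand-in for the real OTP validation service: accepts each OTP once."""
    if otp in _seen:
        return False
    _seen.add(otp)
    return True
```

With this check, pressing the key's button without typing the prefix first fails in the same way as a wrong password, and a replayed OTP is rejected by the validator.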


