[lug] Yubikey

Nate Duehr nate at natetech.com
Wed Oct 13 11:38:33 MDT 2010


On 10/13/2010 8:34 AM, Davide Del Vento wrote:
>> Anybody care to comment on this?  Some fedora projects are adding
>> support for it.
>>
>> http://yubico.com/products/yubikey/
> 1) smaller and lighter than a regular door chain, it's always with me.
So the bad guys know right where to find it. :-)

> 2) fits on any device that accepts a USB keyboard (which means any
> device I care about, but if you care about an iPhone, you are
> out of luck, not sure about androids - actually I'd love to hear: does
> an android phone accept an external USB keyboard?) There isn't any
> weird windows-only driver to install
It's a good thing they're OTPs, since sniffing a USB keyboard is pretty 
easy. :-)

> 3) very fast and convenient to use: just plug it in and push the button!
> It even sends the "enter" at the end of the password!

That pushbutton just triggers it to send the OTP, right?  It's not 
biometric-based?


> Just as a comparison, other OTP devices I used were:
> a) bulkier (one was like a small table calculator, a few others are
> like a large car key)

I have a number of customers who require the "large car key" variety and 
one that has the "calculator" variety.  They all seem to work fine.  
They don't plug into the machine, you just read the rotating numbers on 
the screen.

> b) some required driver installation, which made them unsuitable for
> internet cafes and/or my linux laptop (actually I never used those,
> that requirement was a deal breaker for me)

Never seen any that plugged in before this one, here.  YMMV.
> c) some require a password to be typed on the device's tiny keyboard

The calculator one requires that here.
> d) some require the password to be copied from the device display to
> the computer, on some you even have to be quick enough because the
> password expires every few seconds!

More like 20-30 seconds.  It's not THAT fast.  There's a countdown bar 
on the side of most of them, if it's about to expire, you just wait.  
I've also noticed that most servers are tolerant of using the previous 
or next one for a minute or so, configurable by the security admins.

> In conclusion, I'm pretty happy with the yubi.

Seems like it would work pretty well.  They're careful not to list 
pricing on their website, as best as I could tell.

> Ah, one last thing: in the default setting, the yubikey has the whole
> OTP in it, which means if somebody gets it they just need to know your
> username and they can access your machine. On our systems they
> configured a "prefix" to the password, so I first type this prefix on
> the keyboard, then the yubi "completes" the OTP. Somebody that gets
> physical possession of the yubi needs to know your username and prefix
> (basically a password) before they can make any use of it.

All of my customers have always required the PIN on all of these 
devices.  Follows two of the three basic rules of authentication:

1) Something you know. (Password, PIN, whatever)
2) Something you are. (Biometrics)
3) Something you have. (the key fob)

Most leave out #2.

My Lenovo laptop has a fingerprint reader, but it's been proven to be 
weak sauce and easily tricked via various methods.

:-)

Fun discussion.

Kinda silly overall, though... basically the move from passwords to keys 
just means that the bad guys have to get ahold of the key, and the 
easiest way to do that... is to get ahold of YOU.  A gun to your head, 
you'll hand over the key AND the PIN... and if it had biometrics, swipe 
your finger (or they'd cut it off and use it anyway)...

So... not sure what real security these provide.  Instead of the bad 
guys being script kiddies banging on multiple passwords and usernames, 
now the bad guys just have to throw you in the back of a van and they 
have everything they need.  Not sure that's really "security", but it is 
good security theater and it appeals to geeks and geek bosses who think 
the key fob is "cool".

Cost vs. reward... if you have access to any data that would be worth 
someone throwing you in the back of a van for a few hours, along with 
the associated risks, these aren't the appropriate solution.  It's all 
economics.

Most networks and things the vast majority of us access, aren't worth 
much more than a strong password.  Certainly they're NOT worth adding 
the risk that an employee would be kidnapped for their key fob.

Nate


