[lug] Yubikey

Davide Del Vento davide.del.vento at gmail.com
Wed Oct 13 13:06:46 MDT 2010


Hi.

>>> http://yubico.com/products/yubikey/
>> 1) smaller and lighter than a regular door chain, it's always with me.
> So the bad guys know right where to find it. :-)

But I don't use Google Latitude or the likes, so it might be harder to
find me (well, not *that* hard, but at least it is not broadcast to
the world in real time).

>> 3) very fast and convenient to use: just plug it in and push the button!
>> It even sends the "enter" at the end of the password!
> That pushbutton just triggers it to send the OTP, right?  It's not
> biometric based?

Exactly. Actually it isn't push-button but capacitive-button, so no
moving parts to break.

>> Just as a comparison, other OTP devices I used were:
>> a) bulkier (one was like a small table calculator, a few others are
>> like a large car key)
>
> I have a number of customers who require the "large car key" variety and
> one that has the "calculator" variety.  They all seem to work fine.

They do. They just have a less convenient workflow for me: possibly a PIN
to type on the device, then read the spit-out, then type it on the
keyboard, hoping it has not expired (and often the phone rings,
somebody shows up at the door, etc).
With the Yubi you type the fixed part of the password, then just plug in and
"push". Much quicker to do, quicker than just typing a full strong
password (not so much to say, I know).
Like Vince said, if you do this once or twice a day, it doesn't
matter. If you do that dozens of times, it does.

>> d) some require the password to be copied from the device display to
>> the computer, on some you even have to be quick enough because the
>> password expires every few seconds!
>
> More like 20-30 seconds.  It's not THAT fast.

It has been an issue for me several times. Maybe different settings.

>> Ah, one last thing: in the default setting, the yubikey has the whole
>> OTP in it, which means if somebody gets it they just need to know your
>> username and they can access your machine. On our systems they
>> configured a "prefix" to the password, so I first type this prefix on
>> the keyboard, then the yubi "completes" the OTP. Somebody that gets
>> physical possession of the yubi needs to know your username and prefix
>> (basically a password) before they can make any use of it.
>
> All of my customers have always required the PIN on all of these
> devices.

The "prefix" solves this problem. Without it, the device is useless,
as far as I can tell. Requiring a PIN on the device only makes it
larger (for the need of the keyboard).

> Kinda silly overall, though... basically the move from passwords to keys
> just means that the bad guys have to get ahold of the key, and the
> easiest way to do that... is to get ahold of YOU.  A gun to your head,
> you'll hand over the key AND the PIN... and if it had biometrics, swipe
> your finger (or they'd cut it off and use it anyway)...

I don't see it this way. First, it's a more serious offense, and has
more serious risk (for the criminal) and harsher punishments in most
countries.
Second, somebody considering this option can do so regardless of your
auth method: a gun to your head just to ask the "too strong to be
guessed" password.
Third, if they have physical access, they'll probably install a
rootkit (or maybe a hw sniffer) on your machine and do a
man-in-the-middle.
Last, but not least, yubi must be based on some math algorithm that
might be broken, or might have bugs or anything (hell, it happened to
ssh in debian!) so that might be the preferred course of action for
somebody sitting in some tropical lawless haven.

> Most networks and things the vast majority of us access, aren't worth
> much more than a strong password.

A problem is that a strong password shouldn't be "shared" among
different services. And most of us (for sure myself) use so many
services that it's very, very hard to cope with that number of strong
passwords (or is it just me getting old and having troubles with
memory?)
Have you ever hated it when a random useless website refuses your
weak-but-easy-to-remember-and-then-it's-just-a-comment-to-this-crappy-blog-so-who-cares
password and forces you to create a strong one, which you'll forget
after 30 seconds and cannot comment anymore on that blog? (I'm not
saying that they should use OTP, I'm saying they should care if people
use weak passwords)

OTP is a great way of having a non-shared, enforced strong password
that's easy to remember.

What I do with the yubi has less (monetary) value than my third-hand
car, so the gun-to-my-head guy would rather want the larger key
instead - I guess this could be different for others.

Bye,
Dav
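The prefix-plus-OTP setup discussed in the thread, as an added example (not code from the original mail, from Yubico, or from the list): a login check that only accepts a YubiKey OTP when the typed prefix matches and the OTP's public ID is the key enrolled for that user, so possession of the key alone gets "rejected". The modhex alphabet and the 12+32 character OTP layout are real; the user record, the salt, the prefix hashing and the `validate_otp` callable standing in for the OTP validation server are assumptions.

```python
import hashlib
import hmac

# Modhex: the keyboard-layout-independent alphabet a YubiKey types (16 symbols).
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44             # 12-char public ID + 32-char encrypted token
PUBLIC_ID_LEN = 12
SALT = b"constructed-salt"   # constructed; use a random per-user salt in practice


def modhex_decode(text):
    """Decode a modhex string to bytes; ValueError if it is not modhex."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[::2], nib[1::2]))


def hash_prefix(prefix):
    """Slow hash of the typed prefix, so a stolen user table does not reveal it."""
    return hashlib.pbkdf2_hmac("sha256", prefix.encode(), SALT, 100_000)


def verify_login(username, submitted, users, validate_otp):
    """Return 'ok' or a reason (for the log; show the user one generic error)."""
    user = users.get(username)
    # A bare OTP (no prefix) is the "default setting" case: reject it outright.
    if user is None or len(submitted) <= OTP_LEN:
        return "rejected"
    prefix, otp = submitted[:-OTP_LEN], submitted[-OTP_LEN:]   # OTP is typed last
    try:
        modhex_decode(otp)
    except ValueError:
        return "malformed otp"
    # Knowledge factor: constant-time compare so timing does not leak the prefix.
    if not hmac.compare_digest(hash_prefix(prefix), user["prefix_hash"]):
        return "bad prefix"
    # Possession factor, part 1: the OTP must come from the key enrolled for this user.
    if otp[:PUBLIC_ID_LEN] != user["public_id"]:
        return "wrong key"
    # Possession factor, part 2: decrypting and replay-checking the 32-char token
    # needs the key's AES secret and counters, so it is delegated to a validation
    # service (here an injected callable, an assumption of this example).
    if not validate_otp(otp):
        return "otp rejected"
    return "ok"


# Constructed sample user: prefix "corr3ct-horse", enrolled key public ID "cccccccccccc".
USERS = {"dav": {"prefix_hash": hash_prefix("corr3ct-horse"),
                 "public_id": "cccccccccccc"}}
```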
