[lug] GitHub+Yubico, FIDO U2F token discount

Davide Del Vento davide.del.vento at gmail.com
Mon Oct 5 12:03:52 MDT 2015


Hey Rich,

The special github yubikeys are totally sold out, but there is 20% off
any regular yubikey. I'm familiar with the yubikey OTP, but I'm not
with this FIDO U2F. At first it sounded to me like it is just a really
long, second password that you don't have to type (like the OTP is the
first, equally long password, that you don't have to type and second,
it changes every time). But then it says something like "it performs
cryptographic functions triggered by a simple touch of the key [...]
required for login", which sounded OTP-like but based on an input
instead of an implicit sequence count. I could not find any decent
documentation about this, do you have any recommended readings? For
example, how is this input sent to the yubikey? What is it really
about? How can it be that "you have an unlimited number of U2F
credentials on these YubiKeys that support the U2F protocol" as the
FAQ says?

Thanks,
Davide

On Sun, Oct 4, 2015 at 12:17 PM, Richard Johnson <rdump at river.com> wrote:
> If you participate in open source projects that use GitHub, or you're even a
> bit of a crypto geek, this is a cool opportunity for an inexpensive but
> quite durable [1] hardware 2nd factor.
>
>   https://www.yubico.com/github-special-offer/
>
> http://www.wired.com/2015/10/github-moves-past-password-make-open-source-secure/
>
> GitHub has announced they're supporting FIDO U2F as a 2nd factor on logins
> to their web service. It's working now via recent versions of
> Chromium/Chrome only, but Mozilla has an open feature issue for adding
> support.
>
> Even better, they have a serious discount ($5+$5 shipping) on Yubico's
> otherwise $18 FIDO U2F-only USB tokens (complete with OctoCat logo so you
> can tell them apart ;) ). They'll be usable on GitHub and increasingly
> widely beyond.
>
> While I'm still wanting a fully open source s/w + h/w implementation of FIDO
> U2F on a secure base (Nitrokey, eventually?), this will do for now. $5 is in
> "might as well get some to experiment with" range for me.
>
>
> Rich
>
> -------
> [1] I once found a lost basic Yubikey after it had spent 3 weeks freezing
> every night in a puddle of muddy snowmelt. It still works fine. These Yubico
> FIDO U2F models have the same construction.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety

