[lug] GitHub+Yubico, FIDO U2F token discount

Quentin Hartman qhartman at gmail.com
Mon Oct 5 14:49:25 MDT 2015


I haven't yet read that doc in detail since I'm at work, but where do you
think the security is lacking?

On Mon, Oct 5, 2015 at 2:31 PM, Davide Del Vento <davide.del.vento at gmail.com> wrote:

> That wasn't what I was looking for, but it led me to
>
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html
> which still isn't what I am looking for, but contained much more tech
> details than anything I've seen before. I still have questions, and
> the document demonstrates that this isn't as secure as I thought it
> was, but it's still progress.
> Thanks
> Davide
>
> On Mon, Oct 5, 2015 at 12:26 PM, Quentin Hartman <qhartman at gmail.com>
> wrote:
> > This might be what you are looking for:
> > https://fidoalliance.org/specifications/overview/
> >
> > On Mon, Oct 5, 2015 at 12:03 PM, Davide Del Vento
> > <davide.del.vento at gmail.com> wrote:
> >>
> >> Hey Rich,
> >>
> >> The special github yubikeys are totally sold out, but there is 20% off
> >> any regular yubikey. I'm familiar with the yubikey OTP, but I'm not
> >> with this FIDO U2F. At first it sounded to me like it is just a really
> >> long, second password that you don't have to type (like the OTP is the
> >> first, equally long password, that you don't have to type and second,
> >> it changes every time). But then it says something like "it performs
> >> cryptographic functions triggered by a simple touch of the key [...]
> >> required for login", which sounded OTP-like but based on an input
> >> instead of an implicit sequence count. I could not find any decent
> >> documentation about this, do you have any recommended readings? For
> >> example, how is this input sent to the yubikey? What is it really
> >> about? How can it be that "you have an unlimited number of U2F
> >> credentials on these YubiKeys that support the U2F protocol" as the
> >> FAQ says?
> >>
> >> Thanks,
> >> Davide
> >>
> >> On Sun, Oct 4, 2015 at 12:17 PM, Richard Johnson <rdump at river.com> wrote:
> >> > If you participate in open source projects that use GitHub, or you're
> >> > even a bit of a crypto geek, this is a cool opportunity for an inexpensive
> >> > but quite durable [1] hardware 2nd factor.
> >> >
> >> >   https://www.yubico.com/github-special-offer/
> >> >
> >> > http://www.wired.com/2015/10/github-moves-past-password-make-open-source-secure/
> >> >
> >> > GitHub has announced they're supporting FIDO U2F as a 2nd factor on
> >> > logins
> >> > to their web service. It's working now via recent versions of
> >> > Chromium/Chrome only, but Mozilla has an open feature issue for adding
> >> > support.
> >> >
> >> > Even better, they have a serious discount ($5+$5 shipping) on Yubico's
> >> > otherwise $18 FIDO U2F-only USB tokens (complete with OctoCat logo so
> >> > you
> >> > can tell them apart ;) ). They'll be usable on GitHub and increasingly
> >> > widely beyond.
> >> >
> >> > While I'm still wanting a fully open source s/w + h/w implementation of
> >> > FIDO U2F on a secure base (Nitrokey, eventually?), this will do for now. $5
> >> > is in "might as well get some to experiment with" range for me.
> >> >
> >> >
> >> > Rich
> >> >
> >> > -------
> >> > [1] I once found a lost basic Yubikey after it had spent 3 weeks
> >> > freezing
> >> > every night in a puddle of muddy snowmelt. It still works fine. These
> >> > Yubico
> >> > FIDO U2F models have the same construction.
> >> > _______________________________________________
> >> > Web Page:  http://lug.boulder.co.us
> >> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
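An added Python sketch (not from anyone on this thread, and not Yubico's code) of the key-handle idea behind the "unlimited credentials" question Davide raises above: the token keeps only one device secret and a use counter, derives a per-site key from the app_id plus a nonce at registration, and hands the site a key handle from which it recomputes that key at login, so nothing per site is stored on the token. Assumptions: the construction mirrors Yubico's published key-wrapping scheme only in outline, and an HMAC with the derived key stands in for the ECDSA P-256 signature so the block runs on the standard library, which means the site here checks with the same key rather than a public key.

```python
import hashlib
import hmac
import os

# Constructed demo secret: the only long-term key material the token holds.
DEVICE_SECRET = b"constructed-device-secret-not-a-real-key"
COUNTER = [0]  # monotonic use counter, the one mutable state on the token


def _site_key(app_id, nonce):
    """Per-relying-party key, recomputable from app_id + nonce alone."""
    return hmac.new(DEVICE_SECRET, app_id.encode() + nonce, hashlib.sha256).digest()


def register(app_id):
    """Token side of registration: returns (key_handle, site_key).
    The relying party stores both; the token stores nothing per site."""
    nonce = os.urandom(16)
    key = _site_key(app_id, nonce)
    # The tag binds the handle to this app_id so another site cannot reuse it.
    tag = hmac.new(DEVICE_SECRET, app_id.encode() + key, hashlib.sha256).digest()
    return nonce + tag, key


def unwrap(app_id, key_handle):
    """Rebuild the site key from a handle; None if not ours or for another app."""
    nonce, tag = key_handle[:16], key_handle[16:]
    key = _site_key(app_id, nonce)
    expected = hmac.new(DEVICE_SECRET, app_id.encode() + key, hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, expected) else None


def _signed_bytes(app_id, counter, challenge):
    return hashlib.sha256(app_id.encode()).digest() + counter.to_bytes(4, "big") + challenge


def authenticate(app_id, key_handle, challenge):
    """Token side of login: the browser passes app_id, handle and the site's challenge."""
    key = unwrap(app_id, key_handle)
    if key is None:
        return None
    COUNTER[0] += 1
    # Stand-in for the ECDSA signature over (app_id hash, counter, challenge).
    msg = _signed_bytes(app_id, COUNTER[0], challenge)
    return COUNTER[0], hmac.new(key, msg, hashlib.sha256).digest()


def verify(app_id, site_key, challenge, last_counter, response):
    """Relying-party check: counter went up (replay/clone detection), challenge matches."""
    counter, sig = response
    if counter <= last_counter:
        return False
    expected = hmac.new(site_key, _signed_bytes(app_id, counter, challenge), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)
```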