[lug] GitHub+Yubico, FIDO U2F token discount

Davide Del Vento davide.del.vento at gmail.com
Mon Oct 5 14:31:06 MDT 2015


That wasn't what I was looking for, but it led me to
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html
which still isn't what I am looking for, but contained much more tech
details than anything I've seen before. I still have questions, and
the document demonstrates that this isn't as secure as I thought it
was, but it's still progress.
Thanks
Davide

On Mon, Oct 5, 2015 at 12:26 PM, Quentin Hartman <qhartman at gmail.com> wrote:
> This might be what you are looking for:
> https://fidoalliance.org/specifications/overview/
>
> On Mon, Oct 5, 2015 at 12:03 PM, Davide Del Vento
> <davide.del.vento at gmail.com> wrote:
>>
>> Hey Rich,
>>
>> The special github yubikeys are totally sold out, but there is 20% off
>> any regular yubikey. I'm familiar with the yubikey OTP, but I'm not
>> with this FIDO U2F. At first it sounded to me like it is just a really
>> long, second password that you don't have to type (like the OTP is the
>> first, equally long password, that you don't have to type and second,
>> it changes every time). But then it says something like "it performs
>> cryptographic functions triggered by a simple touch of the key [...]
>> required for login", which sounded OTP-like but based on an input
>> instead of an implicit sequence count. I could not find any decent
>> documentation about this, do you have any recommended readings? For
>> example, how is this input sent to the yubikey? What is it really
>> about? How can it be that "you have an unlimited number of U2F
>> credentials on these YubiKeys that support the U2F protocol" as the
>> FAQ says?
>>
>> Thanks,
>> Davide
>>
>> On Sun, Oct 4, 2015 at 12:17 PM, Richard Johnson <rdump at river.com> wrote:
>> > If you participate in open source projects that use GitHub, or you're
>> > even a bit of a crypto geek, this is a cool opportunity for an
>> > inexpensive but quite durable [1] hardware 2nd factor.
>> >
>> >   https://www.yubico.com/github-special-offer/
>> >
>> >
>> > http://www.wired.com/2015/10/github-moves-past-password-make-open-source-secure/
>> >
>> > GitHub has announced they're supporting FIDO U2F as a 2nd factor on
>> > logins to their web service. It's working now via recent versions of
>> > Chromium/Chrome only, but Mozilla has an open feature issue for adding
>> > support.
>> >
>> > Even better, they have a serious discount ($5+$5 shipping) on Yubico's
>> > otherwise $18 FIDO U2F-only USB tokens (complete with OctoCat logo so
>> > you can tell them apart ;) ). They'll be usable on GitHub and
>> > increasingly widely beyond.
>> >
>> > While I'm still wanting a fully open source s/w + h/w implementation of
>> > FIDO U2F on a secure base (Nitrokey, eventually?), this will do for now.
>> > $5 is in "might as well get some to experiment with" range for me.
>> >
>> >
>> > Rich
>> >
>> > -------
>> > [1] I once found a lost basic Yubikey after it had spent 3 weeks
>> > freezing every night in a puddle of muddy snowmelt. It still works fine.
>> > These Yubico FIDO U2F models have the same construction.
>> > _______________________________________________
>> > Web Page:  http://lug.boulder.co.us
>> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety