Yubikey with USB-C

234 points| nickik | 9 years ago |yubico.com | reply

169 comments

[+] Tharre|9 years ago|reply
It's unfortunate that there is no Yubikey nano for USB-C yet. I really like the nano form factor, especially because I can't accidentally break a USB port like I could with the normal sized one.

I guess it's really hard to fit all of the electronics in a port as small as USB-C though.

[+] rconti|9 years ago|reply
Are there USB-C to, uh, "normal" USB adapters out? You know, that go the OTHER way?

I'd hate to not be able to use the USB-C Yubikey with my desktop, my keyboard port, my hubs, etc. Seems easier to just use the normal Yubikey plus a dongle for the few machines that support USB-C.

[+] Corrado|9 years ago|reply
I really, Really, REALLY love my nano and can't wait for a USB-C version. Actually, that is one of the things that would make me not want a new MBP.
[+] bonzini|9 years ago|reply
I like the form factor, but as a second factor it sucks. Effectively your computer becomes the second factor, and it's much more likely that your laptop (with the Nano plugged in it) is stolen, than a keychain with a bigger Neo.

It's acceptable if you only use it for OTP, but I can't get myself to put GPG private keys on a Yubikey Nano...

[+] VA3FXP|9 years ago|reply
A security token is an excellent concept, but usually fails when applied to 'typical' use-case scenarios.

Are you military personnel who is in charge of turning the key and launching the nukes? -Excellent reason to have a key that is impossible to forge. -Also, "key discipline" is likely very high.

Are you a paranoid nerd that wants to make sure that you cannot be compromised? -Excellent reason to have a key that is impossible to forge. -But what happens when you lose that security token?

i.e. "Honey! I can't find the car keys, have you seen them?"

We desperately need _BETTER_ 2FA. Bio-metrics are not the answer. I would be in favor of an implantable RFID chip or whatever 'better' tech comes around.

[+] Fnoord|9 years ago|reply
> But what happens when you lose that security token?

Pretty simple: you use your backup key to revoke the lost key. This is possible with e.g. Lastpass and Google. Of course, if the attacker logs in before you revoke the key, you are hosed, but the same would be true in your car analogy.

> i.e. "Honey! I can't find the car keys, have you seen them?"

With car keys, too, you have a backup key. Arguably, the physical car keys are easier to copy.

> I would be in favor of an implantable RFID chip or whatever 'better' tech comes around.

Nothing new, see this article from 2004 [1]. As you can read in the article, its first headline was even in 2001 (to put in perspective this is 15 to 16 years ago). Company's name is VeriChip.

The problem is that the signal can be intercepted (AFAIK it doesn't use a form of OTP), and the key cannot be easily replaced/revoked. A YubiKey doesn't suffer from this issue. The issue a YubiKey has is that it can be more easily lost than an implant.

The YubiKey Neo ('large' version, not the 'laptop' version) supports NFC.

> We desperately need _BETTER_ 2FA.

Why? How?

[1] http://www.wnd.com/2004/04/24179/

[+] sowbug|9 years ago|reply
Not disagreeing with your comment, but what do biometrics have to do with this article? I don't think Yubico does anything with biometrics, and these devices definitely don't have any such capability.

Moreover, U2F already is awesome 2FA (better than _BETTER_). Fast and unphishable. Buy a few of these, keep one on your keychain, one on your desk at home, and a backup locked in your safe, and you're all set.

We use the USB-A version of these things extensively at my company, and they're unbelievably convenient.

[+] nickik|9 years ago|reply
We don't need better 2FA, we need better 1FA. Biometrics are not the answer for that either, but rather new protocols that are independent of the mechanism you use.

That's exactly what the FIDO protocols are trying to do.

You can use your shitty local fingerprint sensor as an authenticator but you will still get better security against everything except if somebody steals your phone.

Phishing is the biggest problem, it needs to be solved. We can do it in the first or the second factor. People either need to move to U2F or they need to move to UAF on the first factor.

This is really the only hope.

[+] rwmj|9 years ago|reply
Practically speaking, I've been using a yubikey plugged permanently into my laptop for many years, and it works fine. I use it to authenticate to my work VPN (with a password as second factor).

The only downsides are: one fewer USB port, and the green light on the yubikey which is permanently lit.

[+] userbinator|9 years ago|reply
Indeed it is always important when considering security, to look at the other side and balance the risk of someone else gaining unauthorised access with you possibly losing access forever. Everyone wants "unbreakable" encryption, but unfortunately it seems very few consider the possibility of themselves losing the key --- perhaps it is because locks in the physical world are not quite as strong as good data encryption, and can be easily overcome with locksmiths and the like.
[+] pfg|9 years ago|reply
> But what happens when you lose that security token?

It's really not that big of a problem, at least in the "paranoid nerd" context. Just have backup keys that your users can print out and keep in a safe place. Or have more than one U2F device - most implementations I'm aware of allow users to register more than one device.

Of course, for most applications, there'd still be the usual support backdoor. That's definitely a problem not quite as easy to solve.

[+] chiefalchemist|9 years ago|reply
Moi? I'd rather buy ten passive backup keys than implant an RFID key that puts out a signal that never turns off. At that point you're robbing Peter of pay...Well...Um...Big Brother.
[+] newman314|9 years ago|reply
Maybe I'm going about this the wrong way but how do people handle 2FA across multiple machines with multiple keys?

I have multiple desktops, laptop and several mobile devices that I often context switch across. I'd like to use 2FA without having to plug and unplug the key every time I want to switch devices.

[+] nickik|9 years ago|reply
What I really want is not USB-C but rather a Yubikey 4 that supports NFC. None of the sticks support all features, which is quite vexing. Now I have to carry different sticks for different reasons.
[+] jacko0|9 years ago|reply
It would be nice to have USB C at one end and normal USB at the other.
[+] CoolGuySteve|9 years ago|reply
What is a Yubikey, I asked:

"Your YubiKey provides a second factor of security for your logins, beyond a username and password. Your YubiKey needs to be registered or paired with each computer, service, or site you use it with. "

[+] Ajedi32|9 years ago|reply
Yeah, it's basically a smart card you can use with a bunch of popular sites like Google, GitHub, Dropbox, etc. (See http://www.dongleauth.info/ for a more extensive list.) Based on an open standard (FIDO U2F). Some versions also support storing PGP keys and the like.
[+] colept|9 years ago|reply
It has two modes. If you short press it, it will generate a one time password. A long press will output a static password. Both modes can be configured optionally.
[+] danjoc|9 years ago|reply
> What is a Yubikey

A yubikey 4 or Neo has 2 slots which can be configured for about 5 different things. OTP, challenge response, static password, and some other things I can't remember right now. It also has 3 slots for a PGP private key, signing key, and encryption key. It also has 4 PIV slots to use as smart card key storage for authentication (ssh), code signing, and other things I can't remember. Then there are additional PIV slots to hold expired keys you might want to keep around for some reason?

It has quite a lot of functionality for a little device. The main difference between Neo and 4 is Neo has NFC, where 4 supports 4096 pgp keys. 4 is the newer one, but nothing new has NFC yet.

I use it with luks for full disk encryption, ssh, and to store my pgp key for QTPass/Android Password Store. QTPass + passff extension for firefox is nice.

I haven't set it up as a 2FA for sudo yet, but that's possible also. I don't plan to use it for PGP encrypted email for the same reasons described here.

https://blog.filippo.io/giving-up-on-long-term-pgp/

[+] _joel|9 years ago|reply
It's unfortunate that they went closed source but I still have a Neo here that survived several months in my washing machine (it got silently caught between the rubber manifold and the drum). Eventually when I found it again, plugged it in expecting nothing, but was greeted with the green flashing led and the button worked just fine. I still have it but don't use it anymore, the closed source thing grates a little with me so use other methods now.
[+] spchampion2|9 years ago|reply
Have they ever figured out compatibility with iOS? I feel like this is the biggest thing holding them back from broader adoption.
[+] polack|9 years ago|reply
Have you tried to set up a Yubikey with RSA-keys and click-to-sign? It's things you expect "just to work", but the tooling around the Yubikey sucks big time and that's what's holding them back. It's a shame though cause they make really good hardware.

Their strategy has been to gain traction through the major tech players. Think it's time for Stina to realize they cannot ignore the rest of us if they want to make it big.

[+] nickik|9 years ago|reply
They are working on a Bluetooth LE version. Should make it possible.

But it's really all the fault of Apple's stupid NFC policy, not some other issue.

[+] jsjohnst|9 years ago|reply
Now that iOS supports USB keyboards, it might work. Not sure why I haven't tried it since that came out, but I'll give it a shot and report back.
[+] jlgaddis|9 years ago|reply
NFC? AIUI, they can't support it until Apple does.
[+] DCKing|9 years ago|reply
Great! The reason I bought a Yubikey Neo over the Yubikey 4 is that I need access to the key on all my devices - computers and my phone(s). It's a secure and user-friendly way to solve the key distribution problem to have access to your TOTP tokens, FIDO credentials and/or your PGP keys on all your stuff. I would not use PGP otherwise, as it leaves key distribution as an exercise to the user [2].

Since USB-C is going to be the standard on computers, phones and tablets this new product will be very versatile and usable for secure authentication across almost all devices [1]. Only question is - do apps like Yubico Authenticator and OpenKeyChain support this on Android already?

[1]: You're out of luck on iDevices of course, but you're out of luck with iDevices and Yubikey already.

[2]: This was much less of a problem for the first ~15 years of PGP's existence of course, but it feels old-fashioned nowadays.

[+] 2bluesc|9 years ago|reply
I'd love to replace my YubiKey Neo with the USB-C version because it looks more rugged. That said my Neo works fine but I fear it destroying a USB port after a minor accident.

However, my problem with USB-C is while it works great on my laptop, my desktop doesn't have a USB-C port anywhere near my desk or keyboard. I'd have to buy a hub or something. I'm sure this will get better as I find excuses to replace parts of my desktop hardware.

[+] jsjohnst|9 years ago|reply
Exactly my thoughts. Finally a yubikey I don't have to worry about breaking. Admittedly, I've never broken one, but I still live in fear of doing so.

I'm surprised folks like the Neo though. I rarely use mine anymore as I kept accidentally triggering it when I carried my laptop to meetings.

[+] joshpadnick|9 years ago|reply
What are the options for handling loss or theft of your YubiKey if using as an individual? I love the concept of a physical token as a second auth factor, but last I checked, there were no good loss-recovery scenarios when used as an individual (versus in a corporate environment where IT manages the Yubikeys).
[+] lawpoop|9 years ago|reply
I use the yubikey, and I wish it had a blinking LED while it was in the slot, to let me know that it was still there, and should not be.

The first week I had it, I left it inserted in the computer a number of times. Now I keep it on my keys so that I don't forget to remove it.

Now I

[+] jwatte|9 years ago|reply
It needs A on one end and C on the other, because nobody I know works on only one device.

(OTG too for various devices, if you want really wide compatibility)

[+] georgyo|9 years ago|reply
Does anyone know why the yubikey 4 supports RSA 4096, but ECC only goes up to 384 and not 521? Sure 384 is likely "enough" but ECC 521 is both faster and smaller than RSA4096. I just can't seem to figure out why they would impose that limit.
[+] supermatou|9 years ago|reply
Anyone else using a similar product, OTHER than Yubikey? I've read on certain forums about Yubikeys being "flimsy" and less durable than similar products; is this true? What is your experience with it?
[+] dmoy|9 years ago|reply
I have a less durable, cheaper U2F key, which is sort of the opposite of what you were asking for. I actually don't know of anything that's more durable... the yubikeys that fit inside a USB A port are pretty damn durable.
[+] michaelmcdonald|9 years ago|reply
I have four Yubikeys (three of the "4" variant, one of the nano) and all of them are extremely durable. You'd have to purposefully try to damage one for anything to happen to it.
[+] colept|9 years ago|reply
I've had mine for close to a year now, and for a while it was on my keychain daily. It has held up well!
[+] Freak_NL|9 years ago|reply
Yubikeys actually seem pretty durable; that seems to be the gist of the opinions I've read on their durability. A piece of anecdotal evidence; I am carrying an older model Yubikey on my keyring, and it is holding up pretty well (almost two years now).

They certainly don't come across as flimsy.

[+] daveguy|9 years ago|reply
I have had a yubikey neo on my keychain for almost 4 years now. It is thin plastic and seemed like it might not hold up this long, but it has been going strong. I think they have changed designs to make it smaller since (which would be stronger). They do make solid products.

That said, I would rather use Google Authenticate (TOTP) for two factor. Getting my phone out is a regular thing. Getting the yubikey out and plugging it in seems more of a hassle. Passpack is the only thing I have to use the yubikey for -- would be happy if they provided TOTP. Spending $40 for two factor these days is kind of ridiculous.

[+] devicenull|9 years ago|reply
I've worn out multiple USB extension cables with my Yubikey, but the device itself is still going strong.
[+] Arubis|9 years ago|reply
I have a Nitrokey Pro in addition to my YubiKey 4. I love that it's got a much more open design and am happy to support the company for that reason, but its enclosure looks like a reasonably good generic USB key. Going only by tactile feel, I expect the Yubikey to outlast it.
[+] NuSkooler|9 years ago|reply
I've had a YubiKey on my keychain for over a year and a half and it's held up very well. It looks quite beat up due to being in my pocket, rubbing on other keys, and so on but it works perfectly.
[+] rolodato|9 years ago|reply
I have a regular Yubikey 4 - it looks like flimsy plastic but it's surprisingly strong. I can't snap it in half even with full force, doesn't even seem to bend.
[+] cmurf|9 years ago|reply
Couldn't there be a passthrough? I guess that means making the key a two port hub (one internal for the key itself, one external for connecting additional devices).
[+] arielweisberg|9 years ago|reply
Great to hear. Seems like very fast turn around addressing the needs of USB-C. Looking forward to the snag free version.
[+] joeseeder|9 years ago|reply
Lovely to see USB-C, I hope it will be plug and play for all USB-C phones as well!