top | item 15044600


cromantin | 8 years ago

I've been using Yubikey as my 2nd-factor password source for years. It's great. I would have even thrown away the second factor if Yubikey could have unlocked macOS FileVault.

What's a 2nd-factor password? Well, basically the Yubikey stores just a long text string, and another, shorter string is stored in my brain. When I log in, I enter the short string, then press the Yubikey.

To steal my data you don't only need to steal the Yubikey but also get my part of the password from me.


jakob223 | 8 years ago

If you just use the Yubikey to store passwords, though, then you're vulnerable to a replay attack: https://en.wikipedia.org/wiki/Replay_attack

kelnage | 8 years ago

[-You would be correct if-] It seems you are correct when the protocol works as described in the parent comment.

[-But it so happens that the-] Of course, in OTP mode the YubiKey protocol protects against replay attacks by using a counter on the YubiKey. This (authenticated) counter value is included in the messages that are exchanged during the authentication, and hence any replays can be detected/ignored, as the counter value will be less than or equal to the last received counter value.

Edit (deletions marked with [- -]): I had no idea people used modes other than OTP with their YubiKey...
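To make the counter mechanism in the comment above concrete, here is an added example that is not part of the thread and not YubiKey's own OTP format: a toy token that emits an HMAC-authenticated, counter-carrying OTP, and a verifier that keeps the highest counter seen per key and rejects anything at or below it. The public id, the shared secret, the `public_id:counter:tag` wire format and the HMAC-SHA256 tag are all constructed assumptions; a real YubiKey uses a per-device AES key and a ModHex-encoded ciphertext instead.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by token and verifier (a real YubiKey
# holds a per-device AES key; this is only a stand-in for the example).
DEVICE_SECRET = b"demo-only-shared-secret-not-a-real-key"


class SimulatedToken:
    """Toy model of a counter-carrying OTP token (hypothetical, not YubiKey's format)."""

    def __init__(self, public_id: str, secret: bytes):
        self.public_id = public_id
        self.secret = secret
        self.counter = 0  # monotonically increasing press counter

    def press(self) -> str:
        """Each 'press' bumps the counter and emits public_id:counter:tag."""
        self.counter += 1
        payload = self.public_id.encode() + struct.pack(">I", self.counter)
        tag = hmac.new(self.secret, payload, hashlib.sha256).hexdigest()
        return f"{self.public_id}:{self.counter}:{tag}"


class Verifier:
    """Accepts an OTP only if its tag is valid AND its counter beats the last accepted one."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # public_id -> shared secret
        self.last_counter = {}          # public_id -> highest counter accepted so far

    def verify(self, otp: str) -> str:
        try:
            public_id, counter_str, tag = otp.split(":")
            counter = int(counter_str)
        except ValueError:
            return "malformed"
        secret = self.secrets.get(public_id)
        if secret is None:
            return "unknown-key"
        # Authenticate the counter BEFORE trusting it, so a forged high counter
        # cannot be used to lock out the legitimate token.
        payload = public_id.encode() + struct.pack(">I", counter)
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        # Replay rule from the comment: counter <= last seen counter is rejected.
        if counter <= self.last_counter.get(public_id, 0):
            return "replayed"
        self.last_counter[public_id] = counter
        return "ok"


def demo() -> list:
    """Walk through fresh use, a replay, out-of-order submission and a tampered tag."""
    token = SimulatedToken("cccccbcdefgh", DEVICE_SECRET)   # constructed public id
    verifier = Verifier({"cccccbcdefgh": DEVICE_SECRET})
    first = token.press()
    results = [verifier.verify(first), verifier.verify(first)]   # ok, then replayed
    a, b = token.press(), token.press()
    results += [verifier.verify(b), verifier.verify(a)]          # ok, then stale counter
    tampered = first[:-1] + ("0" if first[-1] != "0" else "1")   # flip last hex digit of tag
    results.append(verifier.verify(tampered))                    # bad-mac
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `verify` matters: the MAC is checked before the counter is compared, so only the holder of the secret can advance the stored counter, and a captured OTP fails once any later OTP from the same key has been accepted, which is exactly why the static-password mode discussed in the thread, having no counter, cannot detect a replay.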

cromantin | 8 years ago

Yes, I am. I would've used one-time passwords, but there is no way to incorporate a brain-string into it.

I've used it since way before there were good solutions for Mac, and my main concern was to unlock my machine.

I would've ditched it if only FileVault could be unlocked with it :(

I may ditch this in favor of one-time passwords anyway; support on Mac is pretty good now, and FileVault will be secured with a 9-symbol string.