I'd like to try to answer some common questions I see here:
- Q: Doesn't passwordless mean single factor? Isn't that insecure?
A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know" (the PIN for the key). The PIN is optional, though, so both the single factor and two factor use cases are possible.
- Q: Is this Azure/Windows/AD only?
A: This post highlights the partnership with Microsoft and the integration with their products, but FIDO2 is not Microsoft-only (and Yubico will not be the only key vendor). CTAP2, once finished, will be published as an open standard like U2F, and the accompanying Web Authentication API [1] (WIP) is an OS-agnostic W3C standard enabling the same features in browsers.
A: For passwordless (PIN) login, yes. However, existing YubiKeys with U2F support will be usable as a 2nd factor in Web Authentication, and sites that currently use U2F can upgrade to using the Web Authentication API without needing their users to re-enroll their keys.
Full disclosure: I'm a Yubico engineer and one of the editors of the Web Authentication spec.
What's the deal with lost yubikey user workflow? Rely on individual websites to give you a one-time recovery passcode that you then have to input into every website? I can't believe I'm taking UX cues from cryptocurrencies, but what about providing the user with a seed for the yubikey private key they can back-up offline then reinstall in a new yubikey?
P.S. just ordered a yubikey security key, excited to add this additional layer to my own personal byzantine security labyrinth. Or maybe simplify it, who knows!
> A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know" (the PIN for the key). The PIN is optional, though, so both the single factor and two factor use cases are possible.
No, since passwordless login is available, the lowest denominator applies: single factor. Despite all your efforts it will most likely be possible to perform a passwordless login even when a password is required in a few years (as these things get broken). The something you know is useless, as it can be ignored. And because it can, it will. Either by force, by negligence or by laziness.
A PIN is really a numeric password. It has all the same flaws - compromise risk (say via social engineering) and the risk of forgetting and needing it reset.
So the ‘passwordless’ option here is either rename the password to PIN or eliminate it to provide single-factor login. The latter is a dream for smart attackers, since there is always some social engineering route they can use to acquire a legit token.
I wasted so much time and energy on implementing U2F for a web application, writing server side lib and making the javascript framework compatible with the horrible js-hack that's available for U2F support.
It was all in vain; the browser support is still horrible, no one wants to use it and it's not possible to use on mobile. How can you make a security solution that doesn't work on mobile?
Making a new "Web Auth" standard is a huge mistake, and I will not fall into that trap again.
Do you have any information when any major websites will (may?) support U2F in Firefox? Google, FB etc. Is there some issue with Firefox U2F implementation maybe? Thanks.
Do you have any plans to release server code (I'm mainly concerned about PHP) for CTAP2/WebAuthn support? I really appreciated having access to a reference implementation to handle the data from the client for U2F. CTAP2 looks significantly more complex, and I'm somewhat worried about complexity of implementing it correctly based on the spec.
> Q: Doesn't passwordless mean single factor? Isn't that insecure?
> A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know"
If "something you know" is physically stored on "something you have", doesn't this make "something you know" completely moot? Please explain how this doesn't simply reduce to "something you have". In other words, if someone steals your Yubikey, can they login as you without knowing anything additional?
The conversation here is blowing my mind. People are actually worried that their yubikey might get lost or stolen when likely most of your passwords are already all over the internet. I got an email from Twitter just a few days ago stating that they'd leaked my password. Twitter! Not Joe's Auto-Body whose website is being run by a high-schooler, but one of the pioneers of internet companies. They messed up. Your password is not safer "in your head" than a private key because it is not only in your head (who keeps all passwords in their head anymore anyway?).
Private keys are way, way more secure than passwords for that reason alone. You don't have to give anything secret to a third party.
If that's the one problem this solves and revocation and recovery and 2-factor are all still as difficult and broken as they are now with passwords that's still a huge win.
EDIT: more thoughts. I also really hope that hardware tokens like a yubikey are not required for every site or app. I'd like to be able to keep private keys on my phone or laptop for some things (how many of us keep our ssh keys exclusively on hardware tokens?).
Still reading the comments, but is anyone actually saying passwords are more secure in general? I think most people are saying that they get locked out of their account if they lose the token. How do you validate your account is your account if the only secret you have is lost? If you 100% require a hardware token, you need at least two and/or a method to auth that is not a hardware token so you can recover in a mode where you lost one.
But on the security note. There are several types of security. Security from the people directly around you and security from everyone on the internet.
Without any malware, I could pick up my friend's keys and log into their account on my computer in seconds and without their knowledge. This is harder to do with a password. At the same time a password is much easier for someone who doesn't even know who I am to attack.
It's why 2FA is so necessary, it helps defend against both methods of attack.
It’s why I told my parents to pick random passwords and write them all down in a notebook that they keep next to their computer. My way, they’re only stealable by their housekeeper or a burglar. If they needed to remember the passwords, they’d be vulnerable to 100 million script kiddies with rainbow tables.
As a security person, would I be happier if everyone switched from password+email to FIDO+email? Certainly.
But FIDO has more competition than that. Since it's not backwards compatible with most existing systems, we have to choose which new protocols to support: passwordless, ssh-like keys, certificates, SQRL, etc. There's limited trust and resources to go around.
> I got an email from Twitter just a few days ago stating that they'd leaked my password
Clearly you didn't read the email.
The password was potentially logged to twitter's servers in plaintext.
They have no evidence anyone collected those passwords, but various employees could, in theory, have seen those logs.
Presumably those logs are now all deleted.
Even if you didn't reset your twitter password, it's very likely you'd be fine since it's not "leaked" (to the wider internet), but could have been seen by some employees who, for fear of being fired, no doubt did not save it (and in all likelihood didn't see it in the first place).
>I also really hope that hardware tokens like a yubikey are not required for every site or app. I'd like to be able to keep private keys on my phone or laptop for some things
Web Authentication supports this with what's called "platform authenticators" - some kind of TPM/secure enclave etc. built into the computer (most likely a laptop/phone), possibly integrated with a fingerprint scanner. The expectation is that sites will let you register more than one credential (like many (most?) do for U2F), so you can have a keyring device for initial logins on new computers (or for logging in on a friend's computer) and then use a platform credential on each for most daily use. Intel's built-in U2F thing is something to this effect, and might be compatible.
It's also theoretically possible that a phone could expose its platform authenticator to other computers via Bluetooth/NFC/USB, but that's still hypothetical at this point.
so basically to defend against password hacking they want to use FIDO/yubikeys.
Too bad if something like twitter happens your yubikey is probably useless after it would've prolly logged anything to their servers.
P.S.: it's possible to change passwords, but hardware keys need to be destroyed and changed.
Also, Yubikeys can have bugs. https://www.yubico.com/2017/10/infineon-rsa-key-generation-i...
So basically it's not more secure. Even worse, the more code you throw at a problem, the more likely it is to be insecure.
Did they improve the stories for recovery ("I lost my device") and revocation ("my device has been stolen")? As far as I knew you had to buy 2 devices to have a chance of recovery, and Fido 1 explicitly said "revocation is something that needs to be resolved by each website that authenticates users", which is just asking for trouble.
I would love to have a hardware (or even phone-based) alternative to passwords, with no third-party and better privacy, but I feel like this solution only handles the happy path.
For an example of a happy-path-only system that makes me nervous, look at Google Authenticator. Recovery is made with backup codes, but they are also "resolved by each website" (https://security.stackexchange.com/questions/167563/where-to...), which often means no support at all. Not to mention having to create a new backup after creating a new account. I still use Google Authenticator myself, but I dread the day I lose my phone.
If the protocol doesn't handle recovery/authentication, the fallback is a trusted third party (e.g. email) or legal identity (e.g. scanned passport). Aside from being a huge hassle and creating a weak point, it weakens the user's privacy.
Correct me if I am wrong, but passwordless login is a single-factor authentication and less secure than MFA. Depending on whether the hardware key is more or less secure than the password, the mass adoption of this could make things LESS secure.
> passwordless login is a single-factor authentication and less secure than MFA
If you go from MFA to fido2, maybe. If you go from single-factor password, to single-factor fido2 - it's likely security will improve. A lot.
> Depending on whether the hardware key is more or less secure than the password
It is:
A password can be sniffed, filmed, inferred from sound recording.
You don't know when someone knows your password; a key will be missing (or copied, but that's supposed to be Very Difficult (tm)).
A password is unlikely to encode as much entropy; certainly any password/phrase you actually type in. 128+ bits of entropy is surprisingly hard to encode in a manageable size (it's 16 completely random binary bytes).
Now, if the assumption is that the alternative is a ssh key locked on a device, additionally protected by a pin... Maybe the fido2 is slightly less secure.
But if you try and list the failure modes / do some threat modelling; I think you'll see it ends up a close race.
It would certainly pair well with "something you know" - eg a pin/password with somehow proper rate-limiting.
I would expect things to be more secure in many cases. People are pretty good at keeping physical items somewhat safe and notice when they’re gone. Yubikeys cannot easily be cloned. The password cannot be attacked remotely. 2FA is certainly safer, though.
Single Factor: This only requires possession of the security Key to log in, allowing for a passwordless tap-and-go experience.
Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.
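The three modes listed above differ, from the website's point of view, only in what the key reports in the assertion: a tap sets the "user present" flag, and a PIN (or fingerprint) checked on the key sets the "user verified" flag, so the site learns that the PIN was entered without ever seeing it. The following Python example is added here and is not from the thread, from Yubico or from the Web Authentication spec's own code; it parses the fixed prefix of the authenticatorData a WebAuthn authenticator returns (32-byte rpIdHash, one flags byte, 4-byte big-endian signature counter, as laid out in the spec), enforces a per-operation user-verification policy, and uses the counter to flag a possibly cloned key. The relying party id, operation names and sample blobs are constructed for the example; verifying the assertion signature against the stored public key is a separate step not shown here.

```python
import hashlib
import struct
from typing import Dict, Tuple

# Flag bits in the authenticatorData flags byte (Web Authentication spec).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: the key checked a PIN or biometric locally

# Constructed policy: which operations may use tap-and-go (UP only) and which
# require the on-key PIN (UV). Operation names are made up for this example;
# operations not listed fail closed and require UV.
REQUIRE_UV: Dict[str, bool] = {
    "login": False,          # single factor: possession of the key is enough
    "change_email": True,    # multi-factor: key + PIN
    "transfer_money": True,
}


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the relying party id, as placed in authenticatorData."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a sample authenticatorData blob (test input, not from a real key)."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    stored_sign_count: int, operation: str) -> Tuple[bool, str, int]:
    """
    Policy checks a relying party runs on an assertion's authenticatorData.
    Returns (accepted, reason, sign_count_to_store).
    Signature verification with the credential's public key is done elsewhere.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash mismatch: assertion was made for another site", stored_sign_count
    if not parsed["user_present"]:
        return False, "user presence flag not set", stored_sign_count
    if REQUIRE_UV.get(operation, True) and not parsed["user_verified"]:
        # The server never sees the PIN; it only learns that the key checked it.
        return False, f"{operation} requires user verification (on-key PIN)", stored_sign_count
    counter = parsed["sign_count"]
    # A counter of 0 on both sides means the authenticator does not implement one.
    # Otherwise it must strictly increase; a stale value suggests a cloned key.
    if (counter != 0 or stored_sign_count != 0) and counter <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator", stored_sign_count
    return True, "ok", counter


if __name__ == "__main__":
    rp = "example.com"  # constructed relying party id
    tap_only = build_authenticator_data(rp, FLAG_UP, 7)
    with_pin = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 8)
    print(check_assertion(tap_only, rp, 6, "login"))           # accepted, tap-and-go
    print(check_assertion(tap_only, rp, 7, "transfer_money"))  # rejected: PIN not used
    print(check_assertion(with_pin, rp, 7, "transfer_money"))  # accepted
    print(check_assertion(with_pin, rp, 8, "login"))           # rejected: counter did not advance
```

The policy table is what lets one registered key serve both the tap-and-go login and the PIN-protected money transfer: the site asks for the stronger mode per operation (in a browser that is the `userVerification` option of the request) and then checks the UV flag the key actually returned rather than trusting the request. Unknown operations default to requiring UV so that a newly added endpoint cannot silently become single-factor.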
I think best practice will be that you can login with single-factor and see basic stuff, but if you want to do anything more critical like money related or changing email, depending on context, you are forced to use two-factor.
Also, if it's at least approximately equal to password security, this is a very welcome option. Most services I use I just want access easily.
That is confirmed in the "How does this work?" section. Your concern is addressed in the "Why is this important?" section. The key is definitely more secure against cracking than a password. It is more vulnerable to being physically stolen, but for most people, that is a lower risk.
For example if you have good physical security and limit passwordless login to physically secure machines via AD computer groups, this may protect you from remote attackers.
If however organizations allow the use of this over the internet from "any" endpoint then this completely replaces a password 1:1 and theft/loss of the Yubikey could be a major problem.
This could also be used only on a single layer of your security. For example passwordless VPN authentication but then a password/2F is required for actual user login.
FIDO2 passwordless login can use a device-local PIN as a second factor, like a conventional smart card. The hardware key then acts as both first and second factor.
Yes, sure, you could use pam-u2f, but that will never be as seamless as having it supported upstream in ssh.
Or you could use the OTP mode instead, but that has other disadvantages (you have to depend on yubico's servers or run your own KSM+validation servers).
It would be interesting if this became popular. One downside I see to this is that if law enforcement get their hands on your token they can unlock the device.
Also as the token can be regarded as a key rather than a password a court would be able to legally compel you to surrender it without invoking much debate regarding laws against self incrimination (e.g. the fifth).
So my biggest question here is: Is this Azure only? Each announcement about it seems to indicate that I might not be able to use this key with my local account PC.
Specifically, I have one use case computer where I have no screen, and getting through Windows login without it can be troublesome. I'd love to use this key to unlock it instead, but it's an offline machine.
I had this plan with Yubikey for Windows Hello, which has been out a while, and I bought a Yubikey, and discovered it could only unlock my Windows machine if it was locked (not logged out), which defeated the purpose entirely.
Two things - is there really a need for them to be this large? They also look vulnerable? Maybe it's just the look, but the blue one looks like it won't survive a proper stress test...
And second thing - is exposing connector safe against mechanical damage? Will it withstand constantly being scratched by keys?
Glad to see greater adoption of Yubikeys, however there is still a long way to go. Speaking from experience writing a u2f_auth client library, browser support is still nascent and hacky. Edge, safari, and AWS would need to adopt it before I would truly consider it mainstream.
If anyone is considering adopting Yubikeys in their organization using a language that is not supported by one of their client libraries my email is in my profile and I would be glad to help out to the best of my ability.
I wonder if these hardware keys really make things better for the end-user.
When using it even for login, people connect it to their laptops - that's what most people work with after all - and they must make sure they don't forget it there. As well they need to worry nobody steals it, whether it's on your laptop or you become a theft victim on the street. In the latter case the thieves might know what a Yubikey is and ask you for the pin.
Not sure what problem this solves. But I have the impression we're converting a virtual problem into a physical problem. To be honest I prefer to save keys on laptop drives, that's more difficult to steal, especially when using an encrypted disk.
No USB-C version and no way to upgrade my other 4+ YubiKeys I've got for more than $50 each! I think YubiKey has been abusing its monopoly recently! They've been working on this for quite some time and clearly knew they're not going to make their old premium keys support it so that people can waste time and money to upgrade! Is there an alternative more conscious company - I'd pay even $200 for the peace of mind that I won't have to change this key 1-2 times per year!
P.S. Obviously, no. Neither Nitrokey [0] supports it, nor is it a sturdy one!
My problem is that Microsoft doesn't allow swapping in and out of authentication plugins like PAM.
I work primarily in a Windows shop, and I got the other co-workers in Linux because PAM supports seamless multi-factor auth. I would have gone Windows, but it's too obfuscated or hard to do that.
LinOTP works very well. And LinOTP works with a wide variety of tokens. Don't be locked to a single vendor.
What I'd find interesting is using U2F (or FIDO2, which seems to be an evolution of this) as a second factor for SSH logins. But that doesn't seem possible without changes to SSH itself.
And I hope that this might trigger more widespread support for U2F and similar mechanisms in browsers and websites.
Good. After all the roundabout bullshit of "factors" ("2FA") and password managers, people have finally come to their senses that physical tokens are a very natural evolution of analog keys and the only real security, and should have been used from the get-go.
Microsoft could have teamed up with Logitech like Sony with Ericsson, and come up with a standard and put a (mildly cheap) fingerprint reader on each sold keyboard and popularized an open source standard for software implementation.
emlun | 8 years ago
[1]: https://www.w3.org/TR/webauthn/
- Q: Will I need a new YubiKey?
A: For passwordless (PIN) login, yes. However, existing YubiKeys with U2F support will be usable as a 2nd factor in Web Authentication, and sites that currently use U2F can upgrade to using the Web Authentication API without needing their users to re-enroll their keys.
ahelwer | 8 years ago
consp | 8 years ago
not_that_noob | 8 years ago
teknopaul | 8 years ago
polack | 8 years ago
Yizahi | 8 years ago
francislavoie | 8 years ago
asaph | 8 years ago
parent5446 | 8 years ago
datalog19908 | 8 years ago
Doesn't this PIN become a master password for all the websites at that point?
krupan | 8 years ago
georgyo | 8 years ago
ggg9990 | 8 years ago
BoppreH | 8 years ago
adrianN | 8 years ago
TheDong | 8 years ago
emlun | 8 years ago
lerie82 | 8 years ago
merb | 8 years ago
BoppreH | 8 years ago
djrogers | 8 years ago
vzaliva | 8 years ago
e12e | 8 years ago
Xylakant | 8 years ago
Analemma_ | 8 years ago
FIDO2 adds more options to the login process:
Single Factor: This only requires possession of the security Key to log in, allowing for a passwordless tap-and-go experience.
Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.
It's an option, not a requirement.
Risord | 8 years ago
newnewpdro | 8 years ago
This is a big part of why you always want one of your factors to be something you know.
[1] https://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_...
sp332 | 8 years ago
Someone1234 | 8 years ago
unknown | 8 years ago
emlun | 8 years ago
krupan | 8 years ago
"We recently identified a bug that stored passwords unmasked in an internal log."
Because all they will have is a public key, not your secret password.
ascorbic | 8 years ago
aepiepaey | 8 years ago
Maybe the introduction of FIDO2 will spark some interest in that again? https://bugzilla.mindrot.org/show_bug.cgi?id=2319
dogma1138 | 8 years ago
krupan | 8 years ago
ocdtrekkie | 8 years ago
BartBoch | 8 years ago
Tomte | 8 years ago
But hopefully U2F will actually work in non-Chrome browsers in the near future.
grondilu | 8 years ago
pg_bot | 8 years ago
blablabla123 | 8 years ago
nikolay | 8 years ago
[0]: https://www.nitrokey.com/
jimmcslim | 8 years ago
crankylinuxuser | 8 years ago
fabian2k | 8 years ago
pishpash | 8 years ago
belst | 8 years ago
joering2 | 8 years ago