WingNews logo WingNews
top | item 19788229

(no title)

32032141 | 6 years ago

I personally don't see the point in them at all, in implementation and reality you get basically zero use out of the things.

Services that support them either have them locked down so hard that if you lose a single Yubikey (there's often no backup second key option), you're very screwed. Others go the other option, and have too easy to reset systems, SMS fallbacks, or other total bypasses of the security tokens.

For SSH and GPG, authentication keys are generally the least of your concern. The content you're controlling are much more valuable than the authentication itself. Can an attacker just wait until you SSH somewhere, and leverage that access? Can they wait until you'd press the button for another benign purpose and use that authentication in a malicious way? The answer is almost always yes, which reduces the value of these sort of devices substantially. They don't protect against local compromise, in which case a keyfile sitting on your local host is just as secure and a lot more convenient.

discuss

order

peterwwillis|6 years ago

Well their main use is to mitigate remote compromise. But I suppose if for some reason someone compromises a private key remotely (???), they don't have your physical 2nd key to complete auth. Or if you want encryption at rest with something stronger than a passphrase. For weird cases like "disk backup was compromised" it also helps, because most people don't encrypt backups at the client. But in general, actual protection seems vanishingly small past remote attacks.

So I think in general private keys aren't improved with a token, since a compromised private key is supposed to be a local compromise.

32032141|6 years ago

I don't really see a situation in which someone has local file read access on your machine, but doesn't otherwise have you completely owned.

nijave|6 years ago

I think they can be pretty beneficial in corporate environments where you can exert some control over the IDP and turning it on/off isn't super difficult (like visiting a physical help desk)

In addition, these places tend to have less technical users and "plug it in and press during login" isn't terribly difficult

32032141|6 years ago

I genuinely don't understand downvoting a series of very realistic comments about what using a Yubikey is actually achieving in these situations.

WordyMcWordface|6 years ago

I agree, I bought a yubi key ages ago and have tried to set it up for ssh, windows auth and various online services but I find it either just doesnt work, or works poorly enough that I don't use it and instead rely on classic TOTP instead.