nanog mailing list archives

Re: crypto frobs


From: William Herrin <bill () herrin us>
Date: Mon, 23 Mar 2020 16:56:18 -0700

On 3/23/20 3:53 PM, Sabri Berisha wrote:
> In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens
> during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a
> hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use
> yubikey auth for pretty much everything, including updating a simple internal Jira ticket.

Meh. Here's a better example of bad:

SSH Key Auth + Yubi key.

This isn't two-factor authentication folks, it's just 1-factor: what
you have. You have an ssh private key. You have a yubi key. Same
factor. Either one proves you have possession of something only the
user should have. Proving two does not appreciably change the
probability that you are you.

For two factor auth, you actually have to use an additional factor.
Something from the what you know factor (e.g. a password) or the what
you are factor (e.g. a fingerprint).

Just like a password and a pin isn't two factor. It's exactly the same
as having a single longer password and subject to the same general
types of compromise.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/