nanog mailing list archives
Re: South Africa On Lockdown - Coronavirus - Update!
From: Michael Loftis <mloftis () wgops com>
Date: Mon, 23 Mar 2020 17:37:21 -0600
On Mon, Mar 23, 2020 at 4:53 PM Sabri Berisha <sabri () cluecentral net> wrote:
Hi,

In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small Python script which was triggered by a hotkey on my MacBook to push "keyboard" input.

They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.

Thanks,
This is an artifact of a poor implementation, not of a yubikey or any other security. Yubikeys support MANY methods of authentication. I have a number of them; a couple of them are set up for TOTP (using Yubico Authenticator), FIDO (native), and use the GPG functionality for ssh public key auth via agent. Pre-generating or replaying will not work with any of those methods.

So saying "Yubikeys are not very secure" is very incorrect. The specific deployment decisions weren't great in your specific case. Any OTP system based on incrementing counters could be abused in this manner if the OTP keys can be generated rapidly and saved. TOTP is the common method for solving this with 2FA. Yubikeys also support a number of challenge/response type authentications (which is effectively what my GPG setup does, and what FIDO sort of does).
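The difference between counter-based and time-based OTP described in the reply above, as an added example that is not part of the original thread. It uses RFC 4226 HOTP as a stand-in for "any OTP system based on incrementing counters" (it is not Yubico's own OTP format); the verifier class, window sizes and timestamp are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(key, int(now // step))

class HotpVerifier:
    """Counter-based verifier with a look-ahead window (hypothetical, for illustration)."""
    def __init__(self, key: bytes, window: int = 10):
        self.key, self.window, self.counter = key, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False

def totp_verify(key: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Accept only codes from the current time step, plus or minus `skew` steps."""
    t = int(now // step)
    return any(hmac.compare_digest(hotp(key, t + d), code) for d in range(-skew, skew + 1))

KEY = b"12345678901234567890"  # RFC 4226 test secret, not a real credential

def demo() -> dict:
    saved = [hotp(KEY, c) for c in range(3)]  # codes generated ahead of time
    v = HotpVerifier(KEY)
    # The counter-based verifier has no notion of when a code was generated.
    results = {"hotp_saved_later": [v.verify(c) for c in saved]}
    results["hotp_replay"] = v.verify(saved[0])  # counter has moved past it
    t0 = 1_000_000_000  # constructed timestamp
    code = totp(KEY, t0)
    results["totp_fresh"] = totp_verify(KEY, code, t0 + 10)
    results["totp_one_hour_later"] = totp_verify(KEY, code, t0 + 3600)
    return results

if __name__ == "__main__":
    print(demo())
```

The counter-based verifier accepts each stored code once, however long ago it was generated, while the time-based verifier rejects the same kind of stored code once its time step has passed.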