Re: South Africa On Lockdown - Coronavirus - Update!

[Owen DeLong <owen () delong com>]

> On Mar 23, 2020, at 16:50 , Warren Kumari <warren () kumari net> wrote:
>
> On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri () cluecentral net> wrote:
> > Hi,
> >
> > In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens 
> > during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a 
> > hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you 
> > use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>
> By that argument, SecureID (and other LCD tokens) are also really
> insecure. When I worked at AOL we had to use them for almost
> everything - a bunch of people got together and put their secureIDs in
> a grid under a webcam. That way they didn't need  to carry them with
> them - when they needed a token they would open the webcam page, and
> know that theirs was third down, and fourth across….

Not actually, no…

SecurID and the others of its ilk have a safety feature in that the number doesn’t change that often.

It turns out to be awkward and time-consuming to do what is being done with the UBIKEY.

I agree that this abuse of the UBI Key is more an issue of implementation than the inherent nature of the
UBIKEY, but the UBIKEY does allow this kind of abuse in ways that other tokens don’t facilitate.

Owen