nanog mailing list archives

Re: crypto frobs


From: William Herrin <bill () herrin us>
Date: Mon, 23 Mar 2020 17:48:29 -0700

On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <warren () kumari net> wrote:
> Well, yes and no. With a Yubikey the attacker has to be local to
> physically touch the button[0] - with just an SSH key, anyone who gets
> access to the machine can take my key and use it. This puts it in the
> "something you have" (not something you are) camp.

Hi Warren,

They're both "something you have" factors. The yubi key proves
possession better than the ssh key just like a long password proves
what-you-know better than a 4-digit PIN. But the ssh key and the yubi
key are still part of the same authentication factor.


> Not really -- if an attacker steals my laptop, they don't have the
> yubikey (unless I store it in the USB port).

You make a habit of removing your yubi key from the laptop when nature
calls? No you don't.


> If they *do* steal both,
> they can bruteforce the SSH passphrase, but after 5 tries of guessing
> the Yubikey PIN it self-destructs.

What yubikey are you talking about? I have a password protecting my
ssh key but the yubikeys I've used (including the FIPS version) spit
out a string of characters when you touch them. No pin.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

