by mabbo 1951 days ago
True security is using both "something you know" and "something you have". Something you have can be stolen, and something you know can be tricked out of you. But stealing both is difficult and far more obvious.

To log in to my work VPN, the password is "<my pin><output from the yubikey>". Our SSO system requires both once per day as well.

It's a great system and I highly recommend it.

8 comments

This is a bit muddied when talking about securing access to something you also have.

That is, you aren't securing your vpn with two factors. You are securing access to your vpn. It is different.

Similarly, for your computer, it is already something you have. Such that the password to log in to the machine can already be seen as a second factor. My home password, as an example, is worthless to you without my home computer.

I'm not sure on the argument regarding moving to a physical key to get in the machine. By and large, it seems to be a more transferable method of accessing something. Not more secure, per se. But not less, either. (Right?)

The reason a computer usually isn't considered "something you have" is that malware can clone them or they can be configured for remote access. Half the point of a yubikey or other hardware token is that they are supposed to be unclonable (and hence tied to a single physical device). Some of that can be replicated with a TPM I'm guessing but that isn't the norm yet.

Sorta. The "cookie" in your browser is often enough to pin your computer as "something you have" for access to services. Gmail, in particular. (Similar for the security enclave on your phone.)

As I understand it, a yubikey is '"something you have" that we can reasonably verify as unique based on a shared secret with a third party.' That is, the algorithm that the yubikey is using to verify that it is something you have, is predicated on other knowledge, correct?

(I know I have one question mark up there. But I intend all of these assertions as a question. I'm not positive on this stuff.)

The cookie can be easily cloned since it has to be readable to the browser so it can be sent to the service. Also the cookie is issued to the browser after presenting other credentials to login like password, 2fa and magic links so it does not fill the same role at all. Cookies make a very bad "something you have" factor since they are constantly sent over the network, so at any point there are many different load balancers, application servers and so on that could reasonably claim to be the "thing you have". Cookies are also (usually) issued by the service, not by the client so by definition they have been on some other device that is not the device you want to prove you have before landing on the device you want to prove ownership of.

What makes hardware tokens (like the yubikey) fill this role better is that the algorithm (which is really pretty standard crypto) runs on the device and the device is specifically designed to not reveal its keys, so it's easier to assume that anyone that can present proof of the keys also has the physical object.

Secure enclave (and that is why I mentioned TPMs in the previous post although it seems like it would require a TEE) could fill the same role as a yubikey, but is often not used that way except for the device vendor's login (like Apple ID). Even if your password is encrypted in a way that only the secure enclave can unlock, if you can get it out of there then it is not as secure as something that you can only prove possession of (and not extract).

> and the device is specifically designed to not reveal its keys,

Just want to take this moment to remind everyone that the yubikey has a protocol to configure it. Nobody knows the code that runs that protocol. Nobody knows the full capabilities of said protocol. The best hint we have is the semi-opensource configurator python/cli utilities which are just a bitmashing client of the published capabilities.

thank you.

I was just about to say that they still sell the neo which runs opensource firmware. Seems like they don't though and have discontinued that line.

Still the idea of hardware tokens, U2F, WebAuthn is not at all tied to yubikeys and there are implementations of it that are software-opensource like solokeys.

I think the security of a yubikey is likely better than most alternatives even if it is not open to scrutiny anymore.

I'm also guessing this is the point where it would be good to mention that WebUSB was a vulnerability for u2f hardware tokens (if you gave sites permission to interact with USB devices): https://www.wired.com/story/chrome-yubikey-phishing-webusb/

Interesting point. I never really thought of the laptop as something you have but it certainly is.

I will say that a security key is far easier to carry on you in more situations than say a laptop is and certainly a desktop. And the key, depending on how it is used to secure the device, may help mitigate brute force password attacks in the event that the device is stolen.

An argument could be made for defense in depth but for most people I would guess the amount of added security is probably not super beneficial and for those where it truly does matter then securing physical access to the device is probably more important anyway.

Agreed, I wasn't trying to say that your computer counts as enough of "what you have" to third parties. Is why I don't think it counts for most accounts you have access to.

That said, your phone is growing to take that privilege.

> Something you have can be stolen, and something you know can be tricked out of you.

Yep, it's generally been a useful combination. The "something you know" part could risk becoming a lower barrier the more that data breaches occur, and the more that people share and can infer about each other on public social media.

At the moment we tend to be very focused on securing individual identities and then assuring that what we say, do and write corresponds to those identities.

Perhaps a longer-term strategy is to care a bit less about the identity and be able to accept (and reject) content regardless of source.

Ideally something you "are" as well. Though in practice this might be overkill for most.

I believe there's a new biometric yubikey in the works. A fingerprint version of the 5C NFC would be cool.

I get the sense that biometrics are not very future proof. People leave fingerprints and DNA on everything they touch and faces and eyes are seen by cameras all the time. Biometrics work now, but in the near future I suspect the technology to take images of people's faces/fingerprints and reproduce their likeness to fool a biometric sensor will be a commodity. Once that happens biometrics will be near useless because you essentially have no way to respond to leaked biometric data, it can't be changed.

Possible yeah. Though I don't see this happening for a while yet. It's certainly marginally more secure than not having biometrics (3 instead of 2 elements).

Aah, but will the cameras get enough shots of my tongue? Linguametrics, you heard it here first, folks.

Also genital scan.

We use the AnyConnect VPN client which allows for a password & 2nd password field for yubikey, same concept. Agree that it works nicely.

How does that password scheme even work unless the plaintext pin is being stored somewhere?

The system knows how long a yubikey string is and can easily discard that part before hashing.

Sounds like our setup, OpenVPN + LinOTP? Pin + HOTP in a password field is a nice way to force 2FA into applications that don't support it natively.
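
Added example, not part of the thread and not code from OpenVPN, LinOTP or Yubico: a sketch of how a server can accept "<pin><otp>" in one password field without storing the plaintext PIN, by cutting off the fixed-length OTP tail, checking the PIN against a salted hash and the tail as an RFC 4226 HOTP. The record layout, the function names, the 6-digit OTP length and the look-ahead window are assumptions; a Yubico OTP tail is longer but splits the same way.

```python
import hashlib, hmac, os, struct

OTP_LEN = 6      # assumed fixed length of the OTP tail
LOOKAHEAD = 5    # assumed resync window: counters tried past the stored one
DEMO_SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test secret

def hotp(secret: bytes, counter: int, digits: int = OTP_LEN) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def enroll(pin: str, secret: bytes) -> dict:
    """Hypothetical server-side record: only a salted PIN hash is stored."""
    salt = os.urandom(16)
    return {"salt": salt, "pin_hash": hash_pin(pin, salt),
            "secret": secret, "counter": 0}

def verify(record: dict, password: str) -> bool:
    """Split '<pin><otp>' at the known OTP length and check both halves."""
    if len(password) <= OTP_LEN:
        return False
    pin, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])
    otp_ok = False
    for c in range(record["counter"], record["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(record["secret"], c).encode(), otp.encode()):
            # Burn the counter even if the PIN is wrong, so one captured
            # code cannot be reused to try many PINs.
            record["counter"] = c + 1
            otp_ok = True
            break
    return pin_ok and otp_ok

if __name__ == "__main__":
    rec = enroll("4821", DEMO_SECRET)         # constructed PIN
    print(verify(rec, "4821" + "755224"))     # first use of the counter-0 code
    print(verify(rec, "4821" + "755224"))     # same string replayed
```

A real deployment would also rate-limit failed attempts per account, since the PIN half is short.
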
Do you use Pass to get out the VPN password?

I like that set up, even though that’s a password manager and not like an ssh key held on Yubikey.

Amazon?

Shhh!