by taeric 1951 days ago
This is a bit muddied when talking about securing access to something you also have.

That is, you aren't securing your vpn with two factors. You are securing access to your vpn. It is different.

Similarly, for your computer, it is already something you have. Such that the password to login to the machine can already be seen as a second factor. My home password, as an example, is worthless to you without my home computer.

I'm not sure on the argument regarding moving to a physical key to get in the machine. By and large, it seems to be a more transferable method of accessing something. Not more secure, per se. But not less, either. (Right?)


The reason a computer usually isn't considered "something you have" is that malware can clone them or they can be configured for remote access. Half the point of a yubikey or other hardware token is that they are supposed to be unclonable (and hence tied to a single physical device). Some of that can be replicated with a TPM I'm guessing but that isn't the norm yet.
Sorta. The "cookie" in your browser is often enough to pin your computer as "something you have" for access to services. Gmail, in particular. (Similar for the security enclave on your phone.)

As I understand it, a yubikey is '"something you have" that we can reasonably verify as unique based on a shared secret with a third party.' That is, the algorithm that the yubikey is using to verify that it is something you have, is predicated on other knowledge, correct?

(I know I have one question mark up there. But I intend all of these assertions as a question. I'm not positive on this stuff.)

The cookie can be easily cloned since it has to be readable to the browser so it can be sent to the service. Also the cookie is issued to the browser after presenting other credentials to login like password, 2fa and magic links so it does not fill the same role at all. Cookies make a very bad "something you have" factor since they are constantly sent over the network, so at any point there are many different load balancers, application servers and so on that could reasonably claim to be the "thing you have". Cookies are also (usually) issued by the service, not by the client so by definition they have been on some other device that is not the device you want to prove you have before landing on the device you want to prove ownership of.

What makes hardware tokens (like the yubikey) fill this role better is that the algorithm (which is really pretty standard crypto) runs on the device and the device is specifically designed to not reveal its keys, so it's easier to assume that anyone that can present proof of the keys also has the physical object.

Secure enclave (and that is why I mentioned TPMs in the previous post, although it seems like it would require a TEE) could fill the same role as a yubikey, but is often not used that way except for the device vendor's login (like Apple ID). Even if your password is encrypted in a way that only the secure enclave can unlock, if you can get it out of there then it is not as secure as something that you can only prove possession of (and not extract).
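The distinction drawn above (a cookie is a bearer secret that is itself sent over the wire, a hardware token only ever sends signatures over server-chosen challenges) is easy to see in code. The following is an added example, not code from any commenter or from any token vendor; the `Authenticator` type is a hypothetical model of a token whose private key has no accessor, and the `Server`/`CookieServer` types are simplified stand-ins for a relying party. It uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator is a hypothetical model of a hardware token. The private key
// lives only here and no method returns it: what leaves the "device" is a
// public key (once, at registration) and signatures over challenges.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign proves possession by signing a server-chosen challenge.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Server keeps registered public keys and the one-time challenges it issued.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]string // hex(challenge) -> user it was issued to
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge hands out 32 fresh random bytes that are valid for a single use.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = user
	return c, nil
}

// Verify checks the signature against the registered key and consumes the
// challenge, so a (challenge, signature) pair captured in transit is useless
// afterwards: the secret itself never crossed the wire.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	id := hex.EncodeToString(challenge)
	if owner, ok := s.challenges[id]; !ok || owner != user {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, id)
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// CookieServer is the bearer-token contrast: whoever presents the string is
// treated as the user, and the server cannot tell a copy from the original.
type CookieServer struct{ sessions map[string]string }

func NewCookieServer() *CookieServer { return &CookieServer{sessions: map[string]string{}} }

func (c *CookieServer) Issue(user string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	cookie := hex.EncodeToString(b)
	c.sessions[cookie] = user
	return cookie, nil
}

func (c *CookieServer) Check(cookie string) (string, bool) {
	u, ok := c.sessions[cookie]
	return u, ok
}

func main() {
	tok, _ := NewAuthenticator()
	srv := NewServer()
	srv.Register("alice", tok.PublicKey())
	ch, _ := srv.Challenge("alice")
	sig, _ := tok.Sign(ch)
	fmt.Println("first use:", srv.Verify("alice", ch, sig)) // nil
	fmt.Println("replay:", srv.Verify("alice", ch, sig))    // error
	cs := NewCookieServer()
	cookie, _ := cs.Issue("alice")
	fmt.Println(cs.Check(cookie)) // a copied string passes exactly the same way
}
```

The point of the two halves is the asymmetry the comment describes: `Verify` can be satisfied only by something holding the registered private key, and each challenge is burned on first use, while `Check` has no way to distinguish the original holder from anyone who copied the cookie out of a browser profile or off a load balancer.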

> and the device is specifically designed to not reveal its keys,

Just want to take this moment to remind everyone that the yubikey has a protocol to configure it. Nobody knows the code that runs that protocol. Nobody knows the full capabilities of said protocol. The best hint we have is the semi-opensource configurator python/cli utilities, which are just a bitmashing client of the published capabilities.

Thank you.

I was just about to say that they still sell the neo which runs opensource firmware. Seems like they don't though and have discontinued that line.

Still, the idea of hardware tokens, U2F, WebAuthn is not at all tied to yubikeys and there are implementations of it that are software-opensource like solokeys.

I think the security of a yubikey is likely better than most alternatives even if it is not open to scrutiny anymore.

I'm also guessing this is the point where it would be good to mention that WebUSB was a vulnerability for u2f hardware tokens (if you gave sites permission to interact with USB devices): https://www.wired.com/story/chrome-yubikey-phishing-webusb/

Interesting point. I never really thought of the laptop as something you have but it certainly is.

I will say that a security key is far easier to carry on you in more situations than say a laptop is and certainly a desktop. And the key, depending on how it is used to secure the device, may help mitigate brute force password attacks in the event that the device is stolen.

An argument could be made for defense in depth, but for most people I would guess the amount of added security is probably not super beneficial, and for those where it truly does matter then securing physical access to the device is probably more important anyway.

Agreed, I wasn't trying to say that your computer counts as enough of "what you have" to third parties. That is why I don't think it counts for most accounts you have access to.

That said, your phone is growing to take that privilege.