[SahAssar]

The reason a computer usually isn't considered "something you have" is that malware can clone them or they can be configured for remote access. Half the point of a yubikey or other hardware token is that they are supposed to be unclonable (and hence tied to a single physical device). Some of that can be replicated with a TPM I'm guessing but that isn't the norm yet.

[taeric]

Sorta. The "cookie" in your browser is often enough to pin your computer as "something you have" for access to services. Gmail, in particular. (Similar for the security enclave on your phone.)

As I understand it, a yubikey is '"something you have" that we can reasonably verify as unique based on a shared secret with a third party.' That is, the algorithm that the yubikey is using to verify that it is something you have, is predicated on other knowledge, correct?

(I know I have one question mark up there. But I intend all of these assertions as a question. I'm not positive on this stuff.)

[SahAssar]

The cookie can be easily cloned since it has to be readable to the browser so it can be sent to the service. Also the cookie is issued to the browser after presenting other credentials to login like password, 2fa and magic links so it does not fill the same role at all. Cookies make a very bad "something you have" factor since they are constantly sent over the network, so at any point there are many different load balancers, application servers and so on that could reasonably claim to be the "thing you have". Cookies are also (usually) issued by the service, not by the client so by definition they have been on some other device that is not the device you want to prove you have before landing on the device you want to prove ownership of.

What makes hardware tokens (like the yubikey) fill this role better is that the algorithm (which is really pretty standard crypto) runs on the device and the device is specifically designed to not reveal its keys, so it's easier to assume that anyone that can present proof of the keys also has the physical object.

Secure enclave (and that is why I mentioned TPMs in the previous post although it seems like it would require a TEE) could fill the same role as a yubikey, but is often not used that way except for the device vendors login (like apple id). Even if your password is encrypted in a way that only the secure enclave can unlock if you can get it out of there then it is not as secure as something that you can only prove possession of (and not extract).

[glsdfgkjsklfj]

> and the device is specifically designed to not reveal its keys,

Just want to take this moment to remind everyone that the yubikey have a protocol to configure it. Nobody knows the code that runs that prototocol. Nobody knows the full capabilities of said prototocol. the best hint we have is the semi-opensource configurator python/cli utilities which are just a bitmashing client of the published capabilities.

thank you.

[SahAssar]

I was just about to say that they still sell the neo which runs opensource firmware. Seems like they don't though and have discontinued that line.

Still the idea of hardware tokes, u2f, WebAuthN is not at all tied to yubikeys and there are implementations of it that are software-opensource like solokeys.

I think the security of a yubikey is likely better than most alternatives even if it is not open to scrutiny anymore.

I'm also guessing this is the point where it would be good to mention that WebUSB was a vulnerability for u2f hardware tokens (if you gave sites permission to interact with USB devices): https://www.wired.com/story/chrome-yubikey-phishing-webusb/