by glsdfgkjsklfj
1950 days ago
> and the device is specifically designed to not reveal its keys,

Just want to take this moment to remind everyone that the yubikey has a protocol to configure it. Nobody knows the code that runs that protocol. Nobody knows the full capabilities of said protocol. The best hint we have is the semi-opensource configurator python/cli utilities, which are just a bitmashing client of the published capabilities. Thank you.
Still, the idea of hardware tokens, u2f, WebAuthn is not at all tied to yubikeys and there are implementations of it that are software-opensource like solokeys.
I think the security of a yubikey is likely better than most alternatives even if it is not open to scrutiny anymore.
I'm also guessing this is the point where it would be good to mention that WebUSB was a vulnerability for u2f hardware tokens (if you gave sites permission to interact with USB devices): https://www.wired.com/story/chrome-yubikey-phishing-webusb/