by talkingtab 181 days ago
In my opinion only, Yubico has done no favors to Fido with their marketing. As a result of trying to make Yubikey synonymous with Fido, it has become unclear what Fido does.

And as a result of how they market their keys, Fido keys are presented with a cost of $20 - $60. Why $60, for a simple Fido key? Because for $60 you get not only Fido, but Flippo, Froggo, x.6s8o and more-o.

The result is that most people know the name Yubikey, but don't really know Fido, or what it is. On Amazon if you search for Fido you get mostly Yubikeys. There were other brands, but Yubico appears to have snuffed them. At one point there was an open source version that worked just as well as a name brand.

As for value? If you are a big corporate type this is the cat's meow. But otherwise? What other hardware is $60? A Raspberry Pi 4? I can get little cheap USB thingies from China at 6 for a dollar.

I am not pointing at Yubico as they have done well making profits from corporations. Rather the Fido Alliance. Looking at the Fido Alliance provides a first pass at answering the question "Who Benefits?"

https://fidoalliance.org/overview/leadership/

Perhaps it is fair to ask "What benefit" as well.

Corpocracy. You gotta love it.

4 comments

Most government organizations mandate FIPS Yubikeys that are outrageously priced.

Yes, the $60 is clear regulatory capture. It also sets back security by raising the barrier to using these devices.

While you are right, security is generally not cheap.

You can get that $5 China Fido key, but are you sure it's you who owns it?

I was recently looking for a security key, and eventually I did pay the Yubico tax, because saving $20 by getting another one seemed unwise given the stakes.

>You can get that $5 China Fido key, but are you sure it's you who owns it?

Seems like a moot point because it'd be very difficult for a rogue Fido key to exfiltrate data. I'd be far more concerned about random Chinese IoT gadgets, which most people don't have a problem with.

Hmm, yes, but it's possible to compromise private key generation to only create a very small, predictable subset of keys. In fact some smartcards from Infineon suffered from this as a bug. And thus they can be brute forced. It requires some serious crypto chops to determine if this is the case. Obviously it's not like the first 60 bits being zero or something. And the private key is made to not be extractable in this kind of device, making it even harder.

One issue I see is that it's a sealed package; it wouldn't be immediately apparent if someone added extra hardware/functionality.

More likely though, I'd expect you'd just get some form of a clone device.

Couldn't they ship pre-compromised? Storing the RNG seed and private key at the factory.

Devil's advocate: how do they map that data to a user when you are buying through a maze of resellers?

They don't; they try against all the keys. There are at most a few billion of them.

See Dual_EC_DRBG.

It won't be as easy as that because you can generate a private key multiple times and notice it's the same.

However, yes, a very limited entropy in the private key is much harder to detect, especially because on this kind of device you can't see the private key directly.
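A small simulation of the detection idea in the two comments above, added here as an example and not part of the thread: a constructed toy authenticator whose private scalar spans only 2**entropy_bits values, and an audit that can only look at the public keys it emits and count repeats. The SHA-256 stand-in for scalar-to-point multiplication and all the numbers are constructed; the birthday bound shows why a modestly reduced key space stays invisible to this kind of check.

```python
import hashlib
import math
import secrets


def make_authenticator(entropy_bits):
    """Toy keygen (constructed model, not any vendor's code) whose private
    scalars cover only 2**entropy_bits distinct values."""
    def keygen():
        priv = secrets.randbelow(1 << entropy_bits)
        # SHA-256 stands in for scalar-to-point multiplication: one-way, so an
        # outside auditor sees a public value but never the private scalar.
        return hashlib.sha256(priv.to_bytes(32, "big")).hexdigest()
    return keygen


def count_duplicates(pubkeys):
    """Number of registrations whose public key repeats an earlier one."""
    seen = set()
    dups = 0
    for pub in pubkeys:
        if pub in seen:
            dups += 1
        else:
            seen.add(pub)
    return dups


def audit(keygen, registrations):
    """Register `registrations` credentials and count repeated public keys.
    This is all an auditor can do from outside a sealed device."""
    return count_duplicates([keygen() for _ in range(registrations)])


def collision_probability(entropy_bits, registrations):
    """Birthday bound: chance of at least one visible repeat."""
    n = registrations
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * 2.0 ** entropy_bits))


def registrations_for_even_odds(entropy_bits):
    """Registrations needed before a repeat becomes a coin flip (~1.18*sqrt(N))."""
    return math.ceil(1.1774 * math.sqrt(2.0 ** entropy_bits))


if __name__ == "__main__":
    for bits in (8, 16, 32, 64, 128):
        print(f"{bits:3d}-bit key space: ~{registrations_for_even_odds(bits):.3g} "
              f"registrations for a 50% chance of a visible repeat")
    print("repeats, 8-bit device, 300 registrations:", audit(make_authenticator(8), 300))
    print("repeats, 256-bit device, 300 registrations:", audit(make_authenticator(256), 300))
```

A device that has lost all but 32 bits of entropy is trivially brute-forced offline yet would need tens of thousands of registrations before a repeat shows up, which is the point about detection being hard.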

You're paying for brand and the fact they make key exfiltration very hard.

Getting the key out of an RPi4 will be trivially easy if someone steals it; not so much for a hardware key.

I am surprised that competition didn't keep them in check; we've been using them for more than a decade and the price just keeps slowly creeping up.

Run-of-the-mill smart cards have had non-extractable keys for decades. They only cost cents in manufacturing.

In raw materials, yes, but a lot of people were involved in developing and then conducting security evaluations on the MCU on the card, as well as all the software that runs on top, and those people do not work for free.

>I am not pointing at Yubico as they have done well making profits from corporations. Rather the Fido Alliance. Looking at the Fido Alliance provides a first pass at answering the question "Who Benefits?"

>https://fidoalliance.org/overview/leadership/

>Perhaps it is fair to ask "What benefit" as well.

>Corpocracy. You gotta love it.

You're really beating around the bush, trying to imply there's something shady going on, but you don't articulate what it actually is. So let me ask: what's the conspiracy here? That the Fido Alliance is a front for an evil cabal of tech companies trying to... improve security? Sell overpriced security keys?

This is not a conspiracy. This is just corporations acting in their best interest. Exactly the same as Microsoft acted in their best interest as described here: https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....

If that is confusing, here is a link to the Friedman Doctrine that explains it. https://en.wikipedia.org/wiki/Friedman_doctrine

When we see a technology that appears beneficial and is not adopted, I think it is fair to wonder why that is.

For me the key points I ponder are:

- over several years I saw articles on HN that supposedly promoted Fido, but almost always they talked about Yubikeys. This continues.

- Solokeys built an open source Fido key. They were priced very low compared to Yubikeys, but functioned just as well. You could buy them on Amazon at one point (and I did)

- the Fido Alliance Accreditation fees https://fidoalliance.org/certification/authenticator-certifi...

So no. I do not see a conspiracy, I just see an array of corporations acting according to the Friedman Doctrine.

Perhaps a good question is what benefits might those corporations gain from their actions. Would Google and Apple benefit from broad adoption of Fido keys or would it somehow lessen their profits? I don't know the answer, but I know the question.

>If that is confusing, here is a link to the Friedman Doctrine that explains it. https://en.wikipedia.org/wiki/Friedman_doctrine

>When we see a technology that appears beneficial and is not adopted, I think it is fair to wonder why that is.

>...

>Perhaps a good question is what benefits might those corporations gain from their actions. Would Google and Apple benefit from broad adoption of Fido keys or would it somehow lessen their profits? I don't know the answer, but I know the question.

Again, I don't see any cogent arguments here aside from a vague anti-corporation sentiment along the lines of "corporations are greedy so they must be trying to oppress us at every opportunity". You mention "I think it is fair to wonder why that is", but you haven't articulated how hobbling U2F/Fido/WebAuthn benefits the tech giants, when security is a huge pain point for them (both for their employees and their customers), and therefore they presumably benefit from it being adopted.

>- over several years I saw articles on HN that supposedly promoted Fido, but almost always they talked about Yubikeys. This continues.

Is there any evidence this was perpetuated by the Fido Alliance and/or their sponsors? Should we think there's a conspiracy by GitHub because people confuse git with GitHub?

>- Solokeys built an open source Fido key. They were priced very low compared to Yubikeys, but functioned just as well. You could buy them on Amazon at one point (and I did)

>- the Fido Alliance Accreditation fees https://fidoalliance.org/certification/authenticator-certifi...

What is this supposed to be evidence of? If anything this disproves your point that there can be competitors to yubikey.

It's an observation, not an argument.