First, for your whole message: s/\s+UBIKEY'/YUBIKEY/g s/\s+UBI/YUBI/g thanks. On Mon, Mar 23, 2020 at 9:24 PM Owen DeLong <owen@delong.com> wrote:
On Mar 23, 2020, at 17:24 , Warren Kumari <warren@kumari.net> wrote:
On Mon, Mar 23, 2020 at 8:03 PM Owen DeLong <owen@delong.com> wrote:
On Mar 23, 2020, at 16:50 , Warren Kumari <warren@kumari.net> wrote:
On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sabri@cluecentral.net> wrote:
Not if you run it in TOTP mode. Yubikeys support many options - if you choose to use a weak solution, well that's your choice... I guess you could ask them nicely to make a version without the features you don't want to use - or you could just not *use* the features you don't want to use….
I confess I haven’t investigated the implementation details, but is it possible for one to issue ubikeys to an employee in a secure way with those features disabled?
You can set the key and the authentication system to only do TOTP (time based) and not HOTP. you can also program the keys (I think all of their keys since their first key) with custom firmware.
It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing that seems to me is the issue in this case.
Sure limit the manner in which they can do foolish things, require totp not hotp. -chris