On 3/23/20 3:53 PM, Sabri Berisha wrote: In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
Meh. Here's a better example of bad: SSH Key Auth + Yubi key. This isn't two-factor authentication folks, it's just 1-factor: what you have. You have an ssh private key. You have a yubi key. Same factor. Either one proves you have possession of something only the user should have. Proving two does not appreciably change the probability that you are you. For two factor auth, you actually have to use an additional factor. Something from the what you know factor (e.g. a password) or the what you are factor (e.g. a fingerprint). Just like a password and a pin isn't two factor. It's exactly the same as having a single longer password and subject to the same general types of compromise. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/