On Mon, Mar 23, 2020 at 4:53 PM Sabri Berisha <sabri@cluecentral.net> wrote:
Hi,
In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
Thanks,
This is an artifact of a poor implementation, not of a YubiKey or any other security. YubiKeys support MANY methods of authentication. I have a number of them; a couple of them are set up for TOTP (using Yubico Authenticator), FIDO (native), and the GPG functionality for SSH public key auth via agent. Pre-generating or replaying will not work with any of those methods. So saying "YubiKeys are not very secure" is very incorrect. The specific deployment decisions weren't great in your specific case.

Any OTP system based on incrementing counters could be abused in this manner if the OTP codes can be generated rapidly and saved. TOTP is the common method for solving this with 2FA. YubiKeys also support a number of challenge/response-type authentications (which is effectively what my GPG setup does, and what FIDO sort of does).
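The difference between the three families the reply names can be shown in a few dozen lines. The following is an added illustration, not code from either message and not Yubico's OTP format or validation server: it implements HOTP (RFC 4226, a counter-based OTP) and TOTP (RFC 6238) from the RFCs, plus a plain HMAC challenge/response, and then simulates "generate a hundred codes during a meeting, type them from a script later". The verifier classes, the look-ahead window of 20, the one-step clock skew, and the fixed demo key are assumptions made for the demo. It goes slightly beyond the thread in one respect: it also shows that replaying an already-consumed counter code fails, so the weakness is pre-generation of future codes, not replay of old ones.

```python
"""
HOTP (counter) vs TOTP (time) vs challenge/response: why counter-based codes
can be generated ahead of time and "typed" later, while the others cannot.
Added illustration; not YubiKey/Yubico code. Verifier classes are hypothetical.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is derived from wall-clock time."""
    return hotp(key, now // step, digits)


class HotpVerifier:
    """Hypothetical server-side HOTP validator with a look-ahead window (assumption)."""

    def __init__(self, key: bytes, window: int = 20):
        self.key, self.counter, self.window = key, 0, window

    def verify(self, code: str) -> bool:
        # Any counter at or ahead of the last accepted one (within the window) is valid,
        # which is exactly why codes generated in advance keep working.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # this and earlier counters are now burned
                return True
        return False


class TotpVerifier:
    """Hypothetical TOTP validator allowing one step of clock skew (assumption)."""

    def __init__(self, key: bytes, step: int = 30, skew: int = 1):
        self.key, self.step, self.skew = key, step, skew

    def verify(self, code: str, now: int) -> bool:
        t = now // self.step
        return any(hmac.compare_digest(hotp(self.key, t + d), code)
                   for d in range(-self.skew, self.skew + 1))


class ChallengeResponseVerifier:
    """Hypothetical HMAC challenge/response: a fresh random nonce per login (assumption)."""

    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    @staticmethod
    def respond(key: bytes, nonce: bytes) -> bytes:
        # What the token computes; it needs the nonce, which did not exist before login.
        return hmac.new(key, nonce, hashlib.sha256).digest()

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        ok = hmac.compare_digest(self.respond(self.key, self.pending), response)
        self.pending = None  # a nonce is good for exactly one attempt
        return ok


def pregeneration_demo(n: int = 100) -> dict:
    """Simulate 'generate n codes in a meeting, feed them from a hotkey script later'."""
    key = b"constructed-demo-key"  # constructed 20-byte demo secret, not a real one
    results = {}

    # HOTP: the token's counter just increments, so every saved code is the "next"
    # one as far as the server is concerned; all n are accepted, in order.
    stored_hotp = [hotp(key, c) for c in range(n)]
    server = HotpVerifier(key)
    results["hotp_pregenerated_accepted"] = sum(server.verify(c) for c in stored_hotp)
    # Replaying a code that was already consumed fails: the counter moved past it.
    results["hotp_replay_of_used_code"] = server.verify(stored_hotp[0])

    # TOTP: codes saved during the meeting are worthless an hour later.
    meeting_time = 1_700_000_000
    stored_totp = [totp(key, meeting_time + 30 * i) for i in range(n)]
    tserver = TotpVerifier(key)
    results["totp_valid_if_typed_immediately"] = tserver.verify(stored_totp[0], meeting_time)
    results["totp_pregenerated_accepted_later"] = sum(
        tserver.verify(c, meeting_time + 3600) for c in stored_totp)

    # Challenge/response: a recorded answer is bound to a nonce that is never reused.
    crserver = ChallengeResponseVerifier(key)
    recorded = crserver.respond(key, crserver.challenge())
    results["cr_live_response"] = crserver.verify(recorded)
    crserver.challenge()  # the next login gets a fresh nonce
    results["cr_replayed_response"] = crserver.verify(recorded)
    return results


if __name__ == "__main__":
    for name, value in pregeneration_demo().items():
        print(f"{name}: {value}")
```

The HOTP and TOTP functions reproduce the RFC 4226 and RFC 6238 test vectors for the ASCII key "12345678901234567890", so the arithmetic is the standard one; only the verifiers and the scenario are invented. The point the demo makes is the reply's: with a counter-based scheme the server cannot tell a code computed five minutes ago from one computed five days ago, whereas a time-based code carries its validity window and a challenge/response answer cannot exist before the server has issued the challenge.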