#Yubikey

2025-10-04

@adingbatponder

Good question!

A core property of FIDO2 is authenticating the origin (are you connected to the right site, or a copycat). The daily benefit of this protection is intended to be worth the trade-off of requiring diligence in retaining possession of the key.

Also, the idea is that loss of the key would be noticed quickly enough that the key could be revoked.

Finally, putting a PIN on a "leave-in" / installed key (which is a PIN for the key, not for individual sites) is a reasonable way to mitigate the risk of the window of time between the loss/theft of the key and when it can be revoked.

#YubiKey

2025-10-04

Does it make sense to use a #YubiKey nano? I mean, if it is left in the USB port then the 2FA is completely bypassed if a laptop is stolen, right? I do not seem to understand the use case other than preventing remote attacks, because the logins need human confirmation at the machine. But a separate key seems far safer.

2025-10-02

Made a new version of my crypto pendant idea recently. Haven't found any tiny NFC chip to embed in it, so I slimmed it down instead. I also tried some new ways to decorate it instead of making it part of the print. So I first tried to be "artistic" with a permanent marker and then I tried to wrap some wire and melt it into the back of it. Definitely more happy with this version than the first one.

The yubikey lives on the backside of the pendant.

#yubikey #3DPrinting

A dark gray plastic rectangular pendant with black pen marks and golden wire wrapped around it in an artistic fashion, with a black leather strap emerging from its top. It's lying on a dark gray knife mat with its characteristic cross pattern. The handle of some kind of tool is visible at the top of the picture.

2025-09-30

How to set up 2FA or passkey for Cockpit Remote Login #ssh #remoteaccess #yubikey #cockpit

askubuntu.com/q/1556749/612

2025-09-29

Do you #pgp-sign your #git commits with a #yubikey?

I find it annoying to touch the sensor for each commit when rebasing my branches...

Ari "Too Spooky" Jackson @arisummerland@beige.party
2025-09-24

Can tech Mastodon tell me if #Yubikey would be advantageous in helping me manage my 85-year-old mother's super powers of changing her passwords -- and then not telling me?

She's less likely to lose a key, a physical thing, than she is to lose wherever she wrote down (or didn't write down) a password.

And yes, I keep track of her passwords as best I can because she does not understand how the Internet works, and she gets incredibly frustrated and forgets what she did with them or that she even changed them. Knowing them and being able to manage her devices makes being her personal technology manager much easier.

Right now she's no longer an admin on her own computer because of issues I've had in the past with her destroying expensive laptops with malware.

Unfortunately (because $$), I'm thinking that I would have to have two keys for managing her accounts: one for her to keep, and one backup for me to keep in case she loses the first one (even though I said she was unlikely to have that happen because she usually puts those kinds of things in the same place every time, but she doesn't have a cat...)

The thing I'm most worried about as she ages into her 90s is that she will fall prey to another scam. She had that happen last year in some mysterious and obscure way and lost money and had to change all her cards because of it.

For a while after that, I cut her off from having an actual computer and made her suffer with just an iPad and her phone (which meant she would not access Facebook as much or as often, which I think was the source of the scam).

Old ladies are high security risk!

I guess the question really is, is something like a yubikey a useful and a justifiable expense for the ordinary garden-variety computer toucher who wants to up their security, or is it overkill?

2025-09-21

🔐 How to log in to Debian/GDM with a YubiKey FIDO2! 🚀
Strengthen security with physical two-factor authentication, no traditional password needed.
#BảoMật #YubiKey #FIDO2 #Debian #GDM #Linux #MastodonVietnam #Security #TwoFactorAuthentication

4rknova.com//blog/2022/09/02/y

2025-09-20

Me and my new #yubikey5 part 2:

Now we get to the nitty-gritty parts. I'm using #mbsync to sync multiple #imap accounts to local #maildir and I am automating this via #systemd: a timer calls a service every 5 minutes, which will call mbsync on all mail accounts if connected to the internet.

Providing the passwords via #pass that is encrypted with #yubikey will need that yubikey to be unlocked (i.e. a PIN needs to be provided). When providing this PIN (e.g. by manually calling mbsync on one of my mail accounts), it will be stored for at least 12h, and up to 24h (on my home PC; mobile and remote devices will of course have different settings).

However, if I never manually provide the PIN, the systemd automated scripts will fail. E.g. I just connected the key but haven't used it yet.

First I thought this was due to me using the `curses` version of #pinentry. But that's not the whole truth. Even with `pinentry-gtk` the systemd script will not trigger a PIN entry. I didn't quite understand why, and therefore ran in a different direction:

Could I just auto-unlock the yubikey when I connect it? I wrote a #udev rule that would recognize the yubikey. Learning that I need to put scripts for udev in certain dirs, and being unhappy with it, I then wrote a systemd service for udev to call instead, and with that I managed to finally get a PIN entry request using the gtk version.

And then it got me thinking. Why did that work, but not my mailsync, which basically has the same things involved (script instead of udev that triggers systemd that wants to decrypt something using yubikey, triggering PIN entry)? And then it hit me: my mailsync systemd service was missing the `DISPLAY=:0` environment variable, thus the script can't trigger the GUI. Half a day's worth of work, all for nothing :picardfacepalm:

But hey, the weekend is young. Next up: if triggered via CLI I want gpg to trigger `pinentry-curses` instead of `pinentry-gtk`. Sounds easy: have a `pinentry-auto` script figuring out where it has been called from. Well... not really #wip

Screenshot of a terminal in the background showing a manual triggering of mbsync with one of my mail addresses, and a GTK window in the foreground (pinentry-gtk) prompting me to enter the PIN to unlock my Yubikey to decrypt the passwords provided by the GPG-encrypted password store from pass.

Full-screen terminal window showing the output from `journalctl -n0 -f` when I plug in the yubikey and wait a while for the automatic mailsync service to trigger.

The output shows that while the Yubikey is inserted and properly recognized, when mbsyncer starts it asks for the PIN, but directly gets a `PIN callback returned error: IPC call has been cancelled` message, which in turn makes the decryption fail, which leads to the account being skipped in mbsync. And this will continue for the next 7 mailboxes I own...

Terminal showing the bat output of the udev rule I wrote:

`ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", TAG+="systemd", ENV{SYSTEMD_USER_WANTS}="yubikey-unlock.service"`

This file lives under: `/etc/udev/rules.d/99-yubikey-unlock.rules`

Console with vim showing the content of the new `systemd` service I wrote, which lives in my home dir under: `.config/systemd/user/yubikey-unlock.service`

Content:

```ini
[Unit]
Description=Yubikey GPG Unlock
After=graphical-session.target

[Service]
Type=oneshot
# Encrypt a throwaway string to the key and decrypt it again: the decrypt step
# is what makes gpg-agent ask for the YubiKey PIN and cache it.
ExecStart=/bin/bash -c 'TEMP_FILE=$(/usr/bin/mktemp); echo "unlock test" | /usr/bin/gpg --encrypt -r FEE1636BFD47D3E8 > "$TEMP_FILE"; /usr/bin/gpg --quiet --decrypt "$TEMP_FILE" >/dev/null 2>&1; /usr/bin/rm "$TEMP_FILE"'
# Without DISPLAY the agent cannot start pinentry-gtk from a service.
Environment="DISPLAY=:0"
```

Last line was missing in my mailsync service, which is why the PIN entry did not trigger for fetching mails... you'll never stop learning :D

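
The `pinentry-auto` idea from the post (pick `pinentry-curses` when gpg is run from a terminal, `pinentry-gtk` otherwise), as an added example that is not the author's script. It relies on two things gpg-agent already does: it forwards the caller's `PINENTRY_USER_DATA` environment variable to the pinentry process, and it passes along the caller's `DISPLAY`. The program names `pinentry-curses` and `pinentry-gtk` are assumed to be installed; point `pinentry-program` in `~/.gnupg/gpg-agent.conf` at this script and run `gpgconf --reload gpg-agent`.

```shell
#!/bin/sh
# pinentry-auto: dispatch to a curses or GTK pinentry depending on the caller.
# Added example, not the author's script. Assumes pinentry-curses and
# pinentry-gtk exist and that gpg-agent.conf names this file as pinentry-program.

# choose_pinentry USER_DATA DISPLAY -> prints the pinentry program to run.
# USER_DATA is the PINENTRY_USER_DATA value gpg forwards from the calling
# process (set e.g. "tty" in your shell for terminal use); DISPLAY is the X
# display the agent hands on, empty when there is none, which is exactly the
# situation of a systemd user service without Environment=DISPLAY.
choose_pinentry() {
    user_data=$1
    display=$2
    # An explicit hint from the caller wins over any heuristic.
    case "$user_data" in
        *tty*|*curses*) echo pinentry-curses; return 0 ;;
        *gui*|*gtk*)    echo pinentry-gtk;    return 0 ;;
    esac
    # No hint: use the GUI when a display is available, the terminal otherwise.
    if [ -n "$display" ]; then
        echo pinentry-gtk
    else
        echo pinentry-curses
    fi
}

# Only dispatch when installed and invoked as "pinentry-auto"; under any other
# name this file merely defines choose_pinentry so it can be sourced or tested.
if [ "${0##*/}" = "pinentry-auto" ]; then
    prog=$(choose_pinentry "${PINENTRY_USER_DATA:-}" "${DISPLAY:-}")
    exec "$prog" "$@"
fi
```

In a terminal, `PINENTRY_USER_DATA=tty gpg --decrypt file.gpg` then gets the curses prompt even when an X session is running. The failure mode from the post is also visible in the table: with neither a hint nor a `DISPLAY`, the script falls back to `pinentry-curses`, which has no TTY inside a service and the agent cancels the PIN request, so a service that must unlock the key still needs `Environment=DISPLAY=...` (or a `PINENTRY_USER_DATA=gui` hint) in its unit.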
2025-09-19

It's been a while since I've last used #crypto (and by that I don't mean coins but oldschool #cryptography : encrypting and signing mails, etc.), and lately I've only used #gpg to encrypt my #pass vault.

However, I wanted to up my game a little, so here it comes: For the first time I got myself a hardware token. I opted for #yubikey even though #nitrokey is probably the better option, because of #opensource. But I wanted my first steps to be smooth ones, and also try out all the different operational scenarios; and all research said that Yubikey is the better supported and the more versatile option (maybe I'll switch to a #nitrokey later on).

I went a bit overboard with the setup as well. I got myself some new USB drives, one flashed with #tails - a portable live #linux system by the @torproject developers, to boot a machine #offthegrid with it on which I'd create my keys. A #gnupg main key just for certification, and three subkeys for signing, encryption and authentication. The main key was moved to two backup USB drives, the subkeys onto two Yubikeys (which was a bit of a hassle, as usually you are only allowed to move them to one).

While the private main key will never see the light of day (i.e. just stay on the thumbdrives or be imported by the off-grid tails system), the subkeys will live on my tokens (which are not extractable as well).

They expire every year so I'd need to renew them (with the main key on tails), my identities are tied to the main key, and if any key is compromised I can easily create new ones with that main key.

To me that seems pretty sound, and a lot of overkill, tbh :D But it was also quite fun.

Next up: Switching my environment to use Yubikey and my new GPG keys instead of #ssh etc. And after that I'll give #2FA a try. And if I am not on the PC I guess I'll read some more about #EllipticCurveCryptography. First time I am using those algorithms. So long, #RSA, you've been a great companion, and hello #ed25519, nice to meet you.

#security #privacy

Three Intenso USB thumb drives, and two YubiKeys 5C NFC, on a table. One yubikey is still in its package, the other one opened up. As are the three thumb drives.

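
The key layout described in the post (a certify-only primary key that stays offline, plus signing, encryption and authentication subkeys that expire after a year and are renewed with the primary), carried out with plain GnuPG commands as an added example. This is not the author's own procedure or command history; it assumes GnuPG 2.2 or newer, uses a throwaway `GNUPGHOME` so the real keyring is untouched, sets no passphrase so that it runs unattended, and the user ID is a constructed placeholder. Moving the subkeys onto the token itself (`keytocard`) is interactive and not shown.

```shell
#!/bin/sh
# Added example, not the author's commands: ed25519 certify-only primary key
# plus three one-year subkeys (sign, encrypt, authenticate) in a throwaway
# GNUPGHOME. GnuPG 2.2+ assumed; no passphrase so it runs unattended (set one
# on a real key).

# gpgb HOMEDIR ARGS... : run gpg non-interactively against HOMEDIR.
gpgb() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# primary_fpr HOMEDIR USERID : fingerprint of the primary key for USERID.
primary_fpr() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# subkey_fprs HOMEDIR FPR : fingerprints of all subkeys under primary FPR,
# one per line (the first fpr record in the listing is the primary itself).
subkey_fprs() {
    gpg --homedir "$1" --batch --with-colons --with-subkey-fingerprint \
        --list-keys "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { n++; if (n > 1) print $10 }'
}

# make_key_hierarchy HOMEDIR USERID : create the primary and the three
# subkeys, then print the primary fingerprint.
make_key_hierarchy() {
    home=$1; uid=$2
    mkdir -p "$home" && chmod 700 "$home"
    # Certify-only primary: it only ever lives on the offline machine and the
    # backup drives, so it gets no expiry here (a matter of taste).
    gpgb "$home" --quick-generate-key "$uid" ed25519 cert never >/dev/null
    fpr=$(primary_fpr "$home" "$uid")
    [ -n "$fpr" ] || return 1
    # One subkey per job, each valid for a year; renew_subkeys extends them.
    gpgb "$home" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    gpgb "$home" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
    gpgb "$home" --quick-add-key "$fpr" ed25519 auth 1y >/dev/null
    echo "$fpr"
}

# count_subkeys HOMEDIR : number of subkeys in the keyring.
count_subkeys() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "sub" { n++ } END { print n + 0 }'
}

# export_backups HOMEDIR FPR OUTDIR : the full secret key export belongs on the
# offline backup drives only; the subkey-only export is what the everyday
# machine (or the token) gets.
export_backups() {
    home=$1; fpr=$2; out=$3
    mkdir -p "$out" && chmod 700 "$out"
    gpgb "$home" --armor --export-secret-keys "$fpr" > "$out/primary-secret.asc"
    gpgb "$home" --armor --export-secret-subkeys "$fpr" > "$out/subkeys-secret.asc"
    gpgb "$home" --armor --export "$fpr" > "$out/public.asc"
}

# renew_subkeys HOMEDIR FPR : the yearly chore, run where the primary lives.
renew_subkeys() {
    home=$1; fpr=$2
    subs=$(subkey_fprs "$home" "$fpr" | tr '\n' ' ')
    # shellcheck disable=SC2086  (word splitting of $subs is intended)
    gpgb "$home" --quick-set-expire "$fpr" 1y $subs
}
```

Afterwards `subkeys-secret.asc` is what you import on the daily machine; the everyday keyring then holds only a stub for the primary, so certifying other people's keys or adding subkeys forces you back to the offline drive, which is the whole point of the split.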
2025-09-19

If you have a yellow or orange YubiKey that you're willing to part with, please reach out.

#YubiKey

2025-09-18

I just set up a zero-trust system for my homelab: Cloudflare Access + Authentik + YubiKey to secure the web apps, while Proxmox stays private via Tailscale. Clean, easy to manage and with full audit logs! 🔒

#Homelab #ZeroTrust #BảoMậtMạng #SelfHosted #Cloudflare #Authentik #YubiKey #Tailscale

reddit.com/r/selfhosted/commen

2025-09-15

Does anybody use a #yubikey with #gnupg?

After I plug in the stick, I have to type my pin and then touch the contact pads to decrypt or sign. This is fine.

What I find annoying is that for subsequent uses, I no longer have a prompt. I don't have to type the PIN (this is fine), but there's no window telling me to touch the contact pads.

For instance, when I send an email, I sign by default; so I get confused when there's no prompt but my email is still sending.

Do you have the same issue?

2025-09-13

Auto-filling TOTP in Chrome with a Yubikey

Tired of entering TOTP codes on websites every time, and you have a yubikey? Then read on. I'll share a self-written extension that automates this routine.

habr.com/ru/articles/942592/

#totp #google_chrome #yubikey #extension #javascript

2025-09-12

Finally a calm weekend ahead...

Some well deserved rest and maybe scratch an itch:

- Add support for sbsign to use a #yubikey via #pkcs11
- Do a few of the #gnuradio challenges
- Fiddle around with my #ftx1f #ham and make some antennas next to the lake.
- PoC moving my homelab to #yggdrasil
- Move my homelab away from #NixOS containers
- Setting up #tollgate with a self-service mint as an educational tool.

2025-09-06

I've now tested my new YubiKeys on my computer for 3 days and have to say: it's a great addition. I've already set up several things so that logging in is only possible with the YubiKey. That means: anyone who doesn't have my YubiKey will have a hard time getting access to the respective account.

In case of a defect I have of course set up a second YubiKey, which is kept in sync with the other one. The spare is deposited in a safe place that only 2 people know.

On my ArchLinux machine I no longer need to enter a password when I run "sudo"; a short touch of my YubiKey is enough.

On the manufacturer Yubico's site, services that support YubiKeys are listed, and I noticed that there are already quite a few.

Link: Works with YubiKey Catalog | Yubico


#YubiKey, #Sicherheit

2025-09-04

@madargon

The problem with OTPs is that it does not have enough space to store all 'secrets', so I am forced to continue using an OTP app alongside the Yubikey, until enough services migrate to

Mad Argon :qurio: @madargon@is-a.cat
2025-09-04

Saw some post about migrating #authenticator apps... and I realised I never used Google app for example. Because when I started configuring #2FA, I already had #Yubikeys :blobcatpeek2:

So I naturally downloaded their Yubico Authenticator to use something I could use, without even thinking. And this was/is my first #OTP app I ever used.
I tried FreeOTP or something similar when it was recommended for some work thing in previous job, but never had a chance to really "feel" that because I changed jobs shortly after.
And now I thought for the first time that my only experience with OTP is when codes aren't device-locked... :blobcatgiggle:
And for me it's absolutely natural state, as things should be.

#Yubikey

2025-09-03

@publicvoit @timbray

In your view, what would be the best alternative product to a #Yubikey?

Karl Voit :emacs: :orgmode: @publicvoit@graz.social
2025-09-03

@timbray Besides the things mentioned in the linked article, I don't like it that the Megacorps added functionality to give away #Passkey access to other people which enables all sorts of #phishing attacks while everybody seems to insist that #Passkeys can not be stolen.

I can provide some whitepapers about that notion as well.

If you take this seriously, you need to use hardware #FIDO2 tokens, which still prevent extraction of the secret.

Don't buy #Yubikey since they don't allow firmware updates in case their product is insecure which already happened.

2025-09-02

Starting today I'll be testing the YubiKeys I ordered in everyday use. I've now set them up with almost all accounts that support these hardware security keys.

Why two of these sticks at once, some will surely ask... it's recommended to get "at least" 2 in case one gets lost or breaks. That way you can still use the backup key. I may add more later, which is why I didn't label the YubiKeys "1" and "2"; instead the backup key is labelled "B" for "Backup".


#Sicherheit, #Yubikey

2 Yubikeys lie on a white plate. The left Yubikey bears the number 1, marking the primary stick; the second bears the letter B, marking the backup stick.

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst