#Yubikeys
DoesSec 🔐 🪪 ☕ :verified_paw:

@tychotithonus

It would be great if Yubico made all models available to more than just 500+ companies through their enterprise service, like the multi-protocol Bio or this announced version.

The enhanced YubiKey 5 NFC and YubiKey 5C NFC will offer:
- PIN complexity turned on
- A minimum PIN length set to 6 characters
- alwaysUV (always user verify) turned on
- Standard "off-the-shelf" product availability
- Unique FIDO AAGUIDs to allow policy enforcement

This enhanced version will be available exclusively through **YubiKey as a Service** and will be available in July.

#Yubikeys are well on the way to becoming a collector's item ...

David Nelson

People who use hardware security keys: storing them in geographically diverse locations is a wise move, but it makes it impossible to quickly onboard. How do you keep track of where you've registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes, I use passkeys extensively, but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) #YubiKey #YubiKeys #FIDO #FIDO2 #FIDOKey #FIDOKeys #Security

Re: people complaining about losing access when you have #passkeys and lose your only device…

Well, honestly, we tried selling people #yubikeys, but nobody would buy them. Everyone just complained, "Why can't I just use my phone?"

#Passkeys are objectively better than passwords in every way, EVEN IF you have them on only one device and then lose that device. They are just as easy to recover as passwords. Yes, it's true that both Google and Apple want you to use their keychain technology, but you can go download Bitwarden or 1Password and use that instead.

Or you can still buy Yubikeys; they still work great.


I've written a new blog post (9000 words) taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"

yawnbox.is/blog/threat-modelin

I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!

Also, I need a job! If you like my work, maybe you know of something where I'd be a good fit.

yawnbox.is · Threat modeling YubiKeys and passkeys

OK, I'm going to fully admit I'm not entirely sure how to use #YubicoAuthenticator across multiple #YubiKeys vs., say, #Authy or #GoogleAuthenticator, after a year+ of off-and-on looking into trying it out.

Do I need to store the #TOTP seeds on every #YubiKey I own? And do they all take up a slot? If so, I'm glad that for most high-value ones I've been saving encrypted copies of the initial secret key in my password manager. Is that the way it works, all stored in the keys and not in some DB on each device?

And this happened... I accidentally left my #yubikey (the one on the dog-tag chain I always have on me) at a friend's house :blobcatsad2:
Now I really feel naked, or like I suddenly lost my weapon or my "magic powers". I have to get it back soon because it's very uncomfortable, even if technically I have enough backup configurations to use other #yubikeys to access my things (all my devices/accounts are strongly dependent on yubikeys, so I made good backups from the beginning).

Some time ago I watched a low-budget horror movie. Not a very mainstream one; I don't even remember the title. The main character involuntarily became a kind of undead and had to wear a magic #amulet. When she took it off, she was closer to the afterlife dimension and eventually really dead, even if in a reversible way.

Currently I feel a similar way after 5 years of wearing one of my #Yubikeys on my neck on a dog-tag chain. I have it on me most of the time, also when I sleep (not when I wash myself; it would be inconvenient even if it's waterproof). Sometimes I take it off, even for a few hours (very rarely), but then it is always a few meters from me. And then I feel like I lose my connection with some "higher force", the source of my "special powers" (or the source of my identity? my soul?) or something, and it's rather uncomfortable.

So it seems like cryptography and privacy obsession turned me into a #lich :blobcatghost: 💀🧟‍♀️

How to Get Around a Google Hardware Security Key Bug
Having problems using #Yubikeys as a second factor (or at all) in a new #Google Workspace since Google added passwordless in beta. I hope this is fixed soon, or that I figure out what I'm doing wrong.
medium.com/cloud-security/how-

Cloud Security · How to Get Around a Google Hardware Security Key Bug, by Teri Radichel

Short cautionary story

I wanted to synchronize #OTP on all my #yubikeys (now five, because of circumstances). I wanted every one to be interchangeable with the others so I don't have to wonder which one I must use.
For people not familiar with them: OTP codes are stored on the #yubikey itself; apps are interfaces to interact with it. So they can be used on any device with any version of the #YubicoAuthenticator app. I mostly use the terminal version on my Linux desktop. And when creating a new account/credential, the user usually writes everything in one command, together with the seed code.

It had been some time since I created one, so I tried to check the correct command syntax in my #shell #history. And suddenly I realized I had all the seed codes stored in my history, ready to reuse.

For me it was convenient at the time: I didn't have to register with all the services again, just copy-paste the old commands for the new keys. But anyone can see how terrible this could be for #security :blobcat_ohnoes:

Anyone with access to my laptop and terminal could also use them. Of course I use #LUKS, so my shell history (or other data on my laptop) isn't easily available :blobCat_evil:

So, be careful about what you might have in your shell history.
And use full-disk #encryption everywhere, just in case; you can forget many small things in various places!
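The exposure described in the post above, as an added example that is not part of the original post or of Yubico's tooling: a POSIX shell scanner that looks through a history file for otpauth URIs or an inline base32 seed after an `oath ... add NAME` command, reports the hits with the seed redacted, and writes a scrubbed copy for review. It assumes ykman's `oath accounts add NAME [SECRET]` form (the secret can be omitted and entered at a prompt instead) and uses a constructed sample history with made-up seeds.

```shell
#!/bin/sh
# Added example (not from the post above): scan a shell history file for TOTP
# seed material left behind by commands such as "ykman oath accounts add NAME SECRET".
# Omitting SECRET on the command line and entering it at ykman's prompt keeps it
# out of history in the first place. The sample history below is constructed.
# Matches an otpauth:// provisioning URI, or an "oath ... add NAME" command that is
# followed by a 16+ character base32 token (optionally '='-padded). A long base32-
# looking account name can false-positive; the report never prints the token.
SEED_RE='otpauth://|oath[[:space:]]+(accounts[[:space:]]+)?add[[:space:]].*[[:space:]][A-Za-z2-7]{16,}={0,6}([[:space:]]|$)'

# seed_hits FILE: print the number of history lines that expose a seed.
seed_hits() {
    grep -E -c "$SEED_RE" "$1"
}

# report_hits FILE: show line numbers and the first three words of each hit,
# with the seed itself redacted.
report_hits() {
    grep -E -n "$SEED_RE" "$1" | awk '{
        n = index($0, ":"); ln = substr($0, 1, n - 1); split(substr($0, n + 1), f, " ")
        printf "history line %s: %s %s %s ... <seed redacted>\n", ln, f[1], f[2], f[3]
    }'
}

# scrub_copy FILE OUT: write FILE to OUT with the exposing lines removed, so the
# result can be reviewed before it replaces the real history file.
scrub_copy() {
    grep -E -v "$SEED_RE" "$1" > "$2"
}

# Constructed sample history; the base32 strings are made up, not real seeds.
make_sample_history() {
    f="${TMPDIR:-/tmp}/sample_history.$$"
    cat > "$f" <<'EOF'
ls -la ~/.ssh
ykman oath accounts add github JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
ykman oath accounts list
ykman oath accounts add mail-backup NBSWY3DPEB3W64TMMQ======
ykman oath accounts add imap
ykman oath accounts code github
echo 'otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example'
EOF
    printf '%s\n' "$f"
}

HIST=$(make_sample_history)
echo "exposed seed lines: $(seed_hits "$HIST")"   # 3 for the sample above
report_hits "$HIST"
scrub_copy "$HIST" "$HIST.scrubbed"
rm -f "$HIST" "$HIST.scrubbed"
```

Point it at `~/.bash_history` or `~/.zsh_history` to check a real file; the scrubbed copy is only written to the path you pass, never over the original.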

If you've ever wondered about #passkeys and #yubikeys, this was a very in-depth look.

yubico.com/blog/a-yubico-faq-a

I see lots of benefits, but also some risk. The rush to make logins easier seems to be lowering the security bar. Storing passkeys in #1Password makes me a bit nervous because it seems to rely on a single authentication. Just using a password out of 1PW still needed 2FA if I didn't mark the device as trusted. For some services, I never store trust. 2FA always. #InfoSec

Yubico · A Yubico FAQ about passkeys: Delve into Yubico's comprehensive guide about passkeys, a term encapsulating FIDO/WebAuthn credentials that offer a secure, passwordless experience.