Re: people complaining about losing access when you have #passkeys and lose your only device…
Well honestly we tried selling people #yubikeys but nobody would buy them. Everyone just complained “why can’t I just use my phone”
#Passkeys are objectively better than passwords in every way, EVEN IF you have them on only one device and then lose that device. They are just as easy to recover as passwords. Yes it’s true that both Google and Apple want you to use their keychain technology but you can go download Bitwarden or 1Password and use that instead.
Or you can still buy Yubikeys, they still work great
I've written a new blog post (9000 words) taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"
https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/
I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!
also, i need a job! if you like my work, maybe you know of something where i'd be a good fit.
Ok, I'm going to fully admit I'm not entirely sure how to use #YubicoAuthenticator amongst multiple #YubiKeys vs, say, #Authy or #GoogleAuthenticator after a year+ of off/on looking to try it out.
Do I need to store the #TOTP seeds on every #YubiKey I own? And do they all take up a slot? If so, I'm glad that for most high-value ones I've been saving encrypted copies of the initial secret key in my password manager. Is that the way it works, everything stored in the keys, and not in some DB on each device?
This is unfortunate because I received a pair of these recently that I've been meaning to take out of the package. I guess they won't be issuing recalls?
New #Yubikeys. Needed?
Jan Wildeboer:
https://social.wildeboer.net/@jwildeboer/113075481869359895
Edit: It's not that bad. ed25519 is not affected.
#YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel.
This is the last thing we need right now!
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
It seems they have discovered a “vulnerability” in #Yubikeys, since they are “clonable”.
#Ciberseguretat #SeguretatDigital #Tecnologia #Autenticació #Privacitat #Hacking #SeguretatInformàtica
As @rysiek says, the attack requires:
- Physically opening the YubiKey
- Physical access to the YubiKey “while it is authenticating”
- Non-trivial electronics lab equipment
... Basically, in every possible scenario, you are safer using a #YubiKey than not using one at all.
Finally buying a pair of #yubikeys.
These things are expensive af tho.
And this happened... I accidentally left my #yubikey (the one on the dogtag chain I always had on me) at a friend's house.
Now I really feel naked, or like I suddenly lost my weapon or my "magic powers". I have to get it back soon because it's very uncomfortable, even if technically I have enough backup configurations to use other #yubikeys to access my things (all my devices/accounts are strongly dependent on yubikeys, so I made good backups from the beginning).
Some time ago I watched a low-budget horror movie. Not a very mainstream one; I don't even remember the title. The main character involuntarily became a kind of undead and had to wear a magic #amulet. When she took it off, she got closer to the afterlife dimension and eventually really dead, even if in a reversible way.
Currently I feel a similar way after 5 years of wearing one of my #Yubikeys on my neck on a dogtag chain. I have it on me really most of the time, also when I sleep (not when I wash myself; it would be inconvenient even if it's waterproof). Sometimes I take it off, even for a few hours (very rarely), but then it is always a few meters from me. And then I feel like I lose the connection with some "higher force", the source of my "special powers" (or the source of my identity? my soul?) or something, and it's rather uncomfortable.
So it seems like cryptography and privacy obsession turned me into a #lich
here's a taste of a blog post i'm going to publish soon, trying to bring about some simplification and understanding around passkeys compared to YubiKeys
Welcome changes to YubiKey hardware and software (firmware version 5.7 train) announced (including expanded storage!) and:
How to Get Around a Google Hardware Security Key Bug
Having problems using #Yubikeys as a second factor (or at all) in a new #Google Workspace since Google added passwordless in beta. I hope this is fixed soon or I figure out what I’m doing wrong.
https://medium.com/cloud-security/how-to-get-around-a-google-hardware-security-key-bug-ed6ae75d01c8
Short cautionary story
I wanted to synchronize #OTP on all my #yubikeys - now five, because of circumstances; I wanted each one to be replaceable with any other and not to wonder which one I must use.
For people not familiar with them, OTP codes are stored on the #yubikey itself; apps are interfaces to interact with it. So they can be used on any device with any version of the #YubicoAuthenticator app. I mostly use the terminal version on my Linux desktop. And during new account/credential creation, the user usually writes everything in one command, together with the seed code.
It had been some time since I created one, so I tried to check the correct command syntax in my #shell #history. And suddenly I realized I had all the seed codes stored in history, ready to reuse.
For me it was convenient then: I didn't have to register with all the services again, I could simply copy-paste the old commands for the new keys. But everyone can see how terrible this could be for #security.
Anyone with access to my laptop and terminal could also use them. Of course I use #LUKS, so my shell history (or other data on my laptop) isn't easily available.
So, be careful about what you might have in your shell history.
And use full-disk #encryption everywhere, just in case; you can forget many small things in various places!
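An added example, not the poster's own script: a small POSIX shell snippet that finds `ykman oath accounts add NAME SECRET` lines carrying a base32 seed in a history file and redacts them in place. The history contents and seeds are constructed, and the "16+ base32 characters" token heuristic is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the poster's script: find OATH seeds that an interactive
# "ykman oath accounts add NAME SECRET" left in a shell history file, redact
# them, and note how to keep new ones out. History contents are constructed.

# Print history lines that add an OATH credential with the seed inline.
# Heuristic (assumption): a token of 16+ base32 characters (A-Z, 2-7, optional
# '=' padding) on a "ykman oath ... add" line. Lines that omit the secret
# (ykman then prompts for it) are ignored. Works on bash history and on zsh's
# ": timestamp:0;command" lines, since nothing is anchored to line start.
find_inline_seeds() {
  grep -E 'ykman[[:space:]]+oath[[:space:]]+(accounts[[:space:]]+)?add' "$1" |
    grep -E '(^|[[:space:]])[A-Z2-7]{16,}=*([[:space:]]|$)'
}

# Number of leaking lines; the pipeline always exits 0, so it is safe under "set -e".
count_inline_seeds() {
  find_inline_seeds "$1" | wc -l | tr -d ' '
}

# Replace each inline seed with a placeholder: the command stays readable as a
# syntax reminder but is no longer a reusable secret.
scrub_inline_seeds() {
  sed -E '/ykman[[:space:]]+oath[[:space:]]+(accounts[[:space:]]+)?add/ s/(^|[[:space:]])[A-Z2-7]{16,}=*([[:space:]]|$)/\1<SEED-REDACTED>\2/g' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample history; the seeds are made-up base32 strings.
HIST_SAMPLE=$(mktemp)
cat > "$HIST_SAMPLE" <<'EOF'
ls -la ~/.ssh
ykman oath accounts add example-mail JBSWY3DPEHPK3PXPJBSWY3DP
ykman oath accounts list
ykman oath accounts add --touch example-bank GEZDGNBVGY3TQOJQGEZDGNBV
ykman oath accounts add example-git
EOF

echo "Leaking lines in $HIST_SAMPLE: $(count_inline_seeds "$HIST_SAMPLE")"
find_inline_seeds "$HIST_SAMPLE"

# Prevention for new credentials: omit the SECRET argument so ykman prompts for
# it, or prefix the command with a space under HISTCONTROL=ignorespace (bash)
# / setopt HIST_IGNORE_SPACE (zsh) so the line is never written to history.
```

Run `scrub_inline_seeds "$HOME/.bash_history"` (or your zsh history file) after reviewing the matches; the original file is overwritten, so check the output of `find_inline_seeds` first.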
@arichtman I set up @defguard, which gives me easy #wireguard #vpn and ssh key auth, with keys stored on and provisioned to #yubikeys from a nice UI.
If you've ever wondered about #passkeys and #yubikeys, this was a very in depth look.
https://www.yubico.com/blog/a-yubico-faq-about-passkeys/
I see lots of benefits, but also some risk. The rush to make logins easier seems to be lowering the security bar. Storing passkeys in #1Password makes me a bit nervous because it seems to rely on a single authentication. Just using a password out of 1PW still needed 2FA if I didn't mark the device trusted. For some services, I never store trust. 2FA always. #InfoSec