On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <war...@kumari.net> wrote:
> Well, yes and no. With a Yubikey the attacker has to be local to
> physically touch the button[0] - with just an SSH key, anyone who gets
> access to the machine can take my key and use it. This puts it in the
> "something you have" (not something you are) camp.

Hi Warren,

They're both "something you have" factors. The yubi key proves
possession better than the ssh key just like a long password proves
what-you-know better than a 4-digit PIN. But the ssh key and the yubi
key are still part of the same authentication factor.

> Not really -- if an attacker steals my laptop, they don't have the
> yubikey (unless I store it in the USB port).

You make a habit of removing your yubi key from the laptop when nature
calls? No you don't.

> If they *do* steal both,
> they can bruteforce the SSH passphrase, but after 5 tries of guessing
> the Yubikey PIN it self-destructs.

What yubikey are you talking about? I have a password protecting my
ssh key but the yubikeys I've used (including the FIPS version) spit
out a string of characters when you touch them. No pin.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/