> On Mar 23, 2020, at 17:24 , Warren Kumari <war...@kumari.net> wrote:
>
> On Mon, Mar 23, 2020 at 8:03 PM Owen DeLong <o...@delong.com <mailto:o...@delong.com>> wrote:
>>
>>> On Mar 23, 2020, at 16:50 , Warren Kumari <war...@kumari.net> wrote:
>>>
>>> On Mon, Mar 23, 2020 at 6:53 PM Sabri Berisha <sa...@cluecentral.net> wrote:
>>>>
>>>> Hi,
>>>>
>>>> In my experience, YubiKeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small Python script which was triggered by a hotkey on my MacBook to push "keyboard" input. They did this because the org they were working for would make you use YubiKey auth for pretty much everything, including updating a simple internal Jira ticket.
>>>
>>> By that argument, SecurID (and other LCD tokens) are also really insecure. When I worked at AOL we had to use them for almost everything - a bunch of people got together and put their SecurIDs in a grid under a webcam. That way they didn't need to carry them with them - when they needed a token they would open the webcam page, and know that theirs was third down, and fourth across….
>>
>> Not actually, no…
>>
>> SecurID and the others of its ilk have a safety feature in that the number doesn’t change that often.
>>
>> It turns out to be awkward and time-consuming to do what is being done with the YubiKey.
>
> Not if you run it in TOTP mode. Yubikeys support many options - if you choose to use a weak solution, well that's your choice...
> I guess you could ask them nicely to make a version without the features you don't want to use - or you could just not *use* the features you don't want to use….
>
I confess I haven’t investigated the implementation details, but is it possible for one to issue YubiKeys to an employee in a secure way with those features disabled? It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing that seems to me is the issue in this case.

>
>> I agree that this abuse of the YubiKey is more an issue of implementation than the inherent nature of the YubiKey, but the YubiKey does allow this kind of abuse in ways that other tokens don’t facilitate.
>
> That's like saying that cars are worse than bicycles, because cars allow you to drive into things at a more dangerous speed. I mean, yes, but ….

Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs. In this case, I’m not sure the YubiKey offers anything over the SecurID to balance that increased hazard.

Owen