On Mon, Mar 23, 2020 at 19:25 Owen DeLong <o...@delong.com> wrote:

> I confess I haven’t investigated the implementation details, but is it
> possible for one to issue YubiKeys to an employee in a secure way with
> those features disabled?
Yes. And changing that setup either requires a separate admin PIN or wiping the associated private key data to reconfigure. It depends on which application/mode. FIDO I believe is most inflexible here, as it can only be a short touch to activate. I don’t use the HID keyboard mode OTP keying app/feature, so I’m not terribly familiar with that. It might be that it can be configured/limited such that N in X seconds or a replug is required (to circumvent the timer), but I really do not know. If people are really curious I can grab a spare key and check. I use the CCID/smart card type modes. I do know that the touch OTP key feature requires wiping the associated private key data, or having it available to reprogram and change options. They’re a shared-secret mode, so the YubiKey authentication server has those private keys.

> It’s the allowing the employee to make a poor choice not necessarily
> desired by the employer thing that seems to me is the issue in this case.
>
> > > I agree that this abuse of the YubiKey is more an issue of implementation
> > > than the inherent nature of the YubiKey, but the YubiKey does allow this
> > > kind of abuse in ways that other tokens don’t facilitate.
>
> > That's like saying that cars are worse than bicycles, because cars
> > allow you to drive into things at a more dangerous speed. I mean, yes,
> > but ….
>
> Cars are more dangerous than bicycles, but everything is a matter of
> balancing tradeoffs.
>
> In this case, I’m not sure the YubiKey offers anything over the SecurID to
> balance that increased hazard.
>
> Owen

-- 
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
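A provisioning script for the issuing side, as an added example that is not part of the thread and not anyone's posted code: it drives the `ykman` CLI (yubikey-manager) so that touch is mandatory in a way the holder cannot relax without a secret the issuer keeps (the OpenPGP admin PIN, the PIV management key, or the configuration lock code). The ykman 4.x subcommands and flags used here are assumed from the tool's documentation, not from the message above; the `DRY_RUN` switch and all PIN, key and path values are constructed for illustration.

```shell
#!/bin/sh
# Added example: issue a YubiKey with touch policies the holder cannot undo.
# Assumes the `ykman` CLI (yubikey-manager 4.x); subcommand names and flags
# below are an assumption from its documentation, not from the thread.
# Set DRY_RUN=1 to print the ykman invocations instead of executing them,
# which is also how this script is exercised without a key plugged in.

YKMAN="${YKMAN:-ykman}"

# run_cmd: execute one ykman invocation, or print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# openpgp_lock_touch: require touch for sign/encrypt/auth and mark the policy
# "fixed", so it cannot be switched off again without resetting the OpenPGP
# application (which destroys the keys). Needs the admin PIN, which stays
# with the issuer, not the employee.
#   $1 = OpenPGP admin PIN (constructed value in the test)
openpgp_lock_touch() {
    admin_pin="$1"
    for slot in sig enc aut; do
        run_cmd "$YKMAN" openpgp keys set-touch --admin-pin "$admin_pin" --force "$slot" fixed
    done
}

# piv_generate_touch_key: in PIV the touch policy is bound to the key when it
# is generated, so a key generated with ALWAYS can only become touchless by
# being regenerated, i.e. destroyed. The management key authorises this.
#   $1 = management key (hex), $2 = slot (e.g. 9a), $3 = output public-key path
piv_generate_touch_key() {
    run_cmd "$YKMAN" piv keys generate --management-key "$1" \
        --pin-policy ONCE --touch-policy ALWAYS "$2" "$3"
}

# disable_otp_and_lock: switch off the keyboard-emulating OTP application on
# the USB interface and set a configuration lock code, so the holder cannot
# re-enable it with `ykman config usb --enable OTP` without that code.
#   $1 = 32-hex-char lock code (constructed value in the test)
disable_otp_and_lock() {
    run_cmd "$YKMAN" config usb --disable OTP --force
    run_cmd "$YKMAN" config set-lock-code --new-lock-code "$1"
}

# provision_issued_key: the full issuing sequence for one key.
#   $1 = OpenPGP admin PIN, $2 = PIV management key, $3 = lock code,
#   $4 = path to write the PIV authentication public key to
provision_issued_key() {
    openpgp_lock_touch "$1"
    piv_generate_touch_key "$2" 9a "$4"
    disable_otp_and_lock "$3"
}
```

Run with `DRY_RUN=1 sh provision.sh` (after appending a `provision_issued_key ...` call) to review the exact commands before touching a real key; `ykman info` and `ykman openpgp info` afterwards show the enabled applications and the touch policies. FIDO2/U2F needs no step here because, as the reply notes, it always requires a touch.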