How about a new technology I have heard about called sqrl. See https://sqrl.grc.com for more information. It overcomes a lot of the problems discussed here.
On Mon, 23 Mar 2020 22:22:18 -0400, Michael Loftis wrote:

> On Mon, Mar 23, 2020 at 20:08 Michael Loftis <mlof...@wgops.com> wrote:
>
> > On Mon, Mar 23, 2020 at 18:50 William Herrin <b...@herrin.us> wrote:
> >
> > > On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <war...@kumari.net> wrote:
> > > > Well, yes and no. With a Yubikey the attacker has to be local to
> > > > physically touch the button[0] - with just an SSH key, anyone who gets
> > > > access to the machine can take my key and use it. This puts it in the
> > > > "something you have" (not something you are) camp.
> > >
> > > Hi Warren,
> > >
> > > They're both "something you have" factors. The yubi key proves
> > > possession better than the ssh key just like a long password proves
> > > what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> > > key are still part of the same authentication factor.
> > >
> > > > Not really -- if an attacker steals my laptop, they don't have the
> > > > yubikey (unless I store it in the USB port).
> > >
> > > You make a habit of removing your yubi key from the laptop when nature
> > > calls? No you don't.
> > >
> > > > If they *do* steal both,
> > > > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> > > > the Yubikey PIN it self-destructs.
> > >
> > > What yubikey are you talking about? I have a password protecting my
> > > ssh key but the yubikeys I've used (including the FIPS version) spit
> > > out a string of characters when you touch them. No pin.
> >
> > The yubikey does many things depending on how it's configured. None of
> > mine use the touch to spit out OTP mode, that is the factory mode though
> > yes. Other modes can be password protected (it uses the PIN nomenclature
> > which is confusing, it definitely accepts ASCII and may even take binary
> > data as a PIN depending on mode of operation) - it can present as industry
> > standard smart card (I have one with a pin/password for code signing in
> > Visual Studio f/ex... along with a backup kept locked elsewhere)
>
> Replying to myself to clarify a bit... the PKI/SSL private keys are on the
> Yubikey, password protected, signing is accomplished by VS passing the bits
> to be signed to the smart card application on the yubikey, which requires a
> password to enable/unlock. On the yubikey, depending on configuration, this
> is a just-once operation typically. So each signing op requires a password
> entry. But it could be configured differently. By only keeping the private
> keys on the yubikey it's something you have (the yubikey) and something you
> know (the password)... the yubikey (barring software bugs obviously) will
> not expose the private key, it only does the signing op.
>
> That same yubikey has a separate app and trust store in OpenPGP mode, which
> does signing for ssh pubkey auth, with a different private key. Same key
> also does FIDO, another application with another key store.
>
> The same key doing all that could also have a "long touch" to spit out an
> OTP.
>
> > > Regards,
> > > Bill Herrin
> > >
> > > --
> > > William Herrin
> > > b...@herrin.us
> > > https://bill.herrin.us/
>
> --
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici wb2una
cov...@ccs.covici.com
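The distinction the thread keeps circling (an ssh key file that goes wherever the laptop goes versus a key held in the YubiKey's FIDO application, with or without the PIN) is visible on the server side of ssh. The following is an added example, not code from anyone on the thread: it audits an OpenSSH authorized_keys file for which kind of key each entry trusts. The sk-* key types and the verify-required option are OpenSSH's own names; the sample entries and their key blobs are constructed placeholders.

```python
import re

# Key types OpenSSH accepts in authorized_keys; the sk- forms are bound to a
# FIDO authenticator (a YubiKey in FIDO mode) and need a touch to sign.
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$")
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# A field runs to the next whitespace, except inside double quotes
# (options such as command="..." may contain spaces and commas).
FIELD_RE = re.compile(r'^(?:[^"\s]|"(?:\\.|[^"\\])*")+')
OPTION_RE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')

def parse_entry(line):
    """Return (options, key_type) for one entry, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    head = (FIELD_RE.match(line) or re.match(r"\S+", line)).group(0)
    if KEY_TYPE_RE.match(head):          # entry has no options field
        return [], head
    rest = line[len(head):].strip()
    return OPTION_RE.findall(head), rest.split(None, 1)[0]

def classify(line):
    """'software-key' (a file anyone with the disk can copy), 'hardware-key'
    (FIDO, touch needed) or 'hardware-key+pin' (sshd also demands the PIN)."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    opts, key_type = parsed
    if key_type not in SK_TYPES:
        return "software-key"
    # verify-required is the authorized_keys option (OpenSSH 8.3+) that makes
    # sshd insist the authenticator verified the user, i.e. a PIN was entered.
    return "hardware-key+pin" if "verify-required" in opts else "hardware-key"

def audit(text):
    """Classify every entry in the contents of an authorized_keys file."""
    return [(parse_entry(l)[1], classify(l)) for l in text.splitlines() if parse_entry(l)]

# Constructed sample file; the base64 blobs are placeholders, not real keys.
SAMPLE = """\
# alice's laptop key: a file on disk, copied along with the laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1PLACEHOLDER alice@yubikey
verify-required,command="echo hi, there" sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER bob@yubikey
"""
```

Running audit(SAMPLE) flags the first entry as a software key and only the last as one where sshd will insist on the PIN, which is the property Warren was after.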