On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote:
> On a lark, I purchased a Yubico FIDO U2F Security key.  It's an inexpensive 
> USB token that can be used for two-factor authentication for Gmail and 
> Facebook, among others.  I'd like to use it on my Qubes RC4 system.
> I've read the USB documentation, but thought I'd see if somebody else running 
> Qubes has managed to get this working as advertised on their system. The 
> current path that seems most promising is to bring up SYS-USB, but I have 
> some concerns about doing this since my keyboard and mouse are both USB 
> devices.
> Can anyone reply with a "hand waving" set of steps I should follow?  I would 
> greatly appreciate hearing your solution.

I did not yet get around to testing it out for locking down Qubes myself just 
yet, but there should be quite a lot of people who managed to. Consider that 
there are at least a good amount of people wanting this, and generally you see 
people posting about whether to do it or not (like your post), over people who 
somehow messed it up and are locked out of their system. 

From that, I'd deduce that it is probably safe. But you may want to do a backup 
first, at least of your most important AppVMs, just in case something should 
go south. You never know, whatever can go wrong, will eventually go wrong, as 
the saying goes.

Also for what purposes? LUKS disk decryption? Qubes password login/logout when 
inserting/retracting the YubiKey? Third-party services in AppVMs?

But having said that, I doubt it's a big issue, especially not if you back up 
first. Also from what I can read, your old password still works, in case the 
key isn't working anymore, or is lost/stolen. This isn't a measure against 
cracking, but a measure against people looking over a person's shoulder, or if 
sitting under a camera, stuff like that where the password can be stolen. 
Although of course, it can also serve as a means to memorize a crazy long 
strong password with high entropy, which makes cracking your drive even harder.

Whatever the case, you should probably have a means to remember a long random 
password with strong entropy, in case you lose your hardware key, for example 
write it on a piece of paper and hide it inside a wall (or something crazy like 
that). You can also back up the hardware key's seed, which is recommended in 
case you lose the key and need a new key with the same 2nd factoring credentials.

Essentially, it likely more boils down to how you handle your key, and how you 
prevent losing it, or exposing it to potential attackers in the physical 
world. Just search these Google mails, you probably won't find many having 
issues, and instead find people asking questions before they start using it.

