On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote: > On a lark, I purchased a Yubico FIDO U2F Security key. It's an inexpensive > USB token that can be used for two-factor authentication for Gmail and > Facebook, among others. I'd like to use it on my Qubes RC4 system. > > I've read the USB documentation, but thought I'd see if somebody else running > Qubes has managed to get this working as advertised on their system. The > current path that seems most promising is to bring up SYS-USB, but I have > some concerns about doing this since my keyboard and mouse are both usb > devices. > > Can anyone reply with a "hand waving" set of steps I should follow? I would > greatly appreciate hearing your solution.
I did not yet get around to testing it out for locking down Qubes my self just yet, but there should be quite a lot of people who managed to. Consider that there are at least a good amount of people wanting this, and generally you see people posting about whether to do it or not (like your post), over people who somehow messed it up and are locked out of their system. >From that, I'd deduce that it is probably safe. But you may want to do backup >first, at least of your most important AppVM's, just in case something should >go south. You never know, whatever can go wrong, will eventually go wrong, as >the saying goes. Also for what purposes? LUKS disk decryption? Qubes password login/logout when insert/retracting the Yubi-key? Third-party services in AppVM's? But having said that, I doubt it's a big issue, especially not if you backup first. Also from what I can read, your old password still works, in case the key isn't working anymore, or is lost/stolen. This isn't a measure against cracking, but a measure against people looking over a persons shoulder, or if sitting under a camera, stuff like that where the password can be stolen. Although of course, it can also servee as a means to memorize a crazy long strong password with high entropy, which makes cracking your drive even harder. Whatever the case, you should probably have a means to remember a long random password with strong entropy, in case you loose your hardware key, for example write it on a piece of paper and hide it inside a wall (or something crazy like that). You can alaos backup the hardware key's seed, which is recommended in case you loose the key and need a new key with same 2nd factoring credentials. Essentially, it likely more boils down to how you handle your key, and how you prevent loosing it, or exposing it to potential attackers in the physical world. Just search these google mails, you probably won't find many having issues, and instead find people asking questions before they start using it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f73f119e-24ca-4e16-a78d-0128c87ceddb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.