On Sunday, February 18, 2018 at 3:17:39 PM UTC-5, Yuraeitha wrote:
> On Sunday, February 18, 2018 at 3:51:00 AM UTC+1, William Bormann wrote:
> > On a lark, I purchased a Yubico FIDO U2F Security key. It's an inexpensive
> > USB token that can be used for two-factor authentication for Gmail and
> > Facebook, among others. I'd like to use it on my Qubes RC4 system.
> >
> > I've read the USB documentation, but thought I'd see if somebody else
> > running Qubes has managed to get this working as advertised on their
> > system. The current path that seems most promising is to bring up SYS-USB,
> > but I have some concerns about doing this since my keyboard and mouse are
> > both usb devices.
> >
> > Can anyone reply with a "hand waving" set of steps I should follow? I
> > would greatly appreciate hearing your solution.
>
> I did not yet get around to testing it out for locking down Qubes myself
> just yet, but there should be quite a lot of people who managed to. Consider
> that there are at least a good amount of people wanting this, and generally
> you see people posting about whether to do it or not (like your post), over
> people who somehow messed it up and are locked out of their system.
>
> From that, I'd deduce that it is probably safe. But you may want to do backup
> first, at least of your most important AppVMs, just in case something should
> go south. You never know, whatever can go wrong, will eventually go wrong, as
> the saying goes.
>
> Also for what purposes? LUKS disk decryption? Qubes password login/logout
> when insert/retracting the Yubi-key? Third-party services in AppVMs?
>
> But having said that, I doubt it's a big issue, especially not if you backup
> first. Also from what I can read, your old password still works, in case the
> key isn't working anymore, or is lost/stolen. This isn't a measure against
> cracking, but a measure against people looking over a person's shoulder, or if
> sitting under a camera, stuff like that where the password can be stolen.
> Although of course, it can also serve as a means to memorize a crazy long
> strong password with high entropy, which makes cracking your drive even
> harder.
>
> Whatever the case, you should probably have a means to remember a long random
> password with strong entropy, in case you lose your hardware key, for
> example write it on a piece of paper and hide it inside a wall (or something
> crazy like that). You can also backup the hardware key's seed, which is
> recommended in case you lose the key and need a new key with same 2nd
> factoring credentials.
>
> Essentially, it likely more boils down to how you handle your key, and how
> you prevent losing it, or exposing it to potential attackers in the physical
> world. Just search these google mails, you probably won't find many having
> issues, and instead find people asking questions before they start using it

I do not think he wants this for qubes luks login or even Qubes user login but for 2 factor auth pin such as google auth or better yet oathtool. This should be much easier.
