I don't see S/KEY style OTP lists as inherently bad. "It's how you do it" which concerns me, not that it is done.
-G

On Tue, Mar 24, 2020 at 9:33 AM Christopher Morrow <morrowc.li...@gmail.com> wrote:
>
> On Mon, Mar 23, 2020 at 7:00 PM Michael Thomas <m...@mtcc.com> wrote:
> >
> > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> >
> > Hi,
> >
> > In my experience, yubikeys are not very secure. I know of someone in my
> > team who would generate a few hundred tokens during a meeting and save the
> > output in a text file. Then they'd have a small python script which was
> > triggered by a hotkey on my macbook to push "keyboard" input. They did this
> > because the org they were working for would make you use yubikey auth for
> > pretty much everything, including updating a simple internal Jira ticket.
> >
> > this is not: "yubikey is bad" as much as: "The user using the yubikey is bad"
>
> Admittedly perhaps: "every time new token" sucks, and that's what (I
> think Michael Thomas is saying below), but certainly the yubikey could
> have been used for TOTP instead of HOTP and the user in question would
> have been out of luck, right? :)
>
> Almost all security 'features' are a trade-off between: "get stuff
> done" and "get stuff done with an extra hop", making the 'extra hop'
> as simple and natural as possible makes people less likely to do dumb
> things like:
> 1) pregen a crapload of tokens, store them on their probably
> compromised laptop...
> 2) aim a webcam at their rsa token and watch the change remotely
> 3) hot-dog and sipping-bird toy to touch the thingy on their yubikey
> token every X seconds...
>
> >
> > One of the things that got lost in the Webauthn stuff is that passwords per
> > se are not bad. It's passwords being sent over the wire. In combination
> > with reuse, that is the actual problem. Webauthn supposedly allows use of
> > passwords to unlock a local credential store, but it is so heavily focused
> > on dongles that it's really hard to figure out for a normal website that just
> > wants to get rid of the burden of remote passwords.
> >
> > Mike