Yubico Forum

Request for proposal, suggestions and good ideas. • [Community] - Forum going read only. New KDB on its way.

2018-01-30T09:26:55+01:00

For the security and experience of our user community, we have decided to set the forum as read-only and wipe all user account information. All historical posts and announcements will be archived and remain publicly searchable.

In 2018, we will be publishing a searchable knowledge-base system that allows the community to provide direct feedback on articles and make suggestions that will be reviewed by Yubico staff. We sincerely appreciate the participation of our user forum over the years and hope to continue serving your for years to come.

Statistics: Posted by Tom2 — Tue Jan 30, 2018 9:26 am

Request for proposal, suggestions and good ideas. • Ability to configure the USB enumeration order

2017-10-02T13:21:30+01:00

Would be good to be able to configure USB enumeration order.
So it for example sends the CCID descriptor or U2F descriptor first, before sending the OTP HID device.

To reproduct the problem, try downloading the following app:
https://play.google.com/store/apps/deta ... yzer&hl=sv

Connect the Yubi with a OTG adapter or in a android device with a USB-A/USB-C port.

If you then have OTP+CCID+U2F, or CCID+OTP, or CCID+U2F configured, it won't work.
Because its apparently trying to send CCID data to the OTP/U2F device.

But if you disable OTP and U2F in Yubikey Manager, it will work with CCID.
Which tells us that if the CCID could be sent first, it would always work.

Best would be to have in the YK manager, a dropdown for each function, so you can select "First, Second, Third, Disabled" for each function. (And of course validation so you cannot select First/Second/Third for more than one function each)

Statistics: Posted by sebastiannielsen — Mon Oct 02, 2017 1:21 pm

Request for proposal, suggestions and good ideas. • Please allow to un-remember password in Yubico Authenticator

2017-09-27T14:03:41+01:00

I set it to remember my password and nothing I did would make it forget, so that I would be secure again. Every time I would plug it in at work all my OTP's for my various services were all right there, yet the password was asked for on other computers. In the end I resorted to scouring the system. app data local, roaming, program data, temp, registry etc. Turns out it is a registry entry. It was a major pain which took 15 minutes of my day to figure out how to techie my way into getting it to forget my password.

Please fix this, this should have been thought out prior to release.

Statistics: Posted by techwg — Wed Sep 27, 2017 2:03 pm

Request for proposal, suggestions and good ideas. • Re: FIDO U2F Security Key with NFC

2017-09-09T01:00:06+01:00

no current plans

Statistics: Posted by ChrisHalos — Sat Sep 09, 2017 1:00 am

Request for proposal, suggestions and good ideas. • FIDO U2F Security Key with NFC

2017-09-07T17:36:05+01:00

Hello

I've got idea for new Yubikey hardware. Blue FIDO U2F Security Key with added NFC.
When someone need U2F with NFC they're need to buy expensive Yubikey NEO. What about new blue Yubikey with NFC? For examle for 25$?

Have you got any plan Yubico?

Statistics: Posted by rmeka — Thu Sep 07, 2017 5:36 pm

Request for proposal, suggestions and good ideas. • Re: Improve documentation

2017-08-15T22:24:49+01:00

This thread is worthy of a bump; getting a self-hosted OTP validation server working in a test environment has been challenging, because the Yubico documentation for the various services isn't linked together properly, or for example, recommends the use of a YubiHSM at the start of a document, and then proceeds to setup an environment *without a YubiHSM*...

https://developers.yubico.com/OTP/Guide ... ation.html

"You can optionally use a YubiHSM USB device to keep these secret values secure, even in the event of a KSM server becoming compromised. Due to the increased safety gained by using a YubiHSM, this is the approach we recommend."

"Now, as we will not be using a YubiHSM for in this guide, we need to create a master key for encrypting Now we need to create a master key for decrypting Yubico OTP secrets with, and since we will not be using a YubiHSM in this guide, we do so by creating a plaintext file:" (plus typo: 'encrypting Now we need to')

Argh.

Another one might be the pam_yubico man page; further syntax examples of some of the attributes would be useful, especially when dealing with LDAP lookups. yubi_attr, yubi_attr_prefix come to mind.

https://developers.yubico.com/yubico-pa ... ico.8.html

A sample attribute definition / objectClass might also be handy. This person has published one that seems reasonable, but what does Yubico recommend these days?

http://logix.cz/michal/devel/yubikey-ldap/

I wonder if converting the Yubico documentation to a wiki format would be useful, so folks could at least document success / failure somewhere useful?

Statistics: Posted by rgiles — Tue Aug 15, 2017 10:24 pm

Request for proposal, suggestions and good ideas. • Re: SUGGESTION: provide means for immediate destruction

2017-07-16T09:40:01+01:00

Standing in line to yet another not-always-friendly border control I thought I'd go after a separate mini device for wiping my yubikey. Imagine a little half-a-match-box-size dongle with sort of power source (battery, high voltage condenser etc.) and a control (button, dial, biometrics?) with USB port or full youbikey body enclosure. think about it as electroshocker for youbikey (and many other dongles too I guess)

When I expect threat level escalation, I can place my key into such box in advance. Under certain conditions I'll be able to burn the keys. I'm sure if well engineered, it can be very miniature and handy. It can be equipped with all sorts of controls like well crafted button, biomentrics, PIN entry pad, etc. etc. It could lock youbikey inside (requires full body insertion) and release it after right PIN is dialed. After a couple of failed attempts, or upon a under-pressure PIN, or after certain time elapsed, it would burn the key. Plenty of scenarios... Not ideal of cause, but better than nothing.

Again, it's a separate accessory, not a new battery and button embedded youbikey. It's probably not for every-day carry in a pocket. Depending on individual paranoia level, it can rest in an office desk, in every-day back pack, or thrown into a suite case until international traveling.

Does anyone know if such thing exists and can be purchased? May be Yubico would find it commercially feasible to design and start selling this accessory? If not, I think I'll go to my old garage and assemble one... so any comments would be appreciated

Cheers!

Statistics: Posted by owl — Sun Jul 16, 2017 9:40 am

Request for proposal, suggestions and good ideas. • Re: New User Experience: Consolidate Information and Utiliti

2017-04-29T23:04:53+01:00

Thanks, I'm glad to read that you are committed to improving your customer experience. I have two more minor suggestions and a couple of technical concerns regarding your forum. I hope you find this information useful:

My suggestions are:

Please consider adding a link to the forum in your main website's "Support" drop-down menu. Currently, the only way I have found to access this forum is scrolling all the way to the bottom of a given page on the main site and clicking the small font link in the page footer. Perhaps this forum is not intended for customer support but I suspect that many people would find answers here, and it could only serve to decrease your workload and develop the Yubico community.
I realise this may be inconvenient but it would be very useful if forum users had a more organised list of threads they have viewed, authored, or participated in. Currently, the only such list I have found is the "manage subscriptions" list, which is not subdivided in any apparent way.

My technical concerns are:

My browser seems to log out my account with a very aggressive timeout. I have not found any way to change this setting without selecting the option to "log me on automatically".
It is unclear whether the option to "hide my online status for this session" applies to all future sessions when logged in automatically. I prefer to hide this sort of information, but it is a terrible nuisance to keep logging in every two minutes.

No need to reply, please just consider this customer feedback.

Statistics: Posted by PenguinGuru — Sat Apr 29, 2017 11:04 pm

Request for proposal, suggestions and good ideas. • PIV Certificate Renewal Process

2017-04-22T18:46:43+01:00

The YubiKey PIV currently does not support self-service renewal of existing certificates against a Windows Server CA (signing the request with the old certificate). This makes the PIV functionality hardly usable in corporate environments, e.g. for smart card logon.
Although the built-in Windows GUI (certmgr.msc) has this functionality, it sees YubiKey PIV as read-only, so this functionality cannot be used.

Statistics: Posted by michaelg — Sat Apr 22, 2017 6:46 pm

Request for proposal, suggestions and good ideas. • Key Attestation and Microsoft CA

2017-04-22T17:02:44+01:00

Has anyone tested the PIV key attestation with Windows Server CA? Is this scenario supported or is it at least on the roadmap?

I imported the respective certificates to the "Endorsement Key Intermediate Certification Authorities" and "Endorsement Key Trusted Root Certification Authorities" certificate stores and created a certificate template that requires hardware certificate key attestation, but it did not work for me when I tried to submit a request through the YubiKey PIV Manager.

Thanks.

Statistics: Posted by michaelg — Sat Apr 22, 2017 5:02 pm

Request for proposal, suggestions and good ideas. • Re: How can you genarate OTPs offline by YubiKey in Debian?

2017-04-21T22:02:17+01:00

OATH-HOTP is counter based and can be programmed in the slots used with button press
https://www.yubico.com/products/service ... ools/oath/
https://www.yubico.com/wp-content/uploa ... H-HOTP.pdf

OATH-TOTP is time-based and requires a companion app to calculate the codes (Yubico Authenticator)
https://www.yubico.com/wp-content/uploa ... tor_en.pdf

Yubico OTP is based on multiple sources (including two internal two counters), but requires connection to the YubiCloud to verify
https://developers.yubico.com/OTP/OTPs_Explained.html

OpenID is also supported
https://openid.yubico.com/server.php

Full list of what the YubiKey supports:
-Yubico OTP
-U2F
-HMAC-SHA1 Challenge-Response
-OATH-TOTP
-OATH-HOTP
-PIV
-OpenPGP
-Static Password

Statistics: Posted by ChrisHalos — Fri Apr 21, 2017 10:02 pm

Request for proposal, suggestions and good ideas. • How can you genarate OTPs offline by YubiKey in Debian?

2017-04-21T20:37:54+01:00

I want to genarate OTPs by YubiKey. I am not sure which type of OTP is supported in Linux. I would like to have some strong simple method, so time-based would be great but, according to the following thread not sensible with YubiKey because there is no clock in YubiKey. However, the argument does not sound so valid for me. The Yubico support states that sequence-based OTPs are not possible, without providing an argument (ticket #00019568). Summary of OTP types

- time-based (TOTP) - no clock in YubiKey so should not be possible
- sequence-based OTP - not possible according to Yubico support

Security keys: YubiKey 4, YubiKey Neo
OS: Linux Debian 8.7
Hardware: Asus Zenbook UX303UB
Related thread: How to generate OTP codes offline by Security Key in Debian?

Statistics: Posted by leoleopold — Fri Apr 21, 2017 8:37 pm

Request for proposal, suggestions and good ideas. • Credit Cards?

2017-03-25T15:10:07+01:00

Team Yubico,

I suggest that you approach a major credit card vendor and propose the following:

1. Integrate the Yubico key with their online system. Should be similar to Gmail.
2. Market the card to tech people with a promotion: free Yubico key if certain conditions are met.

Right now, although some banks are FIDO members, no one is using their Yubikeys to log into their bank accounts.

If you want more users to adopt, you need to get more banks involved.

Statistics: Posted by bannon — Sat Mar 25, 2017 3:10 pm

Request for proposal, suggestions and good ideas. • Re: New User Experience: Consolidate Information and Utiliti

2017-03-06T14:45:52+01:00

Thank you for your feedback, we'll pass it through.

Statistics: Posted by Tom2 — Mon Mar 06, 2017 2:45 pm

Request for proposal, suggestions and good ideas. • New User Experience: Consolidate Information and Utilities

2017-02-28T17:38:38+01:00

I'm sure this has been considered before but I just wanted to put my thoughts out and try to improve the user experience.

I bought a Neo some time ago and it has taken me quite a while to figure out how my Neo works and become comfortable using it. This is largely because I just wasn't familiar with the technology when I first bought it, but the administration workflow could definitely be improved without compromising any other interests. I configured my key on Windows with GUI but I assume (read "hope") the utilities are the same, or at least similar, on other platforms and that configuration is fully script-able from CLI.

Three problems:

I think that the administration logic for the Yubikey Neo might actually be fairly intuitive for people who are already familiar with the technology and security concepts but I was not one of those people. After reading through the "start" page, skimming my product's user manual, and reading at least a dozen tutorials and descriptions for specific use cases, I was still finding new information about my product. How the slots work, the different modes, the relationship between PIV and CCID, how NFC works, radius integration, etc... It seems as though all of this information is organised into a few logical groups, like the site's "developers" section as contrasted to the "knowledge base" articles. I had to read through practically everything just to figure out how the Yubikey works in general. This isn't a huge problem but something to be aware of as more information is added and the website expands. I didn't even know there was a user manual until I spent days looking through old knowledge base articles...
The main problem I encountered was actually what cleared everything up for me-- the software utilities. Looking through the software interfaces really helped solidify the information for me, like a hands-on tutorial, but this was at least a week after I actually got my Yubikey. Admittedly, I didn't have a whole lot of time to figure things out but the problem is that I couldn't find all of the software! Currently, I have installed the following...
- YubiKey Manager 0.3.0
- YubiKey Personalization GUI 3.1.24
- YubiOath Desktop 3.1.0
- YubiKey PIV Manager 1.4.1
- Gpg4win 2.3.3
I know there is more software that I either could not find or did not need. I am not sure that I have the most recent versions of any of the Yubico software. All of this software came from different places (i.e. the links were on unrelated pages) and I learned that it existed from different places (mostly knowledge base articles, developer section info, and third-party blogs) while trying to figure everything out. This is obviously a mess. I do appreciate the modular nature of having separate applications/utilities but there should be a central registry so people know (1) what's available, (2) what versions they should be using, (3) what the signatures/checksums should be, and (4) what exactly these programs can/cannot do.
The logic inside of these programs is also problematic. They are quite simple and seem to include all the appropriate features but I believe there are two specific problems in terms of user experience:
- The programs don't explain the settings well enough for those of us who aren't security experts. The tutorials on the Yubico website are nice and clear so this is probably fine for now but please consider adding tool-tips or a thin element at the bottom of the GUI to display tool info on cursor hover. There are currently informational buttons (only) in the Personalization Tool but they do not provide enough information to explain the significance of their subjects, they seem to be more targeted toward explaining the specific cryptographic capabilities of the YubiKey. I definitely recommend expanding this information to account for less technical users since it wouldn't be difficult and it wouldn't get in the way. Put the short, technical description up front and then begin a more general description for users like myself. People who understand the basics wouldn't need to read it.
- Some of the programs allow for passwords, PIN, and PUK, as well as management credentials. I have figured out what all of these do and how they differ but it is very unintuitive to new users. Some of these fields do not give any explanation and require web research, many of these fields only apply within the scope of their specific software utility and have no relation to the YubiKey itself or any of the other utility programs. This was not a problem for me but it could easily cause problems for users who do not take the time to read everything carefully and document their configurations thoroughly. I imagine the current state of a result of software being added to support new features, which might not be available on all YubiKey models. Again, simple tool-tips or informational buttons would definitely improve the situation.

Again, this was just my experience but I hope my feedback is useful. I would like to see Yubico expand and proliferate secure computing across the consumer and small business markets. Questions and comments welcome.

Statistics: Posted by PenguinGuru — Tue Feb 28, 2017 5:38 pm