Re: Could a stolen Yubikey be used to emit a static passcode

2016-04-29T00:25:06+01:00

The button on the YubiKey is a capacitive touch sensor, not a biometric, so yes, anyone with physical possession of the YubiKey can use the Slot 1 / Slot 2 credentials. This is why we recommend, if you are going to use a static password, to have the YubiKey only provide part of the password (i.e. type in a short password, followed by using the YubiKey to send the remainder of the password).

If you lose your YubiKey and someone finds it, they aren't going to know what the credential goes to, as there is no identifiable information on it. The only part of the YubiKey that requires validation before being able to use a credential is the OATH applet (although a password isn't required here), PIV, and OpenPGP.

Statistics: Posted by ChrisHalos — Fri Apr 29, 2016 12:25 am

Could a stolen Yubikey be used to emit a static passcode?

2016-04-28T03:29:56+01:00

So I setup my Windows 10 Pro computer with Bitlocker according to this: viewtopic.php?f=16&t=1054&p=8575#p8575

It took me a while, but I realized what it was wanting me to do is program a regular password into the Yubikey so it will type in that password whenever I press the button.

But if my Yubikey were stolen, wouldn't the hacker know the password? Seems like very low security

Statistics: Posted by genealogyxie — Thu Apr 28, 2016 3:29 am

Yubico Forum

Re: Could a stolen Yubikey be used to emit a static passcode

Could a stolen Yubikey be used to emit a static passcode?