Yubico Forum

Re: [Q?] Using CAPTCHA to protect yubico.com website?

2016-07-05T19:51:50+01:00

Yes, I see that in this instance there is a bootstrap problem with using OTP for captcha.

Also, after the AES key is replaced with a non-factory one, presumably Yubico can no longer vouch that the OTPs were made by hardware? And therefore it's open to flooding from multiple ids, in software.

On U2F, I wondered if it is better value for captcha. Older keys don't have it, so maybe it's not good for OTP AES key replacement. But it can be verified as hardware even by third parties, so maybe it's useful for blog posts?

ChrisHalos wrote:

For some reason, a decent amount of customers receive their YubiKey and decide it's a good idea to wipe the default credential in slot 1 and

If I were doing that, it could be either ineptness or some ill-defined fear of other people's secrets. Or I just needed two slots for a while..? (I'm n00b)

Statistics: Posted by colliewob — Tue Jul 05, 2016 7:51 pm

Re: [Q?] Using CAPTCHA to protect yubico.com website?

2016-07-05T16:06:32+01:00

The AES key upload is only for the Yubico OTP credential you're programming - nothing else. It has nothing to do with U2F.

The CAPTCHA is there because we can't require a Yubico OTP there - since this page is used for uploading the Yubico OTP credential that was just programmed, the service has no knowledge of your credential.

For some reason, a decent amount of customers receive their YubiKey and decide it's a good idea to wipe the default credential in slot 1 and generate a new one (in this use case, the OTP credential has been deleted, so there is no way we could require an OTP here).

Statistics: Posted by ChrisHalos — Tue Jul 05, 2016 4:06 pm

[Q?] Using CAPTCHA to protect yubico.com website?

2016-07-04T20:55:34+01:00

While reading http://www.yubico.com/wp-content/upload ... ide_en.pdf I saw

Quote:

9 b. In the Yubico AES Key Upload window, compare YubiKey prefix with the results from the text editor.
Type the CAPTCHA, and click Upload AES key

I guess the captcha is preventing some service abuse or overload, but... isn't an OTP stronger protection?

Hence a suggestion: a useful captcha-like service asserting that OTP key $foo has issued no more than $n tokens in the last $t hours.

Maybe I have 500 keys on a carousel doing a plug, dab and move cycle... but this limited resource doesn't look farmable or botnettable.

If the assertion service was rogue, it would have a stream of fresh OTPs it could try elsewhere. How big is the risk to the key owner here?

Have I misunderstood the need for registering the key before use? Does attestation (hence u2f not otp) help here? Can the service usefully use one u2f keyhandle against many not previously registered keys?

Statistics: Posted by colliewob — Mon Jul 04, 2016 8:55 pm