Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Oct 17, 2017 12:27 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Thu Jan 08, 2009 5:04 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Posting on the behalf of Vlastimil Ovčáčík:

Hello,

I would like to use Yubikey to encrypt/decrypt my saved passwords in Firefox 3.0 or higher. The passwords are protected by Master password. I know that Yubikey itself cannot provide the Master password, but Yubikey could authenticate me (me as possible Yubikey holder) on a server - and the server will provide the Master password...

Use case:
    a) there is a user who have yubikey, user has Firefox 3.0, Firefox has installed extension (client), on the internet is a server
    b) user starts Firefox and he wants to use one of the encrypted password saved in Firefox
    (note: to decrypt the password we need Master password, the Master password will be provided by server)
    c) the extension will ask user to provide OTP (by using yubikey)
    d) the extension will send OTP to server (HTTPS)
    e) server contacts Yubico Authentication Server (sends OTP)
    f) Yubico Authentication Server send to server user ID and confirmation of OTP, otherwise (bad OTP) the process ends
    g) server according to user ID and confirmation of OTP will send appropriate Master password to the extension (Firefox) (HTTPS)
    h) extension now can decrypt saved passwords in Firefox 3.0

The Firefox extension implementation:
    1) The extension can be implemented as whole new Password manager (see this) or
    2) just use API of standard Password manager.

Server implementation:
The server just have to securely store Master password and provide appropriate Master password to authenticated user.
    1) Maybe an OpenID server with yubikey authentication or
    2) Something like OpenSSO with yubikey authentication or
    3) Whole new implementation for this special purpose.

As you see I am not expert :-). I am looking forward for your comments. I would be very happy if we would find a secure way and at least thus flexible solution for storing passwords in Firefox. I believe that not only for me this would be killer app for Yubikey.

Regards
Vlastimil Ovčáčík


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jan 08, 2009 5:05 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thanks for posting this brilliant idea! The use case provided by you is excellent. YubiKey authentication can be implemented in Firefox password manager to provide master password as proposed by you.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 16, 2009 4:49 pm 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
I really like the idea.

If you want to strengthen this, you could ask the user to provide a local password as well, and the "password" recieved from the server would have to be decrypted using this password before being usable as the "master password" for the password store. This way, not even the server will know your "master password", which seems like a security advantage. Of course, users that don't want to remember a password can simply rely on the yubikey OTP. It would be the user's choice. Thoughts?

Thanks,
Simon


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 10:55 pm 
Offline

Joined: Mon Aug 09, 2010 10:05 pm
Posts: 1
Is someone making this? is there a project in progress for this?


Top
 Profile  
Reply with quote  
PostPosted: Wed Mar 30, 2011 9:24 am 
Offline

Joined: Wed Mar 30, 2011 9:22 am
Posts: 1
It's Firefox 4 now...
Iwould really like to use Yubikey for the FF Master password. Is there any progress?


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 04, 2016 3:30 pm 
Offline
User avatar

Joined: Fri Aug 08, 2014 7:11 pm
Posts: 24
(And Firefox 40+ now...)

How strange that this was not seen as a huge publicity possibility by the Yubico marketeers long ago.
Yubico should maintain such an addon themselves, one for each main browser.

Every IT media in the world would write about it regularly for free.
Wonder how that would affect sales...

From my perspective, I would want an add-on that woul require the presence of a Yubikey configured with Challenge-Response mode in addition to the normal master password, with the possibility to register more than one Yubikey for the Challenge-Response check, so that if one is lost or unavailable, one can use another with no extra effort. (And because of the increased security, we would have yet another reason to buy extra, spare Yubikeys just to secure access to the password archive...)

_________________
Regards,
Nomadus


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 12, 2016 9:28 am 
Offline
User avatar

Joined: Fri Aug 08, 2014 7:11 pm
Posts: 24
I still think this would be incredibly useful - to protect our password archives.

_________________
Regards,
Nomadus


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group