Yubico Forum

All times are UTC + 1 hour




Posted: Wed Mar 11, 2009 2:31 pm
Site Admin
Another "silent" feature of the Yubikey is the ability to "double-click" CapsLock, ScrollLock and NumLock keys to trigger the release of an OTP. It was introduced in an early stage where we thought that we could have a Yubikey without a button - known as "Yubikey Basic".

The function relies on monitoring the status LED output reports. If two reports are received within 0.8 seconds where the LED status flips, the OTP is triggered.

A caveat is of course that this in theory allows a Trojan to trigger the release of an OTP. If this is a real risk it is up to everyone to judge.


The default setting for this feature is OFF, so I believe most people haven't tried it.

What do you think - shall we keep this function as is or shall we drop it?

Regards,

JakobE
Hardware- and firmware guy @ Yubico
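
The trigger rule described in the post above, modelled as an added example (not part of the original post and not Yubico firmware code): it replays timestamped keyboard LED output reports and returns the times at which the rule would fire, which is one way to audit captured HID traffic for lock-LED toggles that no user typed. The bit layout is the standard HID keyboard LED report; treating any lock-LED change as a "flip", the inclusive 0.8 s comparison, and the reset after a trigger are assumptions.

```python
from typing import Iterable, List, Tuple

# Standard HID keyboard LED output report bits.
NUM_LOCK, CAPS_LOCK, SCROLL_LOCK = 0x01, 0x02, 0x04
LOCK_MASK = NUM_LOCK | CAPS_LOCK | SCROLL_LOCK
WINDOW_S = 0.8  # interval stated in the post


def find_triggers(reports: Iterable[Tuple[float, int]],
                  initial_leds: int = 0,
                  window: float = WINDOW_S) -> List[float]:
    """Return the timestamps at which the described rule would fire.

    reports: (timestamp_seconds, led_bitmask) pairs in time order.
    Assumptions (not stated in the post): a flip is any change in the
    three lock-LED bits, the window is inclusive, and a trigger consumes
    both flips so a third rapid flip starts a new pair.
    """
    triggers: List[float] = []
    prev = initial_leds & LOCK_MASK
    last_flip = None
    for ts, leds in reports:
        leds &= LOCK_MASK          # ignore non-lock LEDs (Compose, Kana)
        if leds == prev:
            continue               # repeated report, status did not flip
        prev = leds
        if last_flip is not None and ts - last_flip <= window:
            triggers.append(ts)    # second flip inside the window
            last_flip = None
        else:
            last_flip = ts         # first flip of a possible pair
    return triggers


# Constructed sample capture: (seconds, LED bitmask).
SAMPLE = [
    (10.0, CAPS_LOCK), (10.3, 0),                     # double toggle in 0.3 s
    (20.0, CAPS_LOCK), (21.5, 0),                     # 1.5 s apart, too slow
    (40.0, CAPS_LOCK), (40.1, CAPS_LOCK), (40.2, 0),  # duplicate report between
    (50.0, NUM_LOCK), (50.2, 0), (50.4, NUM_LOCK),    # three rapid flips
]

if __name__ == "__main__":
    for ts in find_triggers(SAMPLE):
        print(f"rule would fire at t={ts:.1f}s")
```

Correlating these timestamps with actual key-press events from the same capture separates a user's double-tap from LED reports generated by software.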


Posted: Wed Mar 11, 2009 6:53 pm
JakobE wrote:
A caveat is of course that this in theory allows a Trojan to trigger the release of an OTP. If this is a real risk it is up to everyone to judge.


I think this should be off by default -- I don't want a trojan to be able to use my Yubikey.
Still, it's a nice feature: it could be used as a dongle for providing a license for an application. In that case the vendor of the product would reprogram the Yubikey to have that option enabled and send the key to the customer. The application can then be downloaded from the internet and, when running, it would automatically test that the "license dongle" is attached.


Posted: Wed Mar 11, 2009 7:26 pm
I second that; it's not something I would use, so I would hope for it to be off by default. But I am sure someone would be willing to trade a little security for convenience.


Posted: Wed Mar 11, 2009 11:50 pm
I too would vote for keeping this option but leaving it OFF by default. I would very likely--on occasion--trade convenience for the increase in risk.


Posted: Fri Mar 13, 2009 1:30 am
I, too, would favor leaving the feature and having it off by default with the assumption that this would require the programming password to turn it on. Which, BTW, would suggest that the ability to turn it on and off should be added to the personalization tool.

Dick


Posted: Wed Mar 25, 2009 4:50 am
Dick wrote:
I, too, would favor leaving the feature and having it off by default with the assumption that this would require the programming password to turn it on. Which, BTW, would suggest that the ability to turn it on and off should be added to the personalization tool.


I agree.
Keep it, have it turned off, and put an on/off toggle for it in the personalization software.

