Yubico Forum

After reading the post "http://forum.yubico.com/viewtopic.php?f=4&t=601&p=2459" I decided to purchase a swekey to evaluate it.

It was quite a good surprise, and I found a lot of good ideas in the product. I hope Yubico will be able to implement those features...


Shipping:

Shipping is fast and free.
I paid 5 Euros for Yubikey shipping while they used a £ 0.6 stamp to send it


Cost:

The swekey is shipped at $20 including shipping, the Yubikey costed me $30


Hardware:

The Yubikey's hardware looks far better than the Swekey's.
I really love the thin design of the Yubikey, the Swekey still use the classical USB port.


Installation:

No Installation required for the Ybikey.
Swekey's installation is automated under windows but you need to download an installer for mac and linux.


Usage:

No need to push a button to logon, the key is recognized and the OTP is generated transparently (++)
When you unplugged your swekey you are automatically logged out (++)


Lost Key:

Losing a Yubikey is a real pain.
You can purchase a backup swekey to replace immediately a lost swekey.
Once replaced the origial swekey becone unusable (I didn't try the feature to avoid destroying my original swekey)


I'm at home and I forgot my Key at the office:

No support for Yubikey
You can disable a swekey. Then it wont be required by most sites (unless the site has a very high security level).
Once plugged the swekey is automatically reactivated


Security:

You can generate a lot of Yubikey OTPs in a text file then use them later doing copy/paste.
This can be considered unsafe since you can login without the Yubikey plugged in your computer.
Swekey works in challenge/response mode, so a generated OTP can never be reused.


Security:

You can generate a lot of Yubikey OTPs in a text file then use them later doing copy/paste.
This can be considered unsafe since you can login without the Yubikey plugged in your computer.
Swekey works in challenge/response mode, so a generated OTP can never be reused.
The Yubikey does not protect you against 'man in the middle/phishing' attacks, the swekey does because its OTP is calculated using the hostname of the remote site.
Of course this protection is usefull only using https sites.


Misc features:

As a corporate we planned to use the Yubico to protect our intranet. The swekey can let you choose to open your intranet webpage as soon as you plug it (The feature did not work for Linux)

The price difference is negligible.

I agree that the flat moulded plastic/resin sheet idea, while nifty, has downsides. For example, I can not insert my Yubikey into my laptop's USB ports without two adjacent free slots. I like the Goldkey form-factor, with the entire device the dimensions of an elongated USB plug.

As for losing your Yubikey, it is fully possible to purchase two and use one as a backup. (You can disable a Yubikey by removing its credentials from your account; now the Yubikey is non-functional without being re-configured.)

Using OTPs in a text file is great, unless you want to both use the physical device and the pre-generated keys, which you can't do due to replay prevention. Once a Yubikey OTP is used, it can not be used again, either. (And invalidates all prior OTPs generated with that key, thus the plain text file full of OTPs isn't actually that useful).

Nothing protects you from man-in-the-middle attacks except understanding SSL/TLS and checking the certificates of the sites you visit. Using the "host name" of the remote site is pointless and easily faked in a similar way to how I can send e-mail as Bill Gates if I wanted to. (Infosec is one of my many hats; becoming a passive MITM sniffing all data on an entire network required three simple commands in a BASH prompt.)

Note there is a lot of software available (under many operating systems) for free that is able to detect USB device connection/disconnection and perform actions based on those actions. HAL under Linux can do it, as an example; you just need to understand and configure the right things. Opening an intranet page when a USB device is inserted is flashy, but silly. An intranet should open when the browser is started, period. Locking my workstation when I remove my Yubikey seems a far more practical use of device detection.

_________________
— Alice Bevan-McGregor, Systems Administrator, Top Floor Computer Systems Ltd.