Yubico Forum

Hi all.
First, I have to say this is one of the best products I have ever used.

Second, my question. I don't know how really to ask it, so I will rather be explaining it by example.

Let's say I got 2 or 3 YubiKeys and I use the kg for passwords.
Is it possible for them to use the same kg account?
Example, I add passwords to the kg account, and it can be used with the other 1 or 2 yubikeys?

Thanks.

Generally speaking, it is up to the service that you are using yuor Yubikey with to handle dealing with lost keys, some may do it and others may not.

For KeyGenius, you currently can't have more than one key per account. You can however change which Yubikey you use to access it. This can be done even if you lose your Yubikey, as long as you are using the new two factor authentication for KeyGenius (Accounts). KeyGenius uses the other form of authentication (password) combined with an email confirmation to accomodate this.

I need it for keygenius.
And don't mean to change keys
Maybe this can be done in future, I personally need this option and find it useful (don't know if others agree) since for websites where you will need to keep your colleagues with the latest password to access some service (and you change it pretty much often).

I was going to ask about the multiple yubikey question and thought I'd check here first.

Couldn't I use the export to csv function and then import the information to a new account with a different Yubikey. This would not be as convienient as multiple keys since every time you add a new site you'd have to add it to the other account or accounts, but appears to be a workaround.

Would this work and what are the security risks?

Thank
j30sailor

Multiple Yubikeys per account does seem like a good feature for KeyGenius, so I'll see about adding it in the future.

You could definitely export passwords to CSV and import them under another KeyGenius Account, and share them that way. The problem, as you correctly identified, is that you would have to keep all the accounts in sync when adding or changing passwords. As far as I can tell there are no added security risks, other than the obvious one: The security now depends on several people instead of just one.

Good point, would love to see multiple support.

My issue is to make sure I have the Yubikey with me. One on my keychain, one in my home machine which is physically secure.

Also see it as a great way to prevent changing passwords. Disable one Yubikey and keep using the other if you lose one.

j30sailor

Just got a used yubikey from ebay for $5! Curious to try it out because of all the marketing buzz generated around it. Check if it can replace SecurID in my intranet deployment and do more.

But after trying it for a week, I am disappointed. Almost all the services/apps claiming supporting yubikey are either half-cooked hacks or not working at all.

For example, John Salter's video showing PasswordSafe is a smoke screen. It only supports Yubikey logon from a locked state, but not using Yubikey to log in.

TrueCrypt case is also a marketing fluff since it uses static password and no integration with Yubikey at all. The yubikey integration PbWiki is a total mess, I still can't get it to work.

KeyGenius, lastpass and even this forum's support for Yubikey are like weekend hacks, can't even use an extra key for backup or handle lost keys. Rohos is unstable on my Windows Server 2008 so I uninstalled it.

Only Mashedlife is more serious in supporting yubikey, but not as professional as the SecurID solution I'm using now.

Besides Mashed life I wonder if there is anything that is real, not marketing fluff, and better documented I can follow the best practice in integrating yubikey?

Thanks

Thanks everyone for the support and I hope this gets implemented in the close future.

I have worked with both SecureID and the Yubikey. SecureID is MUCH more complex to set up, requires special server software which is not Open Source and must be payed for (deerly). Also, the tokens require a battery and run out after a few years. Instead of being able to replace the battery, you'll need to by a new token. So, it is in an entirely other league than the Yubikey.

Is it more safe than the Yubikey? The weaknesses I could find in the Yubikey were:

• the encoded string contains a checksum. Hence, given that somebody tries a brute force attack, he has a method to detect if he had success decoding the string (the CRC matches). Given the time needed to crack a message encrypted with an 128 bit AES key I don't see it as a BIG weakness, but it is a weakness nevertheless.
• The Yubikey's OTP is not connected with real time in any way. This allows for a special type of man-in-the middle attack, which was described on this forum. It works by capturing the key before it is sent to the authentication server, generate some time out failure, have the user generate the next key and then use the first key to perform some transaction.
• If you use ONLY the Yubikey, loosing your key is loosing your identity. If someone finds your key and - given he knows where you used it - enters your websites with it, you're lost. The same applies to the SecureID token. However, as with the SecureID token, a second factor can be used to prevent this (e.g. passphrase, pin etc.)

However, implementing Yubikey authorisation is VERY simple, does not cost much and works on almost all platforms. I can't really understand your point of view w/regard to the Yubikey at all, nor can I suggest other / better solutions, given that you have already tried SecureID and Yubikeys. Sorry, mate.