Yubico Forum


All times are UTC + 1 hour




 Post subject: Ideas took from Swekey
Posted: Wed Dec 15, 2010 6:01 pm
After reading the post "http://forum.yubico.com/viewtopic.php?f=4&t=601&p=2459" I decided to purchase a swekey to evaluate it.

It was quite a good surprise, and I found a lot of good ideas in the product. I hope Yubico will be able to implement those features...


Shipping:

Shipping is fast and free.
I paid 5 Euros for Yubikey shipping while they used a £ 0.6 stamp to send it :-(


Cost:

The swekey is shipped at $20 including shipping; the Yubikey cost me $30.


Hardware:

The Yubikey's hardware looks far better than the Swekey's.
I really love the thin design of the Yubikey; the Swekey still uses the classical USB port.


Installation:

No installation required for the Yubikey.
Swekey's installation is automated under Windows, but you need to download an installer for Mac and Linux.


Usage:

No need to push a button to logon, the key is recognized and the OTP is generated transparently (++)
When you unplug your swekey you are automatically logged out (++)


Lost Key:

Losing a Yubikey is a real pain.
You can purchase a backup swekey to immediately replace a lost swekey.
Once replaced, the original swekey becomes unusable (I didn't try the feature to avoid destroying my original swekey)


I'm at home and I forgot my Key at the office:

No support for Yubikey
You can disable a swekey. Then it won't be required by most sites (unless the site has a very high security level).
Once plugged the swekey is automatically reactivated




Security:

You can generate a lot of Yubikey OTPs in a text file then use them later doing copy/paste.
This can be considered unsafe since you can login without the Yubikey plugged in your computer.
Swekey works in challenge/response mode, so a generated OTP can never be reused.
The Yubikey does not protect you against 'man in the middle/phishing' attacks; the swekey does because its OTP is calculated using the hostname of the remote site.
Of course this protection is useful only when using https sites.


Misc features:

As a corporation we planned to use the Yubico to protect our intranet. The swekey can let you choose to open your intranet webpage as soon as you plug it in (the feature did not work on Linux)



Posted: Tue Dec 21, 2010 12:02 am
Joined: Fri Mar 05, 2010 5:30 am
Posts: 3
Location: British Columbia, Canada
The price difference is negligible.

I agree that the flat moulded plastic/resin sheet idea, while nifty, has downsides. For example, I can not insert my Yubikey into my laptop's USB ports without two adjacent free slots. I like the Goldkey form-factor, with the entire device the dimensions of an elongated USB plug.

As for losing your Yubikey, it is fully possible to purchase two and use one as a backup. (You can disable a Yubikey by removing its credentials from your account; now the Yubikey is non-functional without being re-configured.)

Using OTPs in a text file is great, unless you want to both use the physical device and the pre-generated keys, which you can't do due to replay prevention. Once a Yubikey OTP is used, it can not be used again, either. (And invalidates all prior OTPs generated with that key, thus the plain text file full of OTPs isn't actually that useful).

Nothing protects you from man-in-the-middle attacks except understanding SSL/TLS and checking the certificates of the sites you visit. Using the "host name" of the remote site is pointless and easily faked in a similar way to how I can send e-mail as Bill Gates if I wanted to. (Infosec is one of my many hats; becoming a passive MITM sniffing all data on an entire network required three simple commands in a BASH prompt.)

Note there is a lot of software available (under many operating systems) for free that is able to detect USB device connection/disconnection and perform actions based on those actions. HAL under Linux can do it, as an example; you just need to understand and configure the right things. Opening an intranet page when a USB device is inserted is flashy, but silly. An intranet should open when the browser is started, period. Locking my workstation when I remove my Yubikey seems a far more practical use of device detection.

_________________
— Alice Bevan-McGregor, Systems Administrator, Top Floor Computer Systems Ltd.
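
An added illustration of the two mechanisms debated in this thread (not part of either post, and not Yubico's or Swekey's code): a validation server's counter-based replay check applied to a file of pre-generated OTPs, and a challenge/response value bound to a hostname. Assumptions: only the token's use counter and session counter are modelled (not the encrypted OTP format), the HMAC construction is hypothetical, and the client derives the hostname from its actual connection.

```python
import hashlib
import hmac
import secrets

class CounterValidator:
    """Replay check in the style of a counter-based OTP validation server."""
    def __init__(self):
        self.last_seen = {}  # key id -> highest (use_counter, session_counter) accepted

    def accept(self, key_id, use_counter, session_counter):
        current = (use_counter, session_counter)
        previous = self.last_seen.get(key_id)
        if previous is not None and current <= previous:
            return False  # replayed, or generated before an OTP already accepted
        self.last_seen[key_id] = current
        return True

def host_bound_response(secret, challenge, hostname):
    """Hypothetical response: HMAC over the server challenge and the host in use."""
    msg = challenge + b"|" + hostname.lower().encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).digest()

def verify_response(secret, challenge, own_hostname, response):
    expected = host_bound_response(secret, challenge, own_hostname)
    return hmac.compare_digest(expected, response)

def demo():
    results = {}
    validator = CounterValidator()
    # Constructed sample: five OTPs saved in advance during one session.
    stored = [(1, n) for n in range(1, 6)]
    results["newest_stored"] = validator.accept("key-A", *stored[4])
    results["older_stored"] = [validator.accept("key-A", *c) for c in stored[:4]]
    results["same_again"] = validator.accept("key-A", *stored[4])
    results["fresh_press"] = validator.accept("key-A", 1, 6)

    secret = secrets.token_bytes(32)      # shared between token and server
    challenge = secrets.token_bytes(16)   # fresh per login attempt
    direct = host_bound_response(secret, challenge, "intranet.example.com")
    # Client was connected to a look-alike host that forwarded the challenge.
    relayed = host_bound_response(secret, challenge, "intranet.example.net")
    results["direct"] = verify_response(secret, challenge, "intranet.example.com", direct)
    results["relayed"] = verify_response(secret, challenge, "intranet.example.com", relayed)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
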

