Yubico Forum

I bought a Yubikey NEO 3.3 a few weeks ago and I am very satisfied.

As I mentioned in another post, I'm currently using my Yubikey NEO for:

• Yubico U2F: U2F at sites which support it (just google at the moment, sadly).
• YubiOATH: Holding my TOTP/HOTP credentials for various websites, including google, wordpress, github, dropbox and Facebook.
• OpenPGP: Holding my OpenPGP subkeys, which I use for signing emails, opening encrypted files, and SSH authentication.
• YubiKey PIV: Holding my personal client-ssl and S/MIME certificate from StartSSL.com, as well as a self-signed PIV Auth certificate I use sometimes for SSH authentication.
• YubiKey OTP: I use this for storing an HOTP credential that I use for banking.

I have some feedback and feature requests that would make future versions of this product even more useful:

1. Allow the OATH app to use any HOTP credentials that are configured in the standard OTP slots. This would be useful when using the yubikey over NFC. I'd rather use the same interface for all OTPs rather than have to remember that the OTP credential I need has to be read as an NDEF URL, when I'd rather just go to the yubico authenticator app. Note that I can't just add the credential to both apps because then the counter would get out of sync.
2. Bitcoin wallet. Incredibly useful. I understand that this was an original goal, but that hardware capabilities prevented it from coming to fruition. If the hardware ever changes to allow support for this, jump on it.
3. Support for ECC keys in the OpenPGP app.
4. The PIV app is limited to just four certificates, and those certificate slots have additional behaviors associated with them which may not be appropriate. I would love to have the ability to store a somewhat arbitrary number of private keys (and associated certificates), as I have several S/MIME certificates. There is obviously going to be an upper limit on the number of certificates that can be supported, but I'm guessing that you could fit considerably more than four certificates and their associated private keys. Just give me a pkcs11 interface and I'll be happy.
5. I would love to have the optional ability to require physically touching the button for signing and decryption operations in both the PIV app and the OpenPGP app. (When used with NFC, a simple timeout, requiring a re-tap, would be adequate) This would ensure that even if my computer and PIN code were compromised that the attacker couldn't arbitrarily perform signing or decryption operations while my NEO was connected.

Additionally, I think that the mechanism for development is kind of unfortunate at the moment. I propose the following mechanism, inspired by the OLPC process:

All yubikey NEO tokens would come from yubico as "development-locked". They are not in development mode and cannot be loaded with apps or updated via software, HOWEVER... Users may contact yubico to request a unique "developer unlock key" that, when presented to that specific yubikey, fully wipes the data storage for all of the apps and irrevocably sets an additional bit indicating that the device is now in a non-factory configuration mode. In this state the user may then load new javacard apps onto the token and do general token development.

The specific case outlined in this blog post is avoided because:

• Someone would have to contact yubico to get the developer unlock key. You could even require that the user supply a valid original Yubico OTP from the token in question, to verify physical possession of the token.
• The developer unlock key would only be accepted if the device was unprotected.
• All application data (including the U2F internal secret, which would need to be regenerated) would be wiped, making it pretty obvious that the device has been tampered with.

I know the whole developer-mode idea is a bit of a stretch, but I figured it was worth throwing out there.

Thank you for the feedback, I have shared it with the rest of the dev team! Some of the things that you mention are already on our want-to-do list, but cannot be done right now (for example because of, like you mention, missing hardware support).

Henrik
SW developer

A few more suggestions:

• Instead of using a password-like access control to the YubicoOATH app, use PIN/PUK style system that automatically locks itself after too many attempts to unlock with the wrong code. Bonus points for not accidentally using attempts if I try using my yubikey on someone else's phone and need to enter my pin (when they have their own yubikey that uses a different pin). Multiple attempts with the same invalid pin should not count as additional attempts.
• Consider using a zero-knowledge PAKE protocol (like J-PAKE) for establishing an encrypted session between the yubico authenticator app and the app on the sim card, if one isn't being used already. This will prevent data from leaking during NFC activation, including the password. A lot of people will end up just using their PIN codes for the password, so 1000 rounds of pbkdf2 is going to be trivial to reverse. Not sure if this can happen fast enough for an NFC tap, but it would dramatically reduce the likelihood of a compromised password if someone is eavesdropping.
• Instead of having a separate PIN/PUK for each app, have a unified PIN/PUK for the entire yubikey neo that applies to all apps. Entering the wrong pin on any app too many times would lock the entire yubikey until the PUK was presented. This also simplifies administration, since you only need to change your PIN once per yubikey instead of once for each app. I understand that this might not be easy to do, but figured it was worth mentioning.
• The Yubico Authenticator app should offer to store my password/PIN in my keychain.

Also, while not really a feature suggestion, I'm noticing that the yubico authenticator crashes a lot on my Mac. Here is a short backtrace:



Any ideas? It doesn't happen all the time, but when it does happen it seems to happen quite often and repeatedly.

Unfortunately I can't write private messages for some reason, so I'm asking right here. Can you please describe how you managed to put a StartSSL certificate to neo and how to use it afterwards?

Ok, I managed to put the cert into my neo.
But how can I use it for authenticating on startssl.com in google chrome?

Ask your question on the yubikey neo forum. If you've already asked there, send me a link to your post and I can answer there.

Thanks for anwsering. I've just created a new topic: viewtopic.php?f=26&t=1753, pls anwser there.