Yubico Forum

OK, I am brand-new to Yubikey...

I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on...

However, I am seeing that is apparently not correct.

So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then.

Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive.

It is not a security issue because nowhere does it say that it scans your fingerprint. It is meant to be used together with a username and a password i.e. something you know and something you have. You better read up on security engineering...
//A

I know security engineering, thank you very much... not all of it, but none of us know everything.

Here's the thing- with Truecrypt, to use the Yubikey as the pass to an encrypted volume, it can store and submit a 64-digit static password.

That static password is, hello, static.

There is nothing else required to decrypt the system partition in the case of an encrypted system partition- no username, other password, nothing.

therefore, anyone that can lay hands on that yubikey and insert it in the USB slot on that machine can decrypt the volume.

To add a cheap second factor in cases like truecrypt that need a static password, there is a very easy way.

Type in a PIN code first before tapping the yubikey. Now each part (PIN, yubikey) is useless without the other, because the real truecrypt password is a combination of them.

Excellent idea, why didn't I think of this- we do it at work with our Verisign keys.

Yep, huge brainfart there. Thanks!

Yep, simple solution. I did this with my OpenID server, the patch for it has been sent to the Community-ID bug tracker.

Basically when you register for Community-ID, you initially do it using password authentication. Then, when you've activated the account you have the option of enabling YubiKey authentication (single-factor). I extended this to provide two-factor... the prefix of the key for each user is in the database, it takes the length of this, adds 32 to it, and feeds that into substr a couple of times to split user password from OTP.

I'll probably look into doing this with YubiPAM if I can't get challenge-response auth going, as this will allow two-factor authentication with slightly-broken PAM clients such as KDM.