Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:26 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Tue Dec 16, 2014 6:02 pm 
Offline

Joined: Tue Dec 16, 2014 5:47 pm
Posts: 5
Hey there!

In your opinion, which is the best solution, Yubikey vs Google Authenticator?


I'm currently using Yubikey but I might start using google authenticator instead.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Dec 16, 2014 7:13 pm 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 16, 2014 7:17 pm 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade. The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 16, 2014 7:59 pm 
Offline

Joined: Tue Dec 16, 2014 7:47 pm
Posts: 2
darco wrote:
I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade.


Worst case, the secret used by the Google Authenticator app can be manually transferred to a new phone if necessary.

Quote:
The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.


Not quite true. My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 16, 2014 8:00 pm 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
Ok, fair enough, I am assuming that the device is NFC compatible and works with the ykneo.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 16, 2014 8:25 pm 
Offline

Joined: Tue Dec 16, 2014 5:47 pm
Posts: 5
DavidW wrote:
With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.


[My emphasis]

One doesn't need to read the contents of a yubikey. The fact that the OTPs are not time-based makes it easier to "hack" than google-authenticator. All you've to do is get someone's yubikey, mail yourself some OTPs and then use them. Of-course once an OTP is used, all the past OTPs will be useless but still.

I find Google-Authenticator in an encrypted password protected device much more secure than yubikey. I created this thread to be proved otherwise, as I might be starting to think that I made the wrong choice by going with Yubikey.

Thank you all for posting on this thread btw.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 16, 2014 9:04 pm 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 17, 2014 1:28 am 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
darco wrote:
Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.


Adding to darco's answer, the majority of services online use TOTP, so you cannot generate OTPs in advance unless you have access to the secret and know the time you want the OTP for (typically a 30 second window, with the server making some allowance for entry time and clock skew).

I have credentials for Google, Microsoft, Dropbox, Facebook, Tumblr and github on my Yubikey Neo. All are TOTP credentials.


The only event-based credentials I have are those I use with the Yubikey's 'touch button' capabilities: Yubico OTP (which I don't use much) and Symantec VIP (which I use with PayPal). I also have event based hardware OTP setups from two UK banks - HSBC uses a self-contained PIN protected token and Nationwide use a small device that works with the Chip Authentication Program feature on their cards.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 17, 2014 1:42 am 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
dvarapala wrote:
My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.


My Galaxy Note 3 works fine with my Neo, though I'm running a different country version to you and therefore different firmware (mine is BTU - United Kingdom unbranded). I will undoubtedly have different apps loaded to you. It's possible you have an app that is interfering with Yubico Authenticator and/or Yubiclip's use of NFC.


I'm therefore able to generate OTPs using the Authenticator app on my phone over NFC, or by using the Authenticator app on my laptop with the Neo in a USB slot.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 17, 2014 1:16 pm 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
My take on this question is the following:

Google Authenticator is a piece of software that uses well know algorithms to generate on screen displayed codes (smartphones, tablets, pc).
In this scenario you have to trust your phone's hard-drive (tablet, pc, etc..) to store the secrets. These devices are often Internet connected.

The Yubikey stores the secrets into the secure element. It is not an Internet connected device. The same well known algorithms are later on used to spit out the codes exactly as the Google Authenticator does onto the smartphone, tablets etc. However the secrets never leave the Yubike's secure element

The Yubikey applet can be password protected.
The Google Authenticator doesn't (on iOS, however it could be easily added ), it just prevents the average Joe to pick up the phone, start the App and steal couple of codes.

The real question here is 'do you trust storing secrets on the "designed storage" for your device app or you rather store them onto an offline device's secure element?'

What do you think? I am happy to see great conversations about security coming up on this community!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group