Yubico Forum


All times are UTC + 1 hour




PostPosted: Wed Apr 15, 2009 3:38 am 
Winchester Password System Standard should be mandatory for Yubikeys. (WPS Standard)

I'm thinking all software that allows the use of a Yubico Yubikey OTP should give us (the users) the option of storing a second Yubikey OTP. This would be for when the current Yubikey goes belly-up, gets lost/destroyed/eaten/etc...
It could allow people to leave a Yubikey at home and another Yubikey with the laptop or at work, wherever...

True physical access becomes a Medium-Low security situation, while leaving online security intact.
But physical access will regardless-always be a problem for the paranoids-geekoids.


(Ok, maybe only the old-tymers who recall Winchester hard drives may understand the reference.)



PostPosted: Mon May 04, 2009 12:36 am 
I very well remember my first ST-506 Winchester drive, I guess it was some 5MB or so. A big and expensive bastard :) It eventually was replaced with a ST-412, I guess it had the double capacity. An unimaginable volume back on a mighty CP/M machine.

(*sigh*, snip)

I've been trying to understand a bit more what the Winchester password system is about, but with limited success. Can you please provide some additional information or an appropriate link that describes what we can add?

Regards,

JakobE
Hardware- and firmware guy @ Yubico


PostPosted: Mon May 04, 2009 4:12 am 
Applications like WordPress, Truecrypt, SquirrelMail, and Google Apps could keep the information on 2 Yubikeys.

ie) In the picture of WordPress you are asked for a Username, Password, and Yubikey OTP.
Image
A spot for an optional Alternative Yubikey OTP could easily be added in.


By giving the option, several things happen (well, at least for people with 2 or more Yubikeys).
- It wouldn't be a big concern if a Yubikey is left at work, that's if you also kept one at home. Because you'd still have access.
- Losing a Yubikey wouldn't mean a big hassle. You could log in to the few applications that you use and remove the lost Yubikey and later put a new Yubikey OTP in when the new one arrives.
- This could also allow the use of both a Personalized Yubikey (with a self-assigned OTP) and also a standard (Yubico issued) Yubikey OTP.
- Gives the option of putting a Yubikey away with a will, or in a safety deposit box etc...
- Allow the sharing of services/programs in a secure manner. A kind of joint account between husband and wife.
- People (who think ahead) may purchase 2 Yubikeys instead of just one, or may be more inclined to purchase a second one later on.


True enough, not everyone would put a second Yubikey OTP in, some people are ultra-paranoid etc...
But not everyone sees the world as a Red Alert 24/7, some people see security in terms of: normal, low, medium, high.
Since it is just an option, it should not pose a problem for the average person using the average application.
It could give more of a sense of security for the average user who may leave the Yubikey at work, or is concerned about losing the Yubikey.


PostPosted: Mon Oct 05, 2009 10:57 am 
JH2007 wrote:
Applications like WordPress, Truecrypt, SquirrelMail, and Google Apps could keep the information on 2 Yubikeys.

ie) In the picture of WordPress you are asked for a Username, Password, and Yubikey OTP.
Image
A spot for an optional Alternative Yubikey OTP could easily be added in.



Yes, very good idea! Please someone implement this :)


PostPosted: Thu Oct 08, 2009 8:41 pm 
Charybdis wrote:
JH2007 wrote:
Applications like WordPress, Truecrypt, SquirrelMail, and Google Apps could keep the information on 2 Yubikeys.


The decision to accept 1, 2 or more keys to grant access to the SAME account lies entirely with the provider of the website. All he needs to do is maintain multiple records in his database, in which the connection between account and key is made. E.g. he may have the following records in his database:

keyid=ccccccccfkng name=fortean md5sum=c8f1ee9a7c5fd4b3c66d7559e99807d0
keyid=vvtinkerbellvv name=fortean md5sum=c8f1ee9a7c5fd4b3c66d7559e99807d0

.. note that the keyids differ, but the other fields are the same, which in effect requires fortean to type in the same passphrase, but allows him to either present vvtinkerbellvv or ccccccccfkng. You could also require two different passphrases etc.
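
Added example, not part of the thread and not Yubico's code: a sketch of the account-to-key table described in the post above, including the "remove the lost Yubikey" step raised earlier in the thread. `KeyStore`, `key_id`, `hash_pw` and the `otp_is_valid` callback (a stand-in for whatever OTP validation service the site uses) are hypothetical names; the key ID is taken as everything before the final 32 modhex characters of the OTP, and salted PBKDF2 replaces the bare md5sum from the post.

```python
import hashlib, hmac, os

MODHEX = set("cbdefghijklnrtuv")   # alphabet a Yubikey types its OTP in
OTP_TAIL = 32                      # encrypted part; the public ID precedes it

def key_id(otp):
    """Public ID of an OTP (1-16 modhex chars), or None if malformed."""
    otp = otp.strip().lower()
    if not OTP_TAIL < len(otp) <= OTP_TAIL + 16 or not set(otp) <= MODHEX:
        return None
    return otp[:-OTP_TAIL]

def hash_pw(passphrase, salt):  # salted PBKDF2, swapped in for the post's md5sum
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

class KeyStore:
    def __init__(self, otp_is_valid):
        self.otp_is_valid = otp_is_valid   # assumed callable wrapping OTP validation
        self.accounts = {}                 # name  -> (salt, passphrase hash)
        self.keys = {}                     # keyid -> name; many keyids per name

    def add_account(self, name, passphrase):
        salt = os.urandom(16)
        self.accounts[name] = (salt, hash_pw(passphrase, salt))

    def enroll(self, name, otp):
        kid = key_id(otp)                  # a valid OTP proves possession of the key
        ok = bool(kid and kid not in self.keys and name in self.accounts and self.otp_is_valid(otp))
        if ok:
            self.keys[kid] = name
        return ok

    def revoke(self, name, kid):
        owned = self.keys.get(kid) == name     # only the owning account may unbind
        return owned and self.keys.pop(kid) == name

    def login(self, name, passphrase, otp):
        salt, stored = self.accounts.get(name, (b"\0" * 16, b""))
        pw_ok = hmac.compare_digest(hash_pw(passphrase, salt), stored)
        return pw_ok and self.keys.get(key_id(otp)) == name and bool(self.otp_is_valid(otp))

def demo():
    # Constructed OTPs: the post's two key IDs, each with a made-up 32-char tail.
    a, b = "ccccccccfkng" + "cbdefghijklnrtuv" * 2, "vvtinkerbellvv" + "vutrnlkjihgfedbc" * 2
    store = KeyStore(otp_is_valid=lambda otp: True)   # stand-in validator
    store.add_account("fortean", "constructed passphrase")
    enrolled = store.enroll("fortean", a) and store.enroll("fortean", b)
    store.revoke("fortean", key_id(a))                # key A reported lost
    return enrolled, [store.login("fortean", "constructed passphrase", o) for o in (a, b)]
```

After key A is revoked, the same passphrase still logs in with key B, so losing one key does not lock the account and does not leave the lost key usable.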

