Yubico Forum

I got my yubikey as a Christmas present and think is an amazing piece of technology.

I noticed there was an earlier discussion on using the yubikey with facebook, and the conclusion seemed to be that yuibikey does not support openid 2.0. Is there any way to get openid 2.0 support with the key? I have tried an openid account both here and at clavid. Is there some other error that I am making? Has someone gotten yubikey to allow a login to facebook? I have been able to link accounts, but I cannot get any further.

Thanks,

Alphageek

I used Yubikey + MashedLife or Lastpass to log in to any site.

That's convenient and secure.

I want to believe such sites are secure, but how does one know? I am a little concerned about storing all of my passwords on a remote site. Now, that site has all my accounts and passwords. What if someone there goes bad? Is my information somehow encrypted so that only my yubikey can decode the site? How has this site and its security been verified?

Sorry, I am just paranoid.

I found this thread via the search feature.

Currently I'm using LastPass and a machine generated password to secure my Facebook login, and I just set up Clavid so that I can actually sign into my FB account away from home now.

However, if it is at all possible to convince the people behind Facebook to directly support YubiKey then I would be one happy fella. I've only had my keys for two or three days and I already love it.

I'm flabbergasted that sites like Facebook still rely on the nonsense that's username and passwords. This isn't Yubico's fault, I know, I'm just a bit frustrated at the other folks.

Why would a hardware crypto token need to support an online authentication standard like OpenID 2.0? It's like expecting your computer monitor to support HTML5. The YubiKey is just an input peripheral that generates OTPs according to a set of rules which may be checked by a remote system. How the remote system uses the information obtained is entirely outside the realm of the YubiKey itself.

There are a couple of OpenID providers that support the YubiKey such as Clavid (mentioned earlier), or you can set up your own (as I have done here) that will let you use the YubiKey on any OpenID enabled site.

I'm not sure of the specifics regarding FaceBook. Never got involved with that site, and I'm happy to not be anywhere near it.

<em>I want to believe such sites are secure, but how does one know? I am a little concerned about storing all of my passwords on a remote site. Now, that site has all my accounts and passwords. What if someone there goes bad? Is my information somehow encrypted so that only my yubikey can decode the site? How has this site and its security been verified?

Sorry, I am just paranoid.</em>

All of your questions are answered already. LastPass encrypts and decrypts your passwords locally, not on their server. They store your encrypted password data on their servers to enable you to share password data across many browsers and mobile devices. That's not a security risk because they only have your encrypted data.

When you add a YubiKey to the LastPass account it means that even if someone guesses your LastPass master password they cannot log in without your YubiKey present. You can optionally set up a list of trusted computers that LastPass will not require YubiKey more than once for. If you add a mobile device to your account you can lock it by MEID so that only your trusted mobile phones can even log in to your account.

There is criticism of LastPass for not being open-source like Keepass or other options. To me personally, I'm willing to go with LastPass even given this criticism because of the support for YubiKey and the easy syncing between multiple browsers. This product has finally made it possible for me to have strong, unique passwords for all of my sites, and also to share them easily with my wife on all of our computers and phones. For the minimal cost, it really does work great.