Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:13 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Wed Dec 31, 2014 11:54 am 
Offline

Joined: Tue Dec 16, 2014 5:47 pm
Posts: 5
Hello, I have a question. Could the use of yubikey be used to attack one's privacy? That is:

Let's say I use a yubikey to authenticate to 3 sites (using the default OTP feature). Does yubico know I use a yubikey to authenticate to those 3 sites?

Is there any other way in which you think the use of a yubikey could be used to undermine one's privacy?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Dec 31, 2014 1:11 pm 
Offline

Joined: Wed Nov 19, 2014 12:11 am
Posts: 31
If you use a Yubicloud credential - either the one loaded into a new Yubikey at the factory or one you generate yourself using the personalisation tool - it is theoretically possible for Yubico to gather a list of which servers are submitting requests relating to that credential to the Yubicloud.

If Yubico keep records of the serial numbers of Yubikeys they supply, this might give them a hint as to who is using a factory provisioned Yubicloud credential, which contains the key's serial number. Other than that, Yubico does not have any way of tying that credential to an individual or a role unless the credential has been used on a Yubico service.


I've used my Yubikey Neo here on the forums, on the Yubico store, on the Yubico demonstration service and at LastPass. Yubico could tie that credential to me from my registration with these forums or their store, so they could work out I'm also a LastPass user.

I've got other Yubikeys that have not been used on a Yubico service, so all Yubico could do is work out which services that credential has been used with.


Yubico have no way of knowing whether or when a credential has been passed to someone else. For example, I could unregister a Yubikey from my LastPass account and give that Yubikey to a friend who used it for her LastPass account. Yubico would have no way of knowing I'd given that Yubikey away.



If you do not use Yubicloud, Yubico have no way of tracing the use of a Yubikey. I have an OATH-HOTP credential in slot 2 of my Neo that is nothing whatsoever to do with Yubico. Yubico has no way of knowing whether I hold that credential on a Yubikey or on a mobile phone app like Google Authenticator.


In simple terms, it isn't the use of the Yubikey hardware that might allow any sort of tracing, but the use of the credential(s) you use with the hardware.


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 25, 2015 12:57 pm 
Offline

Joined: Tue Dec 16, 2014 5:47 pm
Posts: 5
DavidW wrote:
If you use a Yubicloud credential - either the one loaded into a new Yubikey at the factory or one you generate yourself using the personalisation tool - it is theoretically possible for Yubico to gather a list of which servers are submitting requests relating to that credential to the Yubicloud.

If Yubico keep records of the serial numbers of Yubikeys they supply, this might give them a hint as to who is using a factory provisioned Yubicloud credential, which contains the key's serial number. Other than that, Yubico does not have any way of tying that credential to an individual or a role unless the credential has been used on a Yubico service.


I've used my Yubikey Neo here on the forums, on the Yubico store, on the Yubico demonstration service and at LastPass. Yubico could tie that credential to me from my registration with these forums or their store, so they could work out I'm also a LastPass user.

I've got other Yubikeys that have not been used on a Yubico service, so all Yubico could do is work out which services that credential has been used with.


Yubico have no way of knowing whether or when a credential has been passed to someone else. For example, I could unregister a Yubikey from my LastPass account and give that Yubikey to a friend who used it for her LastPass account. Yubico would have no way of knowing I'd given that Yubikey away.



If you do not use Yubicloud, Yubico have no way of tracing the use of a Yubikey. I have an OATH-HOTP credential in slot 2 of my Neo that is nothing whatsoever to do with Yubico. Yubico has no way of knowing whether I hold that credential on a Yubikey or on a mobile phone app like Google Authenticator.


In simple terms, it isn't the use of the Yubikey hardware that might allow any sort of tracing, but the use of the credential(s) you use with the hardware.


Sorry to get back at you so late.

This answer doesn't really inspire me with great confidence in Yubico/yubikeys. As I understand, using a Yubikey (with the standard OTP) is basically a diary of which sites a specific user frequents.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Baidu [Spider] and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group