Yubico Forum
https://forum.yubico.com/

Feature Request: Remote Yubikey Recognition
https://forum.yubico.com/viewtopic.php?f=23&t=810

Author:  davbran [ Tue May 15, 2012 12:20 pm ]
Post subject:  Feature Request: Remote Yubikey Recognition

I live and breathe by my Yubikey, and now I can add the same level of security to my desktop as I do with my Lastpass.

There is a slight hiccough though, with the state of the Yubikey Windows Login Administration, there is no remote support from the remote PC.

I would like to use RDP to connect to my remote computer, but my remote computer doesn't recognize the local yubikey.

Author:  Onedutch [ Fri Jun 22, 2012 9:22 am ]
Post subject:  Re: Feature Request: Remote Yubikey Recognition

:cry: I was just making my way to use the Yubico way of logging into a workstation. We use RDP (MSTSC) a lot for remote work. So the Yubikey isn't used with the USB Keyboard device way.

Currently we use http://www.rohos.com/support/knowledge-base/windows-logon-with-yubikey/ which does work with Yubikey. It's paid software :(

Should it be able to use Yubikey with challenge response in the future? When starting RDP, the 'default' for smartcards is always enabled? Perhaps the Yubikey should present itself as a USB SmartCard, so the RDP client can pass through the Challenge Response over this SmartCard way of doing things.

Regards Onedutch

Author:  ferrix [ Mon Oct 29, 2012 7:48 pm ]
Post subject:  Re: Feature Request: Remote Yubikey Recognition

Challenge-response mode over RDP can never work, at least not without very major changes to yubikey or by using different client-side RDP software. Smart cards work extremely differently than yubikey OTP or C/R mode, in terms of cryptography and also interface. There's no way to make a yubikey "look like" a smart card.

Even if one day some yubico product might support public key crypto, it would essentially have to *be* a smart card, in every true sense, in order to authenticate this way using default RDP software.

The alternative if you need remote logon working is simply to use OTP mode instead of C/R mode. All the other logon solutions for yubikey support this mode. Yubico's stance (correct) is that this leads to less endpoint security since the shared secret must be stored on the workstation. But if you encrypt your drive this is somewhat mitigated.

Also in terms of security, the yubico windows logon software has a very long way to go in terms of security best practices. Right now the software is making a lot of rookie security mistakes. But I'm sure over time it will improve, as free solutions do, slowly.

All times are UTC + 1 hour