I've been playing around with my YubiKey NEO and have gotten OTP, Chal-Resp, and U2F to work as local logins on my Ubuntu box (PAM modules). I'm trying to determine if any one is better than the other, security-wise, since all appear to be valid options.
I've basically nixed off the OTP because it involves sharing a secret. No offense to Yubico, but I'm trying to get out of the game of possible leaked secrets, no matter who stores them. It also gives you the issue of logging in while not connected to the internet. Bleh.
Challenge-Response is neat. Specifically in the SHA mode so that you're not burning your counters off. Authentication based off of symmetric encryption (basically).
U2F would be my preferred method of the 3 of them for logging in to websites since it does not involve trusting anyone with a shared secret. Also, most of the features of U2F are geared towards remote logins for web services.
Anyone have a compelling reason to use one or the other for a local login?