Yubico Forum https://forum.yubico.com/

Time delta server project https://forum.yubico.com/viewtopic.php?f=3&t=419
Page 1 of 1
Author: olov [ Mon Oct 12, 2009 11:48 am ]
Post subject: Time delta server project
A reference implementation for using YubiKey time stamps to improve security has been started. The project is hosted at http://code.google.com/p/yubikey-timedelta-server-php/

A demo server of the project is available at http://timedelta.yubico.com

Feedback on the demo server is most welcome, especially on how the interface is perceived from a user convenience and security perspective.

- Olov Danielson
Yubico
Author: fortean [ Mon Oct 12, 2009 6:09 pm ]
Post subject: Re: Time delta server project
olov wrote:
    A reference implementation for using YubiKey time stamps to improve security has been started.
    Feedback on the demo server is most welcome, especially on how the interface is perceived from a user convenience and security perspective.

Hey, Olov, nice work!

The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between two apps (Yubidrone and the browser), which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone.

A remark: if we were forced to use this method regularly, we would exhaust the key much faster.

Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter three OTPs may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once; perhaps you'd care to explain this?

Thanks and kind regards,
-- Henk
Author: olov [ Tue Oct 13, 2009 9:59 am ]
Post subject: Re: Time delta server project
Hi Henk,

Thanks a lot for your feedback.

fortean wrote:
    The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between two apps (Yubidrone and the browser), which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone.

The allowed timespan between multiple OTPs is set to a value, currently 4 seconds. Maybe that's a bit too tight. I hope to gather some statistics on the demo site in order to come up with a reasonable default value for this timespan.

fortean wrote:
    Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter three OTPs may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once; perhaps you'd care to explain this?

True. I'll also add an example interface where the OTPs are supplied in the order of the user's PIN code. This provides at least some protection for a stolen key, as well as added security against eavesdropping, since the OTPs will be transmitted in unknown order over the Internet.

Best regards,
Olov
Author: fortean [ Fri Oct 16, 2009 2:31 pm ]
Post subject: Re: Time delta server project
olov wrote:
    Hi Henk,
    Thanks a lot for your feedback.
    [...]
    True. I'll also add an example interface where the OTPs are supplied in the order of the user's PIN code. This provides at least some protection for a stolen key, as well as added security against eavesdropping, since the OTPs will be transmitted in unknown order over the Internet.

OTOH, one might argue that now a cracker has 4 OTPs from the same key, so in effect it is LESS secure.

If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client-side certificate, TAN code etc. etc.
Author: olov [ Mon Oct 19, 2009 10:10 am ]
Post subject: Re: Time delta server project
fortean wrote:
    OTOH, one might argue that now a cracker has 4 OTPs from the same key, so in effect it is LESS secure.

Interesting point. From this perspective it might be good to always validate the first OTP against the validation server before the next OTP is requested. It might, though, add some inconvenience for the user, who needs to wait for the validation process before the next OTP can be entered.

fortean wrote:
    If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client-side certificate, TAN code etc. etc.

Yes, this is certainly an option.

Regards,
/Olov
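The rule Olov describes above (a maximum timespan between consecutive OTPs, 4 seconds on the demo server) rests on fields a YubiKey packs into every OTP: a 24-bit timestamp that ticks at about 8 Hz, a non-volatile counter incremented at every power-up, and a per-session use counter. The Go program below is an added example written for this page; it is not the timedelta project's code (that project is PHP) and was not posted in the thread. It decrypts OTPs locally with the key's AES-128 secret, which is an assumption (the demo validates against the validation server instead); the key, public ID, private identity and counter values are constructed sample data. The decoding follows the published YubiKey OTP layout: 12 ModHex characters of public ID, then a 16-byte AES block holding identity, counters, timestamp, random filler and an ISO 13239 CRC whose residual over the whole block is 0xf0b8.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // YubiKey ModHex alphabet: "c" = 0 ... "v" = 15

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(out)*2; i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, fmt.Errorf("modhex: invalid character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 is the ISO 13239 CRC; over an intact 16-byte token it leaves the residual 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // xor the polynomial when the low bit is set
		}
	}
	return crc
}

type Token struct {
	PublicID   string  // 12 ModHex characters in front of the encrypted block
	UID        [6]byte // private identity, must match the value configured for the key
	UseCounter uint16  // non-volatile, incremented on every power-up
	SessionUse uint8   // incremented for every OTP within one power-up session
	Timestamp  uint32  // 24-bit counter ticking at ~8 Hz, random start value per power-up
}

// ParseOTP decrypts a 44-character OTP with the key's AES-128 secret and checks the CRC.
// Holding the AES key locally, as a self-hosted validation server does, is assumed here.
func ParseOTP(otp string, key []byte) (*Token, error) {
	if len(otp) != 44 || len(key) != 16 {
		return nil, fmt.Errorf("otp: want 44 characters and a 16-byte key")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // key length checked above
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 {
		return nil, fmt.Errorf("otp: CRC mismatch (wrong key or corrupted OTP)")
	}
	t := &Token{PublicID: otp[:12], UseCounter: binary.LittleEndian.Uint16(pt[6:8]), SessionUse: pt[11]}
	copy(t.UID[:], pt[:6])
	t.Timestamp = uint32(pt[8]) | uint32(pt[9])<<8 | uint32(pt[10])<<16
	return t, nil
}

// MakeOTP builds and encrypts a token the way the key does (constructed input, fixed random field).
func MakeOTP(key []byte, publicID string, uid [6]byte, useCtr uint16, tstp uint32, sessionUse uint8) string {
	pt := make([]byte, 16)
	copy(pt, uid[:])
	binary.LittleEndian.PutUint16(pt[6:], useCtr)
	pt[8], pt[9], pt[10], pt[11] = byte(tstp), byte(tstp>>8), byte(tstp>>16), sessionUse
	binary.LittleEndian.PutUint16(pt[12:], 0x4242) // constructed "random" bytes
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(key)
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	otp := publicID
	for _, c := range ct {
		otp += string(modhex[c>>4]) + string(modhex[c&15])
	}
	return otp
}

// TimeDelta returns the seconds between two OTPs, or an error when their timestamps are
// not comparable: the counter restarts at a random value on power-up, so both OTPs must
// come from one session (same UseCounter) in order (rising SessionUse). The caller then
// compares the result with its window (4 s in the demo).
func TimeDelta(first, second *Token) (float64, error) {
	switch {
	case first.PublicID != second.PublicID || first.UID != second.UID:
		return 0, fmt.Errorf("otps come from different keys")
	case first.UseCounter != second.UseCounter:
		return 0, fmt.Errorf("key was re-plugged between otps, timestamps not comparable")
	case second.SessionUse <= first.SessionUse:
		return 0, fmt.Errorf("otps out of order or replayed")
	}
	ticks := (int64(second.Timestamp) - int64(first.Timestamp)) & 0xffffff // 24-bit wrap
	return float64(ticks) / 8, nil
}
```

Two caveats fall out of the counters rather than the timestamp alone. The timestamp restarts at a random value whenever the key is powered up, so two OTPs from different power-up sessions (different UseCounter) have no meaningful delta and are rejected instead of silently passing or failing the window. The per-session use counter must rise between the two OTPs, which also catches an OTP that was captured and resubmitted out of order. A server still has to keep the last seen counters per key to reject replays of an OTP it has already accepted; that state is left out here.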
All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/