Yubico Forum

Hi.

I wish to use the Yubikey to keep my company's most important clients safe (executives, those who travel alot, etc). I was thinking something along this way:

A locally non-administrative account to log in with (domain account). When there is a need for elevated permissions the user must use a local user in the local administrators group that has a static long password saved on the Yubikey. First I thought this was an OK idea until I realize that if the Yubikey is left in the computer all it takes is for an attacker is to know the user name of the local administrator account...

Any tips from all of you Yubikey experts in the forum? The most important part is that the user must use a non-adminstrative account for the daily work but have the possibility to install programs as admin without needing to remember a long password.

Thank you in advance!
/Dean Y

If you have a Windows domain, I would issue logon certificates and store the user certificate in slot 9A of the PIV applet on a Yubikey NEO. To log on, the user inserts their NEO and enters the PIV PIN.


Static passwords are of limited use - all it takes is to open a text editor, press the button and you have a copy of the password. If you must use a static password (for example for a disk encryption password), the recommendation is that you store only part of the passwords in the Yubikey and type the rest.