Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:27 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Mon Jul 04, 2016 8:55 pm 
Offline

Joined: Sat Jul 02, 2016 8:31 am
Posts: 8
Location: UK
While reading http://www.yubico.com/wp-content/upload ... ide_en.pdf I saw
Quote:
9 b. In the Yubico AES Key Upload window, compare YubiKey prefix with the results from the text editor.
Type the CAPTCHA, and click Upload AES key

I guess the captcha is preventing some service abuse or overload, but... isn't an OTP stronger protection?

Hence a suggestion: a useful captcha-like service asserting that OTP key $foo has issued no more than $n tokens in the last $t hours.

Maybe I have 500 keys on a carousel doing a plug, dab and move cycle... but this limited resource doesn't look farmable or botnettable.

If the assertion service was rogue, it would have a stream of fresh OTPs it could try elsewhere. How big is the risk to the key owner here?

Have I misunderstood the need for registering the key before use? Does attestation (hence u2f not otp) help here? Can the service usefully use one u2f keyhandle against many not previously registered keys?

_________________
--
2016-07: 2*Yubikey4, 1*U2F


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jul 05, 2016 4:06 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
The AES key upload is only for the Yubico OTP credential you're programming - nothing else. It has nothing to do with U2F.

The CAPTCHA is there because we can't require a Yubico OTP there - since this page is used for uploading the Yubico OTP credential that was just programmed, the service has no knowledge of your credential.

For some reason, a decent amount of customers receive their YubiKey and decide it's a good idea to wipe the default credential in slot 1 and generate a new one (in this use case, the OTP credential has been deleted, so there is no way we could require an OTP here).


Top
 Profile  
Reply with quote  
PostPosted: Tue Jul 05, 2016 7:51 pm 
Offline

Joined: Sat Jul 02, 2016 8:31 am
Posts: 8
Location: UK
Yes, I see that in this instance there is a bootstrap problem with using OTP for captcha.

Also, after the AES key is replaced with a non-factory one, presumably Yubico can no longer vouch that the OTPs were made by hardware? And therefore it's open to flooding from multiple ids, in software.

On U2F, I wondered if it is better value for captcha. Older keys don't have it, so maybe it's not good for OTP AES key replacement. But it can be verified as hardware even by third parties, so maybe it's useful for blog posts?

ChrisHalos wrote:
For some reason, a decent amount of customers receive their YubiKey and decide it's a good idea to wipe the default credential in slot 1 and


If I were doing that, it could be either ineptness or some ill-defined fear of other people's secrets. Or I just needed two slots for a while..? (I'm n00b)

_________________
--
2016-07: 2*Yubikey4, 1*U2F


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group