Yubico Forum

Winchester Password System Standard should be mandatory for Yubikeys. (WPS Standard)

I'm thinking all software that allows a usage of Yubico Yubikey OTP, should give us (the user) the option of storing a second Yubikey OTP. This would be for when the current Yubikey goes bellyup, gets lost/destroyed/eaten/etc...
It could allow people to leave a Yubikey at home and another Yubikey with the laptop or at work, where-ever...

True physical access becomes a Medium-Low security situation, while leaving online security intact.
But physical access will regardless-always be a problem for the paranoids-geekoids.


(Ok, maybe only the old-tymers who recall Winchester hard drives may understand the reference.)

I very well remember my first ST-506 Winchester drive, I guess it was some 5MB or so. A big and expensive bastard It eventually was replaced with a ST-412, I guess it had the double capacity. An unimaginable volume back on a mighty CP/M machine.

(*sigh*, snip)

I've been trying to understand a bit more what the Winchester password system is about, but with limited sucess. Can you please provide some additional information or an appropriate link that describes what we can add.

Regards,

JakobE
Hardware- and firmware guy @ Yubico

Applications like WordPress, Truecrypt, SquirrelMail, and Google Apps could keep the information on 2 Yubikeys.

ie) In the picture of WordPress you are asked for a Username, Password, and Yubikey OTP.

A spot for an optional Alternative Yubikey OTP could easily be added in.


By giving the option several things happen (well, at least for people with 2 or more Yubikeys).
-It wouldn't be a big concern if a Yubikey is left at work, that's if you also kept one at home. Because you'd still have access.
-Losing a Yubikey wouldn't mean a big hassle. You could log in to the few applications that you use and remove the lost Yubikey and later put a new Yubikey OTP in when the new one arrives.
-This could also allow the use of both a Personalized Yubikey (with a self-assigned OTP) and also a standard (Yubico issued) Yubikey OTP.
-Gives the option of putting a Yubikey away with will, or in a safety deposit box etc...
-Allow the sharing of services/programs in a secure manner. A kind of joint account between husband and wife.
-People (who think ahead) may purchase 2 Yubikeys instead of just one, or may be more inclined to purchase a second one later on.


True enough not everyone would put a second Yubikey OTP in, some people are ultra-paranoid etc...
But not everyone see's the world as a Red Alert 24/7, some people see security in terms of: normal, low, medium, high.
Since it is just an option, it should not pose a problem for the average person and using the average application.
It could give more a sense of security for the average user who may leave the Yubikey at work, or is concerned about losing the Yubikey.

Yes, very good idea! Please someone implement this

The decision to accept 1, 2 or more keys to grant acces to the SAME account lies entirely with the provider of the website. All he needs to do is maintain multiple records in his database, in which the connection between account and key is made. E.g. he may have the following records in his database:

keyid=ccccccccfkng name=fortean md5sum=c8f1ee9a7c5fd4b3c66d7559e99807d0
keyid=vvtinkerbellvv name=fortean md5sum=c8f1ee9a7c5fd4b3c66d7559e99807d0

.. note that the keyids differ, but the other fields are the same, which in effect requires fortean to type in the same passphrase, but allows him to either present vvtinkerbellvv or ccccccccfkng. You could also require two different passphrases etc.