Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:42 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 9 posts ] 
Author Message
 Post subject: Password syncing
PostPosted: Mon Sep 07, 2009 8:18 pm 
Offline

Joined: Mon Sep 07, 2009 8:14 pm
Posts: 4
Hi all.
First, I have to say this is one of the best products I have ever used.

Second, my question. I don't know how really to ask it, so I will rather be explaining it by example.

Let's say I got 2 or 3 YubiKeys and I use the kg for passwords.
Is it possible for them to use the same kg account?
Example, I add passwords to the kg account, and it can be used with the other 1 or 2 yubikeys?

Thanks.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Password syncing
PostPosted: Wed Sep 09, 2009 9:27 am 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
Generally speaking, it is up to the service that you are using yuor Yubikey with to handle dealing with lost keys, some may do it and others may not.

For KeyGenius, you currently can't have more than one key per account. You can however change which Yubikey you use to access it. This can be done even if you lose your Yubikey, as long as you are using the new two factor authentication for KeyGenius (Accounts). KeyGenius uses the other form of authentication (password) combined with an email confirmation to accomodate this.


Top
 Profile  
Reply with quote  
 Post subject: Re: Password syncing
PostPosted: Sun Sep 13, 2009 2:34 am 
Offline

Joined: Mon Sep 07, 2009 8:14 pm
Posts: 4
dain wrote:
For KeyGenius, you currently can't have more than one key per account. You can however change which Yubikey you use to access it.

I need it for keygenius.
And don't mean to change keys :)
Maybe this can be done in future, I personally need this option and find it useful (don't know if others agree) since for websites where you will need to keep your colleagues with the latest password to access some service (and you change it pretty much often).


Top
 Profile  
Reply with quote  
 Post subject: Re: Password syncing
PostPosted: Fri Sep 18, 2009 2:13 pm 
Offline

Joined: Fri Sep 18, 2009 2:09 pm
Posts: 2
I was going to ask about the multiple yubikey question and thought I'd check here first.

Couldn't I use the export to csv function and then import the information to a new account with a different Yubikey. This would not be as convienient as multiple keys since every time you add a new site you'd have to add it to the other account or accounts, but appears to be a workaround.

Would this work and what are the security risks?

Thank
j30sailor


Top
 Profile  
Reply with quote  
 Post subject: Re: Password syncing
PostPosted: Fri Sep 18, 2009 2:44 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
Multiple Yubikeys per account does seem like a good feature for KeyGenius, so I'll see about adding it in the future.

You could definitely export passwords to CSV and import them under another KeyGenius Account, and share them that way. The problem, as you correctly identified, is that you would have to keep all the accounts in sync when adding or changing passwords. As far as I can tell there are no added security risks, other than the obvious one: The security now depends on several people instead of just one.


Top
 Profile  
Reply with quote  
 Post subject: Re: Password syncing
PostPosted: Fri Sep 18, 2009 3:04 pm 
Offline

Joined: Fri Sep 18, 2009 2:09 pm
Posts: 2
Good point, would love to see multiple support.

My issue is to make sure I have the Yubikey with me. One on my keychain, one in my home machine which is physically secure.

Also see it as a great way to prevent changing passwords. Disable one Yubikey and keep using the other if you lose one.

j30sailor


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 18, 2009 6:50 pm 
Offline

Joined: Fri Sep 18, 2009 6:29 pm
Posts: 3
Just got a used yubikey from ebay for $5! Curious to try it out because of all the marketing buzz generated around it. Check if it can replace SecurID in my intranet deployment and do more.

But after trying it for a week, I am disappointed. Almost all the services/apps claiming supporting yubikey are either half-cooked hacks or not working at all.

For example, John Salter's video showing PasswordSafe is a smoke screen. It only supports Yubikey logon from a locked state, but not using Yubikey to log in.

TrueCrypt case is also a marketing fluff since it uses static password and no integration with Yubikey at all. The yubikey integration PbWiki is a total mess, I still can't get it to work.

KeyGenius, lastpass and even this forum's support for Yubikey are like weekend hacks, can't even use an extra key for backup or handle lost keys. Rohos is unstable on my Windows Server 2008 so I uninstalled it.

Only Mashedlife is more serious in supporting yubikey, but not as professional as the SecurID solution I'm using now.

Besides Mashed life I wonder if there is anything that is real, not marketing fluff, and better documented I can follow the best practice in integrating yubikey?

Thanks


Top
 Profile  
Reply with quote  
 Post subject: Re: Password syncing
PostPosted: Mon Sep 28, 2009 6:39 pm 
Offline

Joined: Mon Sep 07, 2009 8:14 pm
Posts: 4
Thanks everyone for the support and I hope this gets implemented in the close future.


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 28, 2009 8:54 pm 
Offline

Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
Basal wrote:
Just got a used yubikey from ebay for $5! Curious to try it out because of all the marketing buzz generated around it. Check if it can replace SecurID in my intranet deployment and do more.
[...]
Besides Mashed life I wonder if there is anything that is real, not marketing fluff, and better documented I can follow the best practice in integrating yubikey?


I have worked with both SecureID and the Yubikey. SecureID is MUCH more complex to set up, requires special server software which is not Open Source and must be payed for (deerly). Also, the tokens require a battery and run out after a few years. Instead of being able to replace the battery, you'll need to by a new token. So, it is in an entirely other league than the Yubikey.

Is it more safe than the Yubikey? The weaknesses I could find in the Yubikey were:
  • the encoded string contains a checksum. Hence, given that somebody tries a brute force attack, he has a method to detect if he had success decoding the string (the CRC matches). Given the time needed to crack a message encrypted with an 128 bit AES key I don't see it as a BIG weakness, but it is a weakness nevertheless.
  • The Yubikey's OTP is not connected with real time in any way. This allows for a special type of man-in-the middle attack, which was described on this forum. It works by capturing the key before it is sent to the authentication server, generate some time out failure, have the user generate the next key and then use the first key to perform some transaction.
  • If you use ONLY the Yubikey, loosing your key is loosing your identity. If someone finds your key and - given he knows where you used it - enters your websites with it, you're lost. The same applies to the SecureID token. However, as with the SecureID token, a second factor can be used to prevent this (e.g. passphrase, pin etc.)


However, implementing Yubikey authorisation is VERY simple, does not cost much and works on almost all platforms. I can't really understand your point of view w/regard to the Yubikey at all, nor can I suggest other / better solutions, given that you have already tried SecureID and Yubikeys. Sorry, mate.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group