Yubico Forum https://forum.yubico.com/
Could a stolen Yubikey be used to emit a static passcode? https://forum.yubico.com/viewtopic.php?f=35&t=2291
Author: genealogyxie [ Thu Apr 28, 2016 3:29 am ]
Post subject: Could a stolen Yubikey be used to emit a static passcode?
So I set up my Windows 10 Pro computer with BitLocker according to this: viewtopic.php?f=16&t=1054&p=8575#p8575 It took me a while, but I realized what it was wanting me to do is program a regular password into the YubiKey so it will type in that password whenever I press the button. But if my YubiKey were stolen, wouldn't the hacker know the password? Seems like very low security.
Author: ChrisHalos [ Fri Apr 29, 2016 12:25 am ]
Post subject: Re: Could a stolen Yubikey be used to emit a static passcode
The button on the YubiKey is a capacitive touch sensor, not a biometric, so yes, anyone with physical possession of the YubiKey can use the Slot 1 / Slot 2 credentials. This is why we recommend, if you are going to use a static password, to have the YubiKey only provide part of the password (i.e. type in a short password, followed by using the YubiKey to send the remainder of the password). If you lose your YubiKey and someone finds it, they aren't going to know what the credential goes to, as there is no identifiable information on it. The only parts of the YubiKey that require validation before being able to use a credential are the OATH applet (although a password isn't required here), PIV, and OpenPGP.
All times are UTC + 1 hour