Yubico Forum

PostPosted: Thu Jun 05, 2008 9:05 am 
There are good starting points:

http://msdn.microsoft.com/en-us/library/aa380543(VS.85).aspx

But are GINA DLLs ignored in Windows Vista?

How promising is pGINA? http://www.pgina.org/

Typically we just need to implement a CSP for a device and the Windows login prompt should be able to pick it up from there; will that work for YubiKey?

_________________
The YubiKey Server Guy



PostPosted: Tue Jun 17, 2008 12:08 am 
One note here is that if you use a yubikey in "static OTP" mode, which is possible from firmware v1.3, it will be possible to use with any existing password-based Windows login. Just change your Windows password to the static OTP.

/Simon


PostPosted: Fri Jun 20, 2008 3:04 am 
My company has done this:

http://AuthLite.com


Last edited by ferrix on Sat Jul 25, 2009 1:01 am, edited 1 time in total.

PostPosted: Wed Jun 25, 2008 8:13 am 
ferrix wrote:
My company is interested in building and selling a custom windows interactive authentication module (they are a lot of work). But don't worry, it will be affordable, like the keys :)


Thanks! This is exactly the kind of effort that we at Yubico want to encourage: companies should be able to develop applications or integration components and bundle them with yubikeys as a value-added service. Yubico isn't an integration company, so this co-operation is excellent for us. We have many potential customers asking for Windows login, and if you or someone else develops a solution for it, we'll send these customers your way.

/Simon


PostPosted: Wed Jun 25, 2008 2:04 pm 
Yeah well we are also happy to let the customers get keys directly from Yubico, and just license the software. A better value for end users since they don't have to pay a percentage to us for the hardware.

Simon (et al.), could you post any details about requests you've received? "Log in to Windows" is a very broad thing. I'm assuming most people want to do this in an organization and log in to Active Directory. But also some people may want to do this on their home (standalone) machines... I'm sure my fellow "Security Now" listeners probably fall into this "enthusiast" category.

So any details will be very helpful as we do development.


PostPosted: Sat Jun 28, 2008 1:10 am 
In general it is like using a PC similar to using an ATM machine. Plug in the token, enter a simple/short PIN then you are in.

The requests on Windows login go into 2 camps, as you may already know:

* Secure an enterprise PC:

2nd-factor strong auth is the selling point. The PC can be online connected to a corp AD as well as off-line when you are travelling.

* Secure a personal PC:

Convenience is the driver. People do not want to leave the PC w/o a password
but do not like the hassle of remembering & typing the password.

:ugeek:

_________________
The YubiKey Server Guy


PostPosted: Sat Jun 28, 2008 1:20 am 
paul wrote:
* Secure an enterprise PC:

2nd-factor strong auth is the selling point. The PC can be online connected to a corp AD as well as off-line when you are travelling.


The only ways I can think of to allow offline access would be:

1) Have the AES key in the machine's TPM store, and log on with local validation. Neat but it's hard to administer because it requires a secure authority to visit each laptop and commit the AES key to storage.

2) Just look at the public ID of the yubikey since we can't decrypt it without access to the AD server.

3) The default-- don't require yubikey to log in locally, but when we get back to the domain and try to access net resources, do the OTP then.
----

This is the reason I want to have these discussions here. Using symmetric encryption can be tricky because storage of the secret becomes important, and because it's impossible to evaluate the identity without knowledge of the secret or connection to (in this case) the domain.

Or, were you talking about having the OTP validation connect out to a publicly available server such as the Yubico one? But I bet enterprises will not want to trust their identity security to an external company.

I look forward to responses; trying to generate some good ideas and discussion so the product is as good as possible.


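The offline options ferrix lists above come down to what a verifier can read from a YubiKey OTP with and without the AES secret. The Go program below is an added example, not code from this thread, from Yubico or from AuthLite; it implements the documented OTP layout (12 modhex characters of public ID, then one 16-byte AES-128 block holding the private ID, use counter, timestamp, session counter, random filler and CRC) so the two halves of the problem can be seen side by side: PublicID is the only thing option 2 can check without the key, and ValidateOTP is the local validation option 1 needs once the key is available on the machine, including the counter comparison that catches a replayed OTP. The key, IDs and counters are constructed for the demo, and MakeOTP exists only to produce test material (a verifier never generates OTPs).

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: the YubiKey's keyboard-layout-independent hex alphabet.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: bad character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16: reflected poly 0x8408, init 0xffff. Run over all 16 token bytes it leaves
// the residue 0xf0b8 when the trailing CRC field is correct.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1)) // shift; xor the poly when the low bit was set
		}
	}
	return crc
}

// MakeOTP builds an OTP the way the key does: public ID in clear, then one AES-128
// block holding uid, use counter, timestamp, session counter, random filler and crc.
func MakeOTP(key, publicID []byte, uid [6]byte, useCtr uint16, sessionCtr uint8) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var tok, ct [16]byte
	copy(tok[0:6], uid[:])
	binary.LittleEndian.PutUint16(tok[6:8], useCtr)
	tok[11] = sessionCtr // timestamp (bytes 8-10) and random (12-13) stay zero in this demo
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block.Encrypt(ct[:], tok[:]) // a single block, so plain ECB is exactly the format
	return modhexEncode(publicID) + modhexEncode(ct[:]), nil
}

// PublicID is all a verifier without the AES secret can learn from an OTP.
func PublicID(otp string) (string, error) {
	if len(otp) != 44 {
		return "", errors.New("otp must be 44 modhex characters")
	}
	return strings.ToLower(otp[:12]), nil
}

// ValidateOTP decrypts with the stored secret, checks integrity and identity, and
// rejects replays using the last accepted counters, which the caller must persist.
func ValidateOTP(key []byte, uid [6]byte, otp string, lastUse uint16, lastSession uint8) (uint16, uint8, error) {
	block, err := aes.NewCipher(key)
	raw, derr := modhexDecode(strings.ToLower(otp))
	if err != nil || derr != nil || len(raw) != 22 {
		return 0, 0, errors.New("bad key length, or otp is not 44 modhex characters")
	}
	var tok [16]byte
	block.Decrypt(tok[:], raw[6:]) // raw[:6] is the public ID, raw[6:] the ciphertext
	if crc16(tok[:]) != 0xf0b8 {
		return 0, 0, errors.New("bad crc: wrong key or corrupted otp")
	}
	if string(tok[:6]) != string(uid[:]) {
		return 0, 0, errors.New("private id mismatch")
	}
	useCtr := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // top bit is a flag, not part of the count
	if useCtr < lastUse || (useCtr == lastUse && tok[11] <= lastSession) {
		return 0, 0, errors.New("replay: counters not newer than last accepted")
	}
	return useCtr, tok[11], nil
}

func main() {
	key, uid := []byte("0123456789abcdef"), [6]byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff} // constructed values
	otp, _ := MakeOTP(key, []byte{1, 2, 3, 4, 5, 6}, uid, 5, 1)
	_, _, err := ValidateOTP(key, uid, otp, 4, 0)
	fmt.Println(otp, "accepted:", err == nil)
}
```

The counters ValidateOTP returns are state the verifier has to keep per key, which is the second half of the offline problem: a laptop that validates locally while disconnected must carry its own last-seen counters as well as the AES key, and neither can be reconciled with the domain until it reconnects. Masking the use counter with 0x7fff follows the reference C library, which uses the top bit as a flag rather than as part of the count.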
PostPosted: Mon Jun 30, 2008 3:12 pm 
paul wrote:
* Secure a personal PC:

Convenience is the driver. People do not want to leave the PC w/o a password
but do not like the hassle of remembering & typing the password.


Right. I suspect that our "static OTP" yubikey will be a simpler solution for this camp.

I've asked the people who want "windows login" what they mean, but it seems there are so many things they can mean that I lose track. I'm not a windows expert. Some are using Active Directory, which if I understand correctly, would mean that it is the server that needs to become yubikey-aware and not the client (or possibly both).

Doesn't windows support radius for login authentication? If so, getting it to work should be relatively easy, at least for demonstration purposes, via our Pam module and FreeRadius.

/Simon


PostPosted: Mon Jun 30, 2008 3:28 pm 
Simon wrote:

Right. I suspect that our "static OTP" yubikey will be a simpler solution for this camp.


That is certainly an easy solution. I'm interested to see if the AES key can be pushed into the TPM chip and that way use the key in OTP mode.

Simon wrote:
Some are using Active Directory, which if I understand correctly, would mean that it is the server that needs to become yubikey-aware and not the client (or possibly both).


For logon to AD workstations, it's definitely both. The interface needs to change on the client, and there needs to be quite a lot of infrastructure code on the domain side.

But there are other scenarios. The first simple one we are supporting is to use the yubikey as a second factor to log in to the extranet, preventing remote password attacks and access. This solution would not change the way authentication to the workstations happens, only remote web authentication and VPN.

I'm just trying to get a feel for what the priorities are of the community (potential customers).

Simon if you don't want to field questions about Windows directly feel free to forward them to me at greg@collectivesoftware.com

Cheers!

