Yubico Forum :: View topic - Yubico Authenticator in OSX

dain wrote:

Full specification of the applet (as well as the source code) and the protocol it implements is available online already. I have also written code which is capable of extracting OTPs for all credentials stored on the YubiKey, it's called Yubico Authenticator and is available for major desktop OSes as well as Android.

Hah! Dain...do I detect a wee bit of snark?

---

I understand the threat model that OTPs are meant to mitigate: remote reuse of login credentials from a machine not under the control of the rightful account holder. Man-in-the-middle and/or Man-in-the-browser threats/attacks are generally out-of-scope for OTPs, but may become in-scope for certain OTP-enabled applications that require additional safeguards.

That being said, because a) the yubikeys (esp. nano/-n models) are often left in the USB port for long periods of time *and* b) because the desktop version of Yubico Authenticator will continuously generate TOTP codes for all accounts *and* c) because desktop systems can get compromised pretty easily...sum all three items together results in my opinion that leaving the code generation going on for hours/days by default is not the best default choice.

Having to remember to explicitly quit the authenticator (esp. because alt-f4 puts it in the windows system tray, continuing to generate codes) or pull out the key (which will interfere with PIV or PGP operations) seems to require a bit too much active mitigation on the part of the end user. It's not "default safe", it's "default convenient".

Relating to the issue ticket I put into github: the safest behavior would be an optional touch-required mode w/ the flag configured in the authenticator but stored and enforced by the applet. This would likely require applet changes and therefore new hardware - so it would be safest but not really optimal to solve the issue today. A second choice mitigation would be hard-coding a small number of consecutive code generations before the password is discarded and re-prompted for. A third choice mitigation would be a local setting for number of consecutive code generations (with 0 for continuous). I also understand that a single-code-before-relock is also not optimal due to bad-luck timing, so that being hardcoded would probably not work well.

In the short term for current users that really need a physical lock on the code generation...

Since the two classic slots already support touch-required and can now be utilized for TOTP codes with the desktop authenticator: if there's a particular account that is very sensitive, then store that account's TOTP secret in one of the two classic slots and configure that slot to require touch.

Just some thoughts.

Thanks,
Brendan

Author:	dunkel [ Tue Nov 10, 2015 7:01 pm ]
Post subject:	Re: Yubico Authenticator in OSX
brendanhoar wrote: dain wrote: Full specification of the applet (as well as the source code) and the protocol it implements is available online already. I have also written code which is capable of extracting OTPs for all credentials stored on the YubiKey, it's called Yubico Authenticator and is available for major desktop OSes as well as Android. Hah! Dain...do I detect a wee bit of snark? --- I understand the threat model that OTPs are meant to mitigate: remote reuse of login credentials from a machine not under the control of the rightful account holder. Man-in-the-middle and/or Man-in-the-browser threats/attacks are generally out-of-scope for OTPs, but may become in-scope for certain OTP-enabled applications that require additional safeguards. That being said, because a) the yubikeys (esp. nano/-n models) are often left in the USB port for long periods of time and b) because the desktop version of Yubico Authenticator will continuously generate TOTP codes for all accounts and c) because desktop systems can get compromised pretty easily...sum all three items together results in my opinion that leaving the code generation going on for hours/days by default is not the best default choice. Having to remember to explicitly quit the authenticator (esp. because alt-f4 puts it in the windows system tray, continuing to generate codes) or pull out the key (which will interfere with PIV or PGP operations) seems to require a bit too much active mitigation on the part of the end user. It's not "default safe", it's "default convenient". Relating to the issue ticket I put into github: the safest behavior would be an optional touch-required mode w/ the flag configured in the authenticator but stored and enforced by the applet. This would likely require applet changes and therefore new hardware - so it would be safest but not really optimal to solve the issue today. A second choice mitigation would be hard-coding a small number of consecutive code generations before the password is discarded and re-prompted for. A third choice mitigation would be a local setting for number of consecutive code generations (with 0 for continuous). I also understand that a single-code-before-relock is also not optimal due to bad-luck timing, so that being hardcoded would probably not work well. In the short term for current users that really need a physical lock on the code generation... Since the two classic slots already support touch-required and can now be utilized for TOTP codes with the desktop authenticator: if there's a particular account that is very sensitive, then store that account's TOTP secret in one of the two classic slots and configure that slot to require touch. Just some thoughts. Thanks, Brendan I would call it a wee bit of arrogance. Thank you, this clarifies the issue a bit although it doesn't fix it.

Author:	dain [ Wed Nov 11, 2015 4:20 pm ]
Post subject:	Re: Yubico Authenticator in OSX
I'm sorry if you took offence, let me instead address your complaint and why I don't see it as a very serious issue. The YubiKey NEO has never claimed to protect usage on a malware infected computer, because doing so is practically impossible. Say we add a button press requirement to generate an OTP. If you cannot trust the machine you are using due to malware, how can you know that the button you're pressing will unlock the intended credential, and provide it to the intended recipient, for the intended purpose? If you encrypt or decrypt something on a compromised computer, then malware can steal the plain text and key. If you sign anything you cannot know what is being signed. At this point you've already lost. Claiming that something is useless because it can be circumvented is a fallacy, akin to saying that all locks are useless since the attacker might steal your key. The password protects you from unauthorized usage if someone gains physical access to your YubiKey. Could you quote the exact page and section of the website that you feel is misleading? That's obviously not our intent, so hopefully we can word it better. Please be as specific as possible.

Yubico Forum https://forum.yubico.com/

Yubico Authenticator in OSX https://forum.yubico.com/viewtopic.php?f=26&t=2077	Page 2 of 2

Page 2 of 2	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/