Yubico Forum

Dain,

Thanks for the quick response.

Am I correct that when you get the request for password you submit my OTP for authentication through the Yubico server before returning the password?

Dick

Edit: Sorry to bother you. I found the answer in the Wiki. Should have looked first.

I undestand that this is how it works. Could you consider a future option to be able to use two-factor? Like you can setup revocation code, you could set passphrase. It would work like this:

1) When setting passphrase (first time or resetting it to another phrase) it loads all previous data stored and re-encrypt that including also passphrase in crypto (adding one more layer to backend security)
2) When using Keygenius, backend checks for session key. If it's not set, your backend want's to get your passphrase and if it's priovided it returns random BLAABLAA as a session key that keygenius clientcode stores into memory.

Passphrase wouldn't be stored into your system at all. It's just used in encryption/decryption. For example, listing sites would also ask passphrase + OTP. It should be possible to leave passphrase empty if you don't want extra layer of security.

How to provide passphrase? Two ideas:
1) give a popup when it's needed. Problem: It's difficult to give popup with password-entry field that doesn't show typed characters

2) Passphrase is written into the passwordfield before you press Yubikey. If it's missing and hasn't been already stored for that session, popup is shown that says "Please enter your passphrase in front of password field and press your Yubikey".

I would prefer 2nd idea.

I've made some updates to KeyGenius!

In the backend: Domain name checks are now done for the longest matching domain name "path". For instance, say you have a password stored for facebook.com, but you are logging in to login.facebook.com. If you have a password stored for login.facebook.com, then it is returned as normal, but if you don't, then everything up to and including the first dot is removed, and the url is tried again (facebook.com), until only one dot remains, in which case the lookup fails. This should solve a lot of problems with redundant passwords being stored for each subdomain that uses the same login, but still allows different passwords if needed. Note that the whole domain (except for www, if present) is used when storing passwords using the + or +++ prefix, so the easiest way to store a password for a higher level domain is by using the site management page.

In the plugin:
I rewrote a lot of the plugin to better coexist with existing javascript on pages. When possible, KeyGenius now clones each password field and displays the clone instead of the original. Once a password is returned from KeyGenius, it is entered into the original hidden field, and on submit, the clone is destroyed. In some cases the old method of adding event listeners to existing elements is used, namely when the original input is determined to be invisible.

For instance, facebook has a password-field that it hides on pageload, displaying another field instead. Once you focus that field, it is hidden and the password field is shown. If KeyGenius were to clone the invisible password field it would remain invisible, and thus it wouldn't work.


If the update causes any strange behaviour to occur with any sites that were previously working, please let me know!

Cool changes! I'll let you know if those fixed my earlier problems. And congralutaions for your win! Like I said, you already got my vote, I'm glad you got also jurys vote

And please consider my idea of adding possibility to use passphrase to really nail it!

Thanks! I'll concider allowing an optional passphrase for added security. If I do implement this I think it would be used completly locally


EDIT: That's strange, it seems most of my message got cut off.
Anyway, what I wrote was that I would probably optionally encrypt and decrypt locally in the browser, requiring you to enter the extra passphrase each time you want to access the password. The pros of this is that you never submit your actual password anywhere but to the site where you are using it. The cons are that the plugin would grow a bit in complexity to allow this new functionality, and would have to include an encryption algorithm.

Hi, Dain

Firstly, KeyGenius is a genius idea! Love it.

I too am awaiting eagerly for open source release of the back end. I am willing to help in documenting/cleaning the code if you don't have time. What are the requirements to install the backend? What language is the code in?

Hi Hacho!

The open source backend is almost ready, http://kg.yubico.com is currently using the rewrite I'm doing, so it's fully functional. It is running on a basic LAMP stack (Linux, Apache, MySQL, PHP), using the Symfony web framework which is written in PHP. To run the KeyGenius backend yourself you will need PHP5 and a database supported by Symfony. I doubt I'll have time to get the code up before the RSA conference next week, but I expect to have it available shortly after that.

The backend source is now available for download!
There isn't much documentation available for now, but you can download the code and run it yourself. It is available at:
http://code.google.com/p/keygenius/
You will need to use SVN to get the code.

Please post any quertions you have about it, or any feedback you wish to give.

I'm rather curious about keygeni.us (AppEngine) in comparison to kg.yubico.com. Are you using python for this? Or java? Or one of the many languages that runs on top of java? I'm guessing that the backend there is not php. If it's ruby or python, I would love to see the source code as every now and then I find time to scratch an itch or two.

Kindest Regards,
tim ^,^

Does anybody have this working with Chrome and greasemetal? For me it captures passwords, but I have not successfully used it to log on. What is the best way to debug?
--
John Cooper