Posting on behalf of Vlastimil Ovčáčík:
Hello,
I would like to use a Yubikey to encrypt/decrypt my saved passwords in Firefox 3.0 or higher. The passwords are protected by a Master password. I know that the Yubikey itself cannot provide the Master password, but the Yubikey could authenticate me (me as the possible Yubikey holder) on a server - and the server will provide the Master password...
Use case:
a) there is a user who has a Yubikey, the user has Firefox 3.0, Firefox has an extension installed (client), and there is a server on the internet
b) the user starts Firefox and wants to use one of the encrypted passwords saved in Firefox
(note: to decrypt the password we need the Master password; the Master password will be provided by the server)
c) the extension will ask the user to provide an OTP (by using the Yubikey)
d) the extension will send the OTP to the server (HTTPS)
e) the server contacts the Yubico Authentication Server (sends the OTP)
f) the Yubico Authentication Server sends the user ID and confirmation of the OTP to the server; otherwise (bad OTP) the process ends
g) according to the user ID and confirmation of the OTP, the server will send the appropriate Master password to the extension (Firefox) (HTTPS)
h) the extension can now decrypt the saved passwords in Firefox 3.0
The Firefox extension implementation:
1) The extension can be implemented as a whole new Password manager (see this) or
2) just use the API of the standard Password manager.
Server implementation:
The server just has to securely store the Master password and provide the appropriate Master password to an authenticated user.
1) Maybe an OpenID server with Yubikey authentication or
2) Something like OpenSSO with Yubikey authentication or
3) A whole new implementation for this special purpose.
As you see, I am not an expert. I am looking forward to your comments. I would be very happy if we would find a secure way and at least thus flexible solution for storing passwords in Firefox. I believe that not only for me this would be a killer app for Yubikey.
Regards
Vlastimil Ovčáčík
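
The server side of steps d) to g) above, as an added example that is not part of the original post or any project's code: it releases the stored secret only when the validation reply is authentic, answers this exact request, and reports a fresh OTP from a known key. It assumes the validation service signs its reply with a shared HMAC key and echoes the OTP and a nonce; `FakeValidator`, `release_master_password`, `API_KEY` and the vault layout are hypothetical names, and the OTPs are constructed.

```python
import base64, hashlib, hmac, re, secrets

OTP_RE = re.compile(r"[cbdefghijklnrtuv]{32,48}")  # modhex: public ID + 32-char token
API_KEY = b"constructed-demo-key"  # constructed; assumed shared with the validator

def sign(fields):
    """Base64 HMAC-SHA1 over the sorted key=value pairs (the 'h' field is excluded)."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(API_KEY, msg.encode(), hashlib.sha1).digest()).decode()

class FakeValidator:
    """Offline stand-in (hypothetical) for the authentication server in steps e-f."""
    def __init__(self, genuine):
        self.genuine, self.seen = set(genuine), set()

    def verify(self, otp, nonce):
        if otp not in self.genuine:
            status = "BAD_OTP"
        elif otp in self.seen:
            status = "REPLAYED_OTP"  # every OTP is accepted at most once
        else:
            status = "OK"
            self.seen.add(otp)
        reply = {"otp": otp, "nonce": nonce, "status": status}
        reply["h"] = sign(reply)
        return reply

def release_master_password(otp, validator, vault):
    """Steps d-g: return the stored secret only for a fresh OTP from a known key."""
    if not OTP_RE.fullmatch(otp):
        return None
    key_id = otp[:-32]  # the prefix before the 32-char token identifies the key
    if key_id not in vault:
        return None
    nonce = secrets.token_hex(16)
    reply = validator.verify(otp, nonce)
    checks = (
        hmac.compare_digest(reply.get("h", ""), sign(reply)),      # reply is authentic
        reply.get("otp") == otp and reply.get("nonce") == nonce,   # answers this request
        reply.get("status") == "OK",                               # not bad, not replayed
    )
    return vault[key_id] if all(checks) else None

# Constructed sample data: 12-char key ID followed by a 32-char modhex token.
KEY_ID = "cccccccfhcbe"
OTP_1 = KEY_ID + "bdefghijklnrtuvc" * 2
OTP_2 = KEY_ID + "vutrnlkjihgfedbc" * 2
VAULT = {KEY_ID: "constructed-master-password"}
```

Calling `release_master_password(OTP_1, FakeValidator([OTP_1]), VAULT)` returns the stored value once; a second call with the same validator and OTP returns `None`.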