Yubico Forum


All times are UTC + 1 hour




Posted: Sun Jun 02, 2013 5:07 pm

Joined: Tue May 28, 2013 2:14 am
Posts: 4
NOTE: This project is still in the prototyping phase, but I'm posting early for three reasons:
  • I want to let people know what I'm working on to get a sense of the interest.
  • I want to give Yubico the chance to object to this before I submit any code to pwSafe. I would be sad if Yubico squashed this project, but I would be so much sadder if they sued me under the DMCA.
  • By posting this publicly, I'm putting some pressure on myself to actually get this done.


Project Name: YubiKey emulation for pwSafe on iOS

License: TBD (depends on how things work out with the pwSafe team)

Description: The goal of this project is to add YubiKey-compatible HMAC-SHA1 challenge-response emulation to pwSafe for iOS so that safes can be shared between Windows PCs and iOS devices without sacrificing two-factor authentication.

Platforms: Hopefully all iOS versions supported by pwSafe

Webpage: The plan is to submit the code to App77 for inclusion in pwSafe, so unless there is a reason to post some of my code separately, I probably won't create a separate site.

Tutorial: None yet, but if App77 accepts my code, the pwSafe FAQ should get updated


Background
I use Password Safe on Windows and the pwSafe app on my iPhone. I want to have access to my safes wherever I am, but I don't trust Dropbox enough to feel confident protecting my safes with just a password. Enter YubiKey, which saves the day with super-simple two-factor authentication! I can use it to securely access my safes from anywhere in the world ... except on my iPhone.

Some companies that produce less convenient hardware authentication tokens (e.g. for authenticating with your company's VPN) provide phone apps that emulate the functionality of the hardware token. Wouldn't it be nice if my iPhone could emulate my YubiKey, at least as far as pwSafe is concerned?

Status
After quite a bit of experimentation, I was able to write a simple Python script that accepts my Password Safe password and my YubiKey secret and generates the response required to unlock my YubiKey-secured safe (without using my YubiKey). The next step is to implement the equivalent code in Objective-C along with code for securely storing the YubiKey secret. Finally, I'll need to make changes to the pwSafe UI and contribute all of this back to the pwSafe team. (Isn't open source great?!)

I will post again or update this post as I make progress. I will also be updating a related thread on the pwSafe forum: http://pwsafe.uservoice.com/forums/118319-general/suggestions/3050099-add-yubikey-otp-support

I'd love to hear feedback from folks who think this is valuable and folks who have suggestions/questions/security concerns. I'd also love to hear something from the Yubico team so I don't have to live in fear of receiving a DMCA cease-and-desist letter.

Thanks in advance for any feedback!



Posted: Mon Jun 10, 2013 10:48 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Please read your PM.

_________________
-Tom

