Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:33 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: The Yubikey API??
PostPosted: Mon Oct 27, 2008 11:54 am 
Offline

Joined: Sun Oct 26, 2008 11:02 pm
Posts: 2
I have figured out how to in PHP authenticate with yubikey and bind to a database so far so good. I want to have that integrated on a community im in but not running.
does it compromise security if I tell him how I managed to integrate yubikey in a login procedure and I give him my API id,info which is a criteria for authenticating agains Yubicos servers?
If its a danger that I hand him my API key/id then what do I do to make login possible in places I do not control, I want it to be as much out on the internet as possible but I do not run that community to which I want to add yubikey authentication. I do not think he will misuse it or if he even can. But I will not compromise security regarding the yubikeys then the point goes away hehe.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: The Yubikey API??
PostPosted: Mon Oct 27, 2008 10:45 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Why not asking the community owner to support using a Yubikey to login? It won't take more than a few hours to do so based on past experiences.

The site should use https to connect to https://api.yubico.com, and validate Yubico's ssl certificate.

If not possible, then you are right that if the Yubikey is owned by you, not by the community owner. Only you have the API key to sign the req and verify the response. Then sharing your API key w/ a trusted service provider can be a solution if you want all your requests/responses to be signed & verified.

Cheers

Asselberghs wrote:
I have figured out how to in PHP authenticate with yubikey and bind to a database so far so good. I want to have that integrated on a community im in but not running.
does it compromise security if I tell him how I managed to integrate yubikey in a login procedure and I give him my API id,info which is a criteria for authenticating agains Yubicos servers?
If its a danger that I hand him my API key/id then what do I do to make login possible in places I do not control, I want it to be as much out on the internet as possible but I do not run that community to which I want to add yubikey authentication. I do not think he will misuse it or if he even can. But I will not compromise security regarding the yubikeys then the point goes away hehe.

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
 Post subject: Re: The Yubikey API??
PostPosted: Tue Oct 28, 2008 9:33 am 
Offline

Joined: Sun Oct 26, 2008 11:02 pm
Posts: 2
Hi Paul

I own a yubikey ofcorse.
I got it to work by authenticateing it agains yubicos servers, and matching the unique 12 characters of the yubikey agains a database containing this unique part of the key, thus success and i have a easy PHP based sollution even though I don´t have that much codeing experience not compared to at least other PHP sollutions I´ve seen.

I want the key to be able to be used anywhere.

the place i would like to see it added is a community run by a guy thats an asp coder thus I cannot impliment it my self.

Yubikey is a security token thus I don´t like the idear of revealing how its done and hand out my api key.

He don´t own a key and I will not ask him to by one just for it to work, its in my interest that it will work not his.

can i hash/mask my id or something? as my code is PHP i cannot in anyway let him borrorw code serverside remotely so he would not see the id/api.

what should i do? just hand him the technique behind the authentication and my API/ID? and trust that he will not misuse it? or do I have any other option? i doubt he has any way of getting OpenID, https or any other special means for this security mesure. I know its Open Source and ASP is not an Open Source language but yet it should be able to be done right?


Top
 Profile  
Reply with quote  
 Post subject: Re: The Yubikey API??
PostPosted: Thu Oct 30, 2008 8:20 am 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Asselberghs wrote:
Hi Paul
....
I want the key to be able to be used anywhere.
....


Hi, Asselberghs,

I share the same passion to use Yubikey anywhere, did you try using MashedLife.com? It is the closest to the vision.

Cheers

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
 Post subject: Re: The Yubikey API??
PostPosted: Wed Sep 30, 2009 9:08 pm 
Offline

Joined: Wed Sep 30, 2009 8:35 pm
Posts: 4
Why not ask the owner of the site to implement OpenID (pretty easy, there is an ASP library at www.openidenabled.com)? If you sign up with a site like www.clavid.com, they have implemented the OpenID server side library (OP) so that you can sign on with your Yubikey :D

ocibuy


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group