Simon wrote:
jwoltman wrote:
I agree with patgadet - since the Yubikey can be part of a multi-factor authentication system, it can be the "something you have" part.  So if a bad guy has physical access to your yubikey, then all bets are off and you're toast.  But that's the same if you have some other sort of security token.  A good system should probably employ a user+password+yubikey.
That's true.  However, a 10s-check catches the scenario where the attacker borrowed your yubikey for a few minutes, and generated a lot of OTPs and then returned the yubikey.  This can be a feasible attack that doesn't take many seconds.  Thus, a "best practice" for web sites that use yubikeys for sensitive stuff would be to require the user to authenticate several times and compare the time deltas.  If the yubikey is removed and re-inserted (i.e., counter=0), ask for another OTP and compare time deltas.
If you use a device with a battery then someone who gets a copy of the code sent to site A can not use it on site B (outside the few minutes in the time window).
It seems to me that if I was to use a Yubikey to authenticate to multiple sites, and if one of those sites was compromised or the key was captured in-flight then the attacker could use it to login to other servers.
For example let's say I want to login to two servers via ssh from an Internet cafe.  Let's also assume that I don't want to have them talk to each other (maybe they are owned by different people - and even if they were owned by the same person there are reliability issues in getting multiple servers to talk to each other).
So if I use a Yubikey on machine A then an attacker could use the same key to immediately login to machine B.  Now there is the option of using a password as well.  But if I was to use the same Internet cafe on multiple occasions (or do something else that allows a hostile party to get the password) then they win.
Realistically, few people have a threat model that involves an attack of that complexity (for basic 0wnage the simpler attacks work well enough that the bad guys are kept busy and wealthy).  Also for the case of ssh access a skilled attacker could own the terminal and take over a session once it was authenticated, fake a BSOD and make the user think that they just lost access.  A few hours of access while the legitimate user thought that they were having technical problems could do a lot of damage.
Also even if a device using Yubikey technology (USB keyboard based) had a battery and included a time-stamp, this would not prevent an attacker from logging in to server B within a matter of seconds of me logging in to server A.  So the battery backed keys that display a number are also vulnerable to the same attack.  It seems that solving this properly (in a cryptographic sense) would require that the key receive a challenge from the server.
As the caps-lock light is used for sending data to the key, I wonder if (using hardware that is more advanced than the current Yubikey) it would be possible to have an enhanced mode of operation which uses the caps, scroll, and num lock lights to transmit 3 bits of data per baud to send a challenge from the server, that should allow sending a 32bit challenge in a small amount of time but would require client software to manipulate the LEDs.