Yubico Forum https://forum.yubico.com/ |
|
Dual usage Yubikey https://forum.yubico.com/viewtopic.php?f=4&t=287 |
Page 1 of 2 |
Author: | Jakob [ Mon Mar 09, 2009 12:29 am ] |
Post subject: | Dual usage Yubikey |
A question that comes up often is the desire to use the Yubikey for multiple purposes, i.e. having two (or more) independent configurations in a single Yubikey. Since we introduced the static OTP feature and opened up for TrueCrypt usage, we get questions in and around this matter several times a week. I agree - it is a sensible feature indeed. A straight-on approach is to have a Yubikey with two buttons, where each button triggers an OTP according to configuration 1 or 2. The basic scenario would then be that the first configuration is a dynamic OTP, linked to the Yubico authentication service. The second configuration is then user defined and could then be a static OTP for use with a local TrueCrypt- or PGP setting. It probably goes without saying, but the configurations would of course be identical in functionality and freely configurable. Apart from the obvious obstacle of having a second design, I am a bit concerned that although IT professionals may find it obvious, it will be confusing for "normal" users. Maybe this second concern should not be taken so seriously after all. Just like we have multiple buttons on the remote control, switching between cable, DVD and VCR, we could maybe live with it. However, making a dual-button Yubikey won't happen in the near future. Therefore, just as a quick poll without promising anything - how about making a dual usage of a single button, within the scope of the current hardware ? Not entirely sure what the best way would be, but just venting some ideas: One option can be: - A single tap on the button 0.3 - 1.5 seconds -> trigger OTP 1 - Holding for 3 seconds or more -> trigger OTP 2 I guess the the OTP shalll be triggered when the button is released... ? Alternative 2: - A single tap on the button -> trigger OTP 1 - A "double-click" like a mouse double-click -> trigger OTP 2 Alternative 3: - A toggle function setting the default OTP configuration 1 or 2. - Holding the button for 3 seconds toggles. - A single tap triggers the current OTP - The LED flashes differently when idle depending which configuration is selected Other ideas ? What do you think ? Just confusing and a source of problems ? Worth mentioning is that if such a function would be implemented, it shall of course be configurable. If not configured, the Yubikey would work as today. Regards, Jakob E Hardware- and firmware guy @ Yubico |
Author: | Dick [ Mon Mar 09, 2009 10:04 pm ] |
Post subject: | Re: Dual usage Yubikey |
My YK is plugged into the front panel of my "desktop" computer which stands vertically on the floor under my desk. I reach down to touch the button, generally without looking at it. Double tapping or short/long tapping could be awkward so I think alternative 3 would be easier to use and less prone to errors. I'd like the startup configuration to be programmable or to be set to what it was when last inserted. Dick |
Author: | iipee [ Mon Mar 09, 2009 10:37 pm ] |
Post subject: | Re: Dual usage Yubikey |
Alternative 1: I think this is the best one Alternative 2: Some times Yubikey is not very steady when inserted. I believe double tapping isn't always easy Alternative 3: In this user doesn't have to know he has two different modes. In that case if he acccientally changes mode he's lost. I would think in my case I would need static pwd in boot and after that only OTP. I would rather hold 3 seconds on boot that "spending extra 3 seconds" just changin mode. |
Author: | Kamikaze28 [ Tue Mar 10, 2009 9:04 am ] |
Post subject: | Re: Dual usage Yubikey |
iipee wrote: Alternative 2: Some times Yubikey is not very steady when inserted. I believe double tapping isn't always easy As far as I can tell, Yubikeys will never ever be steady in any standard USB port - just by design. "Usual" USB plugs have this metal casing which the Yubikey lacks - this metal frame is just meant to sabilize and lock the connection. As the Yubikey lacks this frame and is just half as thick as the USB plug is designed for, it will always be a bit wobbly. Don't get me wrong though, the data-connection is fine, because the contact on the plug-side are flexible. BTT: #1: 0.3 seconds as the lower threashhold could be a bit low and thus may allow accidental submission of OTPs. Still, I think this is the most promising way, once you have the timing. Currently I leave my finger on the key until I can see it typing - which I shouldn't do if I configure OTP2 to be the Static one. #2: This seems to be the most intuitive way to go - but still, there is the opportunity for accidental OTPs as 'taps' are very short and the Yubikey has to be quite sensitive to register them. #3: I think, this is the most compley solution as it can hardly be operated blindly. Depending on where your Yubikey is plugged in, it can be troublesome to determine in which mode the key is right now. One additional thought: If you switch modes, you probably want to emit an OTP in the new mode, so why not say "Holding the button for 3 seconds toggles modes and emits an OTP in the new mode". |
Author: | JH2007 [ Fri Mar 20, 2009 3:09 am ] |
Post subject: | Re: Dual usage Yubikey |
I hope I'm not too late to this discussion. Well Jakob I slept on it and a month later, I came full circle to the same form factor (see design A2). "Other ideas?" Yes I have a few, see some concepts animated here. http://www.execulink.com/~jhewitt/forms ... twork.html Several designs are only as rough sketches, penciled notes, and observations that aren't worth even adding to the page. Regardless, let me know your thoughts Jakob. I can provide more info of my investigations and elaborate. (Just not sure if you'll find any of it useful.) PS. The "two button Yubikey" would offer Alternative 4: - Button 1 -> trigger OTP 1 - Button 2 -> trigger OTP 2 - Button 1+2 -> trigger OTP 3 - Button 1+doubletap2 -> trigger OTP 4 - Button 2+doubletap1 -> trigger OTP 5 |
Author: | JH2007 [ Fri Mar 20, 2009 3:20 am ] |
Post subject: | Re: Dual usage Yubikey |
I forgot to make note of D3 (as static image only) it simply shows 4 holes where the rubber/plastic "bumpers" could be attached by the end user. I'd suggest a Yubikey could come with say 3-5 basic colours, and Yubico could retail an Accessory Kit with say a dozen+ other colours. Of course the parts could be glued on, melt together, riveted, bolted, etc... but sometimes it's just best to let the customer put the final touches on. I was thinking of a thin plastic "bumper", one on each side. This would also allow a person to put together more than one colour. I'd guess that letting the customer put the "bumpers" on, would be more economical too. |
Author: | dsaint [ Sun Mar 22, 2009 1:05 am ] |
Post subject: | Re: Dual usage Yubikey |
Hi: This is some serious online product design, permit me to add my two cents to the design process. I like the multiple buttons, but I think we can implement everything with a single button. We have a design with 4 or 5 indicator lights, why not use the 4 indicator lights and implement a binary or quasi-binary type sequencing. Reserve the 1111 (all on) for POST of the key and 0000 (all off) for the default. Use the one button as a toggle, press for 5-8 seconds to enter toggle mode where the key will sequence slowly through the options, press the button once again when you get to the one you are working with. The key would then signal by flashing the 1111 twice and then indicate the mode selected. Press the button 10+ seconds and reset the key to the default yubico config 0000. Other resets can possibly be made, perhaps a reset of all but the default code. The key can then have the default plus up to 13 additional operational modes ( if the electronics can allow that many). We could use 3 indicator lights, with 6 modes or a 2 indicator with 2 modes in addition to the default. Yes, please let the key be able to remember the last setting, let this be an option when the key is programmed by the user, either to keep the last mode or always go back to default. I should think that the default operation without any user programming should be to not toggle; we therefore remove any confusion with users who want to keep it simple. It is probably cheaper to design the 4 button and produce in bulk, but, I suspect that most people will only need the 2 or 3 light, only uber-geeks would want or need a 4. Hence we might want to sell a 3 as a compromise. |
Author: | JH2007 [ Sun Mar 22, 2009 5:50 am ] |
Post subject: | Re: Dual usage Yubikey |
Thank you dsaint. Personally I feel that the default plus 3 indicator lights would be sufficient. But the designs are just concepts and as you mentioned it is the underlying engineering and costs that are often a determining factor. I had thought of the light colours pulsing versus steady state for mode/password indicators but this is something that seems to really confuse the non-geeks/IT. You know, it didn't start as "product design" just simple creations to get something that will work. Basically, I've been looking at using Yubikey as Inventory control and POS (Point of Sale) for a small business. But the recipients are not techno-geeks or IT-pros... So While showing many of them the Yubikey I often heard 2 comments. What happens if I loose it? and How can I put my password on it? The finer points of the Yubikey, DB and software, and all the security a Yubikey represents seems lost on everyone there. So I started sketching several designs, the first was a two button Yubikey that I emailed off to Jakob who express a desire for same formfactor one button designs. I've dozens of designs not worth posting because of serious design flaws or the dreadful confusion they will create (ie. design L). In brief: I kept sketching designs and seeing until I had some that seemed to not confuse the people I want to use the Yubikeys with. I almost forgot, only the F, M, and N series was two button design, all the others ended up as just ergonomic designs that people seemed comfortable with. |
Author: | Jakob [ Mon Mar 23, 2009 2:10 am ] |
Post subject: | Re: Dual usage Yubikey |
Thanks all for great input. Cool with the sample designs and implementations. Personally, I am slightly sceptical to the concept of making too much use of the indicator lights, independent if this means adding more than the current one or just adding different patterns of flashing etc. In the case the Yubikey is inserted at a slightly awkward location, or take a pretty common case - in the back of a laptop. Reaching with the finger is okay but checking out lights is a different game. Multi-colored indicator lights typically attracts bad feedback from color blind people. But thanks - We're working on a few sample implementations as I guess the best thing is to try it out in a real setting. We'll return when the time is ready to try it out... Regards, JakobE Hardware- and firmware guy @ Yubico |
Author: | JH2007 [ Tue Mar 24, 2009 4:21 am ] |
Post subject: | Re: Dual usage Yubikey |
Thank you Jakob. I think that all concepts at this point will have pros and cons. Let me brainstorm here a moment: I admit I'd forgotten about colour-blindness with the two designs A2, and J4. After some consultation I can state that if you stick to using Green and Blue combo, or using a Red and Yellow combination, then you'll be fine. Record their operation, then grayscale the recording and ensure that the two colours are distinctly different shades of gray for maximum compatibility. Or simply consult a colour-blindness medical specialist, because this field is well researched and documented. Morse Code? The idea of tapping some cryptic sequence into a yubikey that's plugged into the back of a computer or laptop, is just as useful as indicator lights... I don't think the average computer user would want to tap-tap-tap-tap-tap their way through passwords... This is especially true for persons with fine motor control difficulties, and I believe they outnumber colour blind persons. So how about adding a micro-speaker or piezoelectric/buzzer? Personally I'm tone deaf, so the speaker would be of no use to me. Except perhaps in the duration, but honestly, it'll just annoy me. So who needs what feature? - Hearing impaired or deaf persons may prefer: lights on, and sounds off. - Visually impaired or blind persons may prefer: lights off, and sounds on. - Deaf+Blind persons would require Braille cells, which are actually a fairly good solution to this entire problem, but they are very expensive, very bulky, and mechanical. Would a two button Yubikey overcome the plugged in the back of a laptop dilemma? No. Because if the average computer user can't see it then they are just fumbling around a large piece of equipment. And the laptops I've handled in the past ~6 years don't present me with the USB on the back issue... So perhaps Yubico should simply sell a generic USB gender swapping extension cables like the 3foot long ones sold at (dollar stores) for $1.00 CDN ? http://megacomputer.ca/product_info.php ... cts_id=132 This is turning out like that Jerry Sienfeild episode where he thinks back to every girl he dated and how he found something wrong with each of them. Summary: So a Yubikey with a speaker and two Complementary prime colours for light-indicators. Both sound and lights working as indicators and either/both can be toggled on/off may be the best solution. The personalization software should toggle the action between a tapping, versus a hold and let-go at certain indicator lights/sounds. I'd say that the timings themselves must all be 100% changeable through the personalization software and let the customer decide. But how much will the hardware for such a beast cost? It is exactly like having two or more standard Yubikeys in one package, and I assume the Economic Standard Yubikey will be still available. Especially for first time users and cost-minded businesses. Failing all of the above, I'll stay with the current version of the Standard Yubikey which is perfect for everyday businesses-related work/database/inventory/etc... usage. |
Page 1 of 2 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |