Yubico Forum


All times are UTC + 1 hour




 Post subject: The Yubikey API??
Posted: Mon Oct 27, 2008 11:54 am

Joined: Sun Oct 26, 2008 11:02 pm
Posts: 2
I have figured out how to authenticate with a Yubikey in PHP and bind it to a database, so far so good. I want to have that integrated on a community I'm in but not running.
Does it compromise security if I tell him how I managed to integrate Yubikey in a login procedure and I give him my API id/info, which is a criterion for authenticating against Yubico's servers?
If it's a danger that I hand him my API key/id, then what do I do to make login possible in places I do not control? I want it to be as much out on the internet as possible, but I do not run that community to which I want to add Yubikey authentication. I do not think he will misuse it, or if he even can. But I will not compromise security regarding the Yubikeys; then the point goes away, hehe.


 Post subject: Re: The Yubikey API??
Posted: Mon Oct 27, 2008 10:45 pm

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Why not ask the community owner to support using a Yubikey to log in? It won't take more than a few hours to do so, based on past experiences.

The site should use https to connect to https://api.yubico.com, and validate Yubico's SSL certificate.

If not possible, then you are right that if the Yubikey is owned by you, not by the community owner, only you have the API key to sign the request and verify the response. Then sharing your API key with a trusted service provider can be a solution if you want all your requests/responses to be signed and verified.

Cheers

_________________
The YubiKey Server Guy


 Post subject: Re: The Yubikey API??
Posted: Tue Oct 28, 2008 9:33 am

Joined: Sun Oct 26, 2008 11:02 pm
Posts: 2
Hi Paul

I own a Yubikey, of course.
I got it to work by authenticating it against Yubico's servers and matching the unique 12 characters of the Yubikey against a database containing this unique part of the key, thus success, and I have an easy PHP-based solution even though I don't have that much coding experience, not compared to at least other PHP solutions I've seen.

I want the key to be able to be used anywhere.

The place I would like to see it added is a community run by a guy that's an ASP coder, thus I cannot implement it myself.

Yubikey is a security token, thus I don't like the idea of revealing how it's done and handing out my API key.

He doesn't own a key and I will not ask him to buy one just for it to work; it's in my interest that it will work, not his.

Can I hash/mask my id or something? As my code is PHP, I cannot in any way let him borrow code server-side remotely so he would not see the id/api.

What should I do? Just hand him the technique behind the authentication and my API/ID, and trust that he will not misuse it? Or do I have any other option? I doubt he has any way of getting OpenID, https or any other special means for this security measure. I know it's Open Source and ASP is not an Open Source language, but yet it should be able to be done, right?
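
The checks discussed in the two posts above (verifying the signed response with the API key, then matching the 12-character public ID against a database), as an added example that is not part of the original thread or Yubico's code. It assumes the field names of Yubico's validation protocol 2.0 (`otp`, `nonce`, `status`, `h`) and the default 12-character public ID; the key, OTP, account table and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo values, not real credentials or a real OTP.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "ccccccbdefgh" + "ijklnrtuvcbdefgh" * 2  # 12-char public ID + 32 chars

def sign(params, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs (without h), base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def parse_response(body):
    """Turn the key=value lines of a verification response into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)  # the h value may end in '='
            fields[key] = value
    return fields

def check_login(body, otp, nonce, api_key_b64, known_ids):
    """Return the account bound to this key, or None if any check fails."""
    resp = parse_response(body)
    expected = sign(resp, api_key_b64)
    if not hmac.compare_digest(resp.get("h", "").encode(), expected.encode()):
        return None  # not signed with our API key: forged or altered in transit
    if resp.get("status") != "OK":
        return None  # e.g. REPLAYED_OTP or BAD_OTP
    if resp.get("otp") != otp or resp.get("nonce") != nonce:
        return None  # a valid response, but for a different request
    return known_ids.get(otp[:12])  # public ID -> local account (hypothetical table)

def build_sample(otp, nonce, status="OK", key=SAMPLE_KEY):
    """Constructed server response for the demo, signed with the given key."""
    fields = {"otp": otp, "nonce": nonce, "status": status}
    fields["h"] = sign(fields, key)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    accounts = {"ccccccbdefgh": "user42"}  # constructed binding
    good = build_sample(SAMPLE_OTP, "nonce0123456789ab")
    print(check_login(good, SAMPLE_OTP, "nonce0123456789ab", SAMPLE_KEY, accounts))
    altered = good.replace("status=OK", "status=OK\r\nsl=100")
    print(check_login(altered, SAMPLE_OTP, "nonce0123456789ab", SAMPLE_KEY, accounts))
```

Every check after the signature comparison relies on fields that the signature covers, which is why the response can only be trusted by a party holding the API key.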


 Post subject: Re: The Yubikey API??
Posted: Thu Oct 30, 2008 8:20 am

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Asselberghs wrote:
Hi Paul
....
I want the key to be able to be used anywhere.
....


Hi, Asselberghs,

I share the same passion to use Yubikey anywhere. Did you try using MashedLife.com? It is the closest to the vision.

Cheers

_________________
The YubiKey Server Guy


 Post subject: Re: The Yubikey API??
Posted: Wed Sep 30, 2009 9:08 pm

Joined: Wed Sep 30, 2009 8:35 pm
Posts: 4
Why not ask the owner of the site to implement OpenID (pretty easy, there is an ASP library at www.openidenabled.com)? If you sign up with a site like www.clavid.com, they have implemented the OpenID server side library (OP) so that you can sign on with your Yubikey :D

ocibuy

