Yubico Forum


PostPosted: Mon Oct 12, 2009 11:48 am 
Joined: Mon Oct 12, 2009 11:29 am
Posts: 3
A reference implementation for using YubiKey time stamps to improve
security is started. The project is hosted at

http://code.google.com/p/yubikey-timedelta-server-php/

A demo server of the project is available at

http://timedelta.yubico.com

Feedback on the demo server is most welcome.
Especially on how the interface is perceived
from a user convenience and security perspective.

-
Olov Danielson
Yubico



PostPosted: Mon Oct 12, 2009 6:09 pm 
Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
olov wrote:
A reference implementation for using YubiKey time stamps to improve
security is started. Feedback on the demo server is most welcome. Especially on how the interface is perceived from a user convenience and security perspective.


Hey, Olov,

nice work!

The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between 2 apps (Yubidrone and the browser) which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone 8-).

A remark: if we were forced to use this method regularly, we would exhaust the key much faster :shock:

Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter 3 OTP's may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once, perhaps you'd care to explain this?

Thanks and kind regards,
--
Henk


PostPosted: Tue Oct 13, 2009 9:59 am 
Joined: Mon Oct 12, 2009 11:29 am
Posts: 3
Hi Henk,

Thanks a lot for your feedback.

fortean wrote:
The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between 2 apps (Yubidrone and the browser) which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone 8-).


The allowed timespan between multiple OTPs is set to a value, currently 4 seconds. Maybe that's a bit too tight. I hope to gather some statistics on the demo site in order to come up with a reasonable default value for this timespan.

fortean wrote:
Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter 3 OTP's may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once, perhaps you'd care to explain this?


True. I'll also add an example interface where the OTPs are supplied in the order of the user's PIN code. This provides at least some protection for a stolen key as well as added security against eavesdropping, since the OTPs will be transmitted in unknown order over the Internet.

Best Regards,
Olov


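The two server-side checks discussed in this thread, written here as an added illustration (not code from the yubikey-timedelta-server-php project): the time-delta check with the demo's 4-second window, and the PIN-order variant. It assumes the OTPs have already been decrypted into their fields (use counter, session counter, 24-bit timestamp ticking at 8 Hz, per the YubiKey spec) and, as an assumption about the PIN-order scheme, that PIN digit i names which generated OTP the user put in submission slot i.

```python
from dataclasses import dataclass

TSTP_HZ = 8           # YubiKey timestamp ticks at a nominal 8 Hz
TSTP_MOD = 1 << 24    # 24-bit field, wraps around
MAX_DELTA_S = 4.0     # default window used by the demo server in the thread


@dataclass
class OtpFields:
    """Decrypted YubiKey OTP fields relevant to ordering and timing."""
    use_ctr: int      # non-volatile counter, incremented on each power-up
    session_ctr: int  # per-OTP counter, restarts at each power-up
    tstp: int         # 24-bit timestamp; restarts with the power-up session


def tstp_delta_s(earlier: int, later: int) -> float:
    """Seconds between two timestamps, tolerating a 24-bit wraparound."""
    return ((later - earlier) % TSTP_MOD) / TSTP_HZ


def check_timedelta(otps, max_delta_s=MAX_DELTA_S):
    """Accept only consecutive presses from one session, each within the window."""
    if len(otps) < 2:
        return False, "need at least two OTPs"
    for prev, cur in zip(otps, otps[1:]):
        if cur.use_ctr != prev.use_ctr:
            return False, "OTPs span a power-up; timestamps are not comparable"
        if cur.session_ctr != prev.session_ctr + 1:
            return False, "OTPs are not consecutive key presses"
        delta = tstp_delta_s(prev.tstp, cur.tstp)
        if delta > max_delta_s:
            return False, f"gap of {delta:.3f}s exceeds {max_delta_s}s"
    return True, "ok"


def check_pin_order(submitted, pin: str) -> bool:
    """PIN-order variant (assumed scheme): slot i must hold generated OTP pin[i]."""
    n = len(submitted)
    if len(pin) != n or sorted(pin) != [str(i) for i in range(1, n + 1)]:
        return False  # PIN must be a permutation of 1..n
    ok, _ = check_timedelta(sorted(submitted, key=lambda o: o.session_ctr))
    if not ok:
        return False  # presses must still be one tight burst from one key
    by_generation = sorted(submitted, key=lambda o: o.session_ctr)
    expected = [by_generation[int(d) - 1] for d in pin]
    return expected == submitted


# Constructed sample: three presses 1.25 s and 1.875 s apart, one session.
SAMPLE = [OtpFields(17, 1, 1000), OtpFields(17, 2, 1010), OtpFields(17, 3, 1025)]
```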
PostPosted: Fri Oct 16, 2009 2:31 pm 
Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
olov wrote:
Hi Henk,

Thanks a lot for your feedback. [...] True. I'll also add an example interface where the OTPs are supplied in the order of the user's PIN code. This provides at least some protection for a stolen key as well as added security against eavesdropping, since the OTPs will be transmitted in unknown order over the Internet.


OTOH, one might argue that now a cracker has 4 OTPs from the same key so in effect it is LESS secure.

If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client side certificate, TAN code etc. etc.


PostPosted: Mon Oct 19, 2009 10:10 am 
Joined: Mon Oct 12, 2009 11:29 am
Posts: 3
fortean wrote:
OTOH, one might argue that now a cracker has 4 OTPs from the same key so in effect it is LESS secure.

Interesting point. From this perspective it might be good to always validate the first OTP against the validation server before the next OTP is requested. It might, though, add some inconvenience for the user, who needs to wait for the validation process before the next OTP can be entered.
fortean wrote:
If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client side certificate, TAN code etc. etc.

Yes, this is certainly an option.

Regards,
/Olov

