olivierm wrote:
But what happens if an attacker manages to get his hands on my keys for long enough to generate a bunch of OTPs?
<<<snip>>>
If I understand correctly, there are three concerns here:
- Somebody gets to your machine while it is unlocked and the Yubikey is inserted. The user generates several OTPs, sends them to himself (email, file copy, whatever), and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
- Somebody gets to your Yubikey while it is left alone. The user connects the Yubikey to their computer, generates several OTPs, and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
- You discover someone playing with your Yubikey (either as part of #1 or #2, or for a different reason). You are not sure if they have generated some OTPs for themselves.
I think the solutions would be different.
For issue #1: On most machines, there is a screen saver which will activate automatically (after some inactivity) or manually (by pressing a button on screen, pressing a special key on the keyboard, or moving the mouse to a specific location). There is another topic where a way is discussed (in Linux) for the screen saver to automatically activate when you remove your Yubikey from the USB port, and to display the login window when inserting the Yubikey. I think somebody should work on a Windows add-on that does the same thing.
For issue #2: There are two options:
- If you use software (like Rohos Login) which uses the Yubikey OTP to log in or unlock the screensaver, then as soon as you return to your computer and unlock it (or log in), the "stolen" OTPs are made useless.
- Have a small software program that watches in the background to see if a Yubikey is inserted. Once it is, display a window (or taskbar alert, something unobtrusive) that asks for an OTP. Once an OTP is provided, the window should disappear, and your program should send the OTP to the validation server. You are not actually using the OTP to authenticate to anything, you are just making sure that any "stolen" OTPs are made useless. As a useful feature, warn the user if you get a suspicious error (like an OTP_REPLAYED error).
For issues #1 and #2, if you configure web sites to log you out after a shorter amount of time, this will cause you to use OTPs more often, making any "stolen" OTPs invalid sooner. For example, if you use LastPass Premium (which allows you to use the Yubikey as part of the authentication), and if you can configure LastPass to prompt you to log in after unlocking the screensaver, part of the login process will require an OTP, which will be validated, making any "stolen" OTPs useless!
For issue #3: Yubico could provide a site (example title: "OTP Check" or "Token Sync") where you provide an OTP. Yubico takes the OTP and checks it against the validation server, instantly making all of the "stolen" OTPs useless.
So, the basic concepts are...
- Keep the Yubikey with you as much as possible.
- If you are separated from the Yubikey, when you return, generate and use an OTP as soon as possible!
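Added illustration of the background "burn an OTP" watcher described for issue #2 (example code written for this page, not Yubico's and not from anyone in the thread): it builds the YubiCloud v2.0 verify request, checks the reply's HMAC-SHA1 signature and nonce, and turns the status into a user-facing verdict; the API spells the replay status REPLAYED_OTP. The client id, API key, OTP and server reply are constructed stand-ins, and the HTTPS call itself is left out so the example runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"
MODHEX = set("cbdefghijklnrtuv")  # alphabet a YubiKey types its OTPs in

def build_verify_request(otp, client_id):
    """Verify URL for the YubiCloud v2.0 API; the fresh nonce ties the reply to this request."""
    otp = otp.strip().lower()
    if not (32 <= len(otp) <= 48) or any(c not in MODHEX for c in otp):
        raise ValueError("not a YubiKey OTP (modhex, 32-48 chars)")
    nonce = secrets.token_hex(16)
    return VERIFY_URL + "?" + urlencode({"id": client_id, "otp": otp, "nonce": nonce}), nonce

def sign_fields(fields, api_key_b64):
    """h = base64(HMAC-SHA1(api_key, 'k=v&k=v...' with keys sorted, h itself excluded))."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def parse_response(text):
    """The server answers with one 'key=value' pair per line."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)

def check_response(text, api_key_b64, otp, nonce):
    """Return (verdict, message): what the background watcher should show the user."""
    fields = parse_response(text)
    if not hmac.compare_digest(sign_fields(fields, api_key_b64), fields.get("h", "")):
        return "error", "bad signature: reply is not from the validation server"
    if fields.get("nonce") != nonce or fields.get("otp") != otp:
        return "error", "reply does not belong to our request"
    status = fields.get("status")
    if status == "OK":
        return "ok", "OTP accepted; any earlier OTPs from this key are now useless"
    if status == "REPLAYED_OTP":
        return "warn", "OTP already seen by the server: someone may have used OTPs from your key"
    return "error", f"validation failed with status {status}"

# Constructed offline demo data: not a real API key, OTP or server reply.
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real API key").decode()
DEMO_OTP = "cccccccfhcbe" + "cbdefghijklnrtuvcbdefghijklnrtuv"  # 12-char public id + 32-char token

def fake_reply(status, otp, nonce, api_key_b64=DEMO_KEY):
    """Stand-in for the server: builds a reply signed the way the real one is."""
    fields = {"t": "2023-01-01T12:00:00Z0000", "otp": otp, "nonce": nonce, "status": status, "sl": "100"}
    fields["h"] = sign_fields(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"
```

In a real watcher the URL from build_verify_request is fetched over HTTPS and the body handed to check_response; a "warn" verdict is the suspicious case the post describes.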