Yubico Forum

Sorry couldnt fit whole question in title.

1. Are the only reasons yubikey button press not recommended for Yubikey windows LogOn are that you can make a second backup key to use and if you lose the single yubikey then you will not be able to log on and getting a replacement / getting into your computer will be nigh on impossible?
2. Obviously my thinking depends on the answer to the first but the LogOn pdf states its possible to protect your configuration (and thus duplication),etc by an access code which you write down-fairly certain the answers going to be no(multi slots required) but as i have 2 seperate keys, might it be possible to use the 2nd's to protect the 1st's config by button press?
3. Supposing i wanted the most secure, safe access on my system and was willing to risk loss of key, would button press access be the better option and could the key be duplicated?? Am i totally overhyping the benefit's of button press- have i got it wrong and its just an easier written passcode facility and even though its random can still be copied if your key is cloned?
4. Can Windows LogOn with yubikey be bypassed by logging on in safe mode?
5. I don't really expect an answer to this as it's not yubikey related but as you're in the industry whereas im not and have oodles of juicy technical knowhow, is there a good logging facility that records times of windows access and usage of your pc (undeleteable/uneditable-im thinking cloud or distant server))?

............. And lol NO i dont have the UK missile defence plans on my pc. However i do think physical access to all my possessions err is not as safe and secure as it should be.
..............ps Yubikey is brilliant. Lastpass, paypal, ebay, windows logon...simply amazing

Hello,

You question was somewhat a bit confusing i hope i got it right


1) The reason why you should not use the button when emitting the challenge-response is that it is extremely hard to get it right with timing. Users just came back and say " it doesn't work "

Theoretically, pushing the button requires user's presence. On the other hand, you're supposed to take the Yubikey with you if you are not at the PC. Thus, for logon you should not worry about that.

2) The Windows logon tool, has an option to enable it in SAFE MODE. By default is disabled in case inexperienced users lock them self out of the system.

3) Yubikeys cannot be duplicated. (Even with the state of the art of hardware side channels attack is extremely hard) What you can do is to back up your Yubikey ( which is VERY GOOD idea ).

Configure your first Yubikey, press write. Remove the Yubikey insert the second Yubikey press write again, that's it!

4) For monitor windows logon you want to look at something like this http://www.howtogeek.com/124313/how-to- ... -and-when/ maybe

Hope this helps.

_________________
-Tom

ok, i must apologise if my questions are confusing. I've reread them and can't understand what is confusing, which worries me as i obviously don't understand something to the extent that it doesn't make sense. Can you say what is confusing so i can try and resolve what i don't understand or have misread or misassumed.

0. question above?
1. if the web works with button press , why does the windows logon require exact timing? if its that internet functionality doesnt use challenge response fine. a)i take it that because its not advised ,it means it is still possible and if that's the case, how would i set my yubikey up for win logon by button press? b) you say errors lie in the timing of response, what is the technique for the timing?
2. safe mode- that's brilliant so it is not get roundable just by booting up in safe mode (if option enabled). thanks
3. ok. the key cannot be duplicated but can be backed up. my view is the 2 things are very similar with the end result. a) i suppose when i logon somewhere be it winlogon or internet such as lastpass, key which did it is noted? what i am saying is, does the software the key is used with recognise the backup key as a different key or is it seen as identical or the same key for all intensive purposes? b) i think i know where u are/ will come from in that i need my pc (which people living in new embezzlingham, thieftown dont have) to backup my yubikey but lets assume i have roommates for example, if i wanted my key to be the only key with its configuration in existence, is this possible and how? c) i am assuming its not possible to use one totally unrelated key to protect another's configuration and vice versa as there was no answer.
4. vmt for the link. unfortunately i have struck out. am using 7-64 home premium which doesnt have the local group policy editter so cannot even get past the 'first, open the' statement. however the link's page at the end does mention using the task scheduler for a similar function so will look at that if there are no other commercial alternatives. thanks.

thanks for the answers and taking the time out to answer. i realise my questions are not always succinct so must apologise.
(call it overdoing it but i am trying to make my yubikeys the most secure things i can think possible and to do that i am even trying to take myself out of the equation-thinking duress or talking in sleep.)

The challenge-response mode works off-line you do not need an internet connection. Thus no button is required since you do not need to provide an OTP to the YubiCloud. With the "require user input" option on, in challenge response mode you will not be able to press at the right time when the software request the response after sending the challenge to the Yubikey.

Regarding duplicating the Yubikey as i said, it is not feasible. If you are so paranoid after programming the Yubikey, shutdown your computer and remove power/battery for 1 hour. Do not put your computer in a freezer during this hour. This will wipe out potential data that may be left in your computer RAM.

All Yubikeys are unique. The configuration in different Yubikey can be the same and this can be achieved by programming the same challenge-response secret in different Yubikey. Once you close the personalization tool that secret is lost (unless you wrote it on a Post-It and stuck it on your monitor)

_________________
-Tom

wow, nice jibe thrown in amongst constructive comments. as a customer (twice), what can i say except thanks.
so paranoia is evident if someone states other people may have access to their computer (true) firstly or throws in a hypothetical (bracketed comment at the very end) to see if there is a solution? i do not think it is unreasonable to wish my yubikey is the only yubikey configured such in existence and if it isnt then id like it documented there are others- isnt that what good security is about?

i numbered the items to your response, even started with a zero so comparison with your answer easier so i presumed you would return likewise.....(it makes answers much easier to reference , compare and questions not so easily ignore). if you answer my numbered thread because ive posted this please add a number (5.) for the 'think it is unreasonable' comment this post.

thanks.

btw my yubikey vip (paypal) may have stopped working on the site. i tried logging in and the 6 digit was requested and the yubikey did provide 6 numbers but paypal refused login.
6. might this be because i deleted my cookies on pc or is something else likely? i had to skip the yubikey verification option but do not want to delete the config and redo without your answer. (no i dont normally delete them but a pass elsewhere which should work wasnt disappearing and i couldnt locate site address in cookie list in my browser so deleted all) -still works here which is why i question why its stopped working on paypal.

my aim is not to trip you up or be rude. apologies if it seems so. your answer given in your last paragraph kind of explains why i numbered and asked specific questions hoping for answers to each specific question. 'all yubikeys are unique. the configuration in different yubikey can be the same.......'

I try to configure Windows LogON. If PC is member of workgroup all work fine, but after i added PC to domain, in logon configuration software i can see all domain users, i enable yubikey authentication for domain users, but second way not work. User can login to domain PC without yubikey and i don't see message about yubikey authentication below password field.