Yubico Forum
https://forum.yubico.com/

[QUESTION] Procedure to access Win 8 when Yubikey is lost
https://forum.yubico.com/viewtopic.php?f=23&t=1251

Author:  yomo768 [ Fri Dec 06, 2013 6:13 am ]
Post subject:  [QUESTION] Procedure to access Win 8 when Yubikey is lost

I have Windows 8 challenge response integrated with the Yubikey and would like to know what to do if the Yubikey is lost in terms of accessing Windows 8. Should a separate administrator account be created without the Yubikey integration? Or is there a better way without creating an additional account?

Author:  Tom [ Fri Dec 06, 2013 8:34 am ]
Post subject:  Re: [QUESTION] Procedure to access Win 8 when Yubikey is los

You can create a backup of your Yubikey on a second Yubikey.

If you have 2 "admin" accounts, one with Two Factor Authentication and one without, you are basically voiding any benefit.

Author:  yomo768 [ Fri Dec 06, 2013 5:57 pm ]
Post subject:  Re: [QUESTION] Procedure to access Win 8 when Yubikey is los

Tom wrote:
You can create a backup of your Yubikey on a second Yubikey.

I only have 1 Yubikey so that's not possible.

Tom wrote:
If you have 2 "admin" accounts, one with Two Factor Authentication and one without, you are basically voiding any benefit.

However, my day-to-day account contains a shorter password, which, combined with the Yubikey, makes it more secure. My recovery admin account password would contain, for example, 100 characters, so that should be a good compromise, right?

Author:  Tom [ Sat Dec 07, 2013 12:55 pm ]
Post subject:  Re: [QUESTION] Procedure to access Win 8 when Yubikey is los

No.

The strength resides in the fact that you have something you "know", the password, and something you have, "the Yubikey".

Passwords can easily be stolen, cracked or snooped by a remote attacker around the world, while the Yubikey is with you and can potentially only be "stolen" by the very few people around you.

Moreover, the Yubikey secrets cannot be remotely stolen.

A 100-character password will not give you anything more than a 20-character password (practically, not theoretically). They are both too long to be guessed (but can still be stolen/lost/cracked).

You can always enable the "safe mode" in the logon tool. This will allow you to reboot your machine in safe mode and login without the Yubikey.

Author:  yomo768 [ Sun Dec 08, 2013 8:09 am ]
Post subject:  Re: [QUESTION] Procedure to access Win 8 when Yubikey is los

Tom wrote:
Passwords can easily be stolen, cracked or snooped by a remote attacker around the world, while the Yubikey is with you and can potentially only be "stolen" by the very few people around you.

Moreover, the Yubikey secrets cannot be remotely stolen.


So there are 2 types of attacks that need to be considered, local and remote.

Tom wrote:
A 100-character password will not give you anything more than a 20-character password (practically, not theoretically). They are both too long to be guessed (but can still be stolen/lost/cracked).


In terms of Windows logon I imagine one would need to have RDP enabled for a remote attack to happen against one's Windows account. As far as getting the password, although a long password would protect against a stolen SAM file with the hashed passwords, it would not protect against a keystroke logger which is what you imply when you wrote that it could be stolen regardless of length, right?

Tom wrote:
You can always enable the "safe mode" in the logon tool. This will allow you to reboot your machine in safe mode and login without the Yubikey.

So enabling 'safe mode' in the logon tool (which is the default) would not protect against local attacks, but would still protect against remote attacks since a remote attacker would not be able to physically reboot the machine in safe mode, right?

All times are UTC + 1 hour