Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:53 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Fri Dec 06, 2013 6:13 am 
Offline

Joined: Fri Dec 06, 2013 6:05 am
Posts: 4
I have Windows 8 challenge response integrated with the Yubikey and would like to know what to do if the Yubikey is lost in terms of accessing Windows 8. Should a separate administrator account be created without the Yubikey integration? Or is there a better way without creating an additional account?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Dec 06, 2013 8:34 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
You can create a backup of your Yubikey on a second Yubikey.

If you have 2 "admin" account one with Two Factor Authentication and one without, you are basically voiding any benefit.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 06, 2013 5:57 pm 
Offline

Joined: Fri Dec 06, 2013 6:05 am
Posts: 4
Tom wrote:
You can create a backup of your Yubikey on a second Yubikey.

I only have 1 Yubikey so that's not possible.

Tom wrote:
If you have 2 "admin" account one with Two Factor Authentication and one without, you are basically voiding any benefit.

However, my day-to-day account contains a shorter password, which, combined with the Yubikey makes it more secure. My recovery admin account password would contain for example, 100 characters so that should be a good compromise, right?


Top
 Profile  
Reply with quote  
PostPosted: Sat Dec 07, 2013 12:55 pm 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
No.

The strength resides in the fact that you have something you "know" the password and something you have "the Yubikey"

Password can easily be stolen, cracked or snooped from a remote attacker around the world, while the Yubikey it is with you and can potentially only be "stolen" by the very few people around you.

Moreover, the Yubikey secrets cannot remotely stolen.

A 100 characters password will not give you anything more then a 20 characters password (practically not theoretically). They are both to long to be guessed (but steal be be stolen/lost/cracked)

You can always enable the "safe mode" in the logon tool. This will allow you to reboot your machine in safe mode and login without the Yubikey.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Sun Dec 08, 2013 8:09 am 
Offline

Joined: Fri Dec 06, 2013 6:05 am
Posts: 4
Tom wrote:
Password can easily be stolen, cracked or snooped from a remote attacker around the world, while the Yubikey it is with you and can potentially only be "stolen" by the very few people around you.

Moreover, the Yubikey secrets cannot remotely stolen.


So there are 2 types of attacks that need to be considered, local and remote.

Tom wrote:
A 100 characters password will not give you anything more then a 20 characters password (practically not theoretically). They are both to long to be guessed (but steal be be stolen/lost/cracked)


In terms of Windows logon I imagine one would need to have RDP enabled for a remote attack to happen against one's Windows account. As far as getting the password, although a long password would protect against a stolen SAM file with the hashed passwords, it would not protect against a keystroke logger which is what you imply when you wrote that it could be stolen regardless of length, right?

Tom wrote:
You can always enable the "safe mode" in the logon tool. This will allow you to reboot your machine in safe mode and login without the Yubikey.

So enabling 'safe mode' in the logon tool, (which is the default), would not protect against local attacks, but would still protect against remote attacks since a remote attacker would not be able to physically reboot the machine in safe mode, right?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group