For what uses would it be smart to get a YubiKey?

user1, Gabriel Fair

3 Answers

I bought, and enthusiastically use, my YubiKey. The way it stores two OTP profiles is particularly useful: with one set of keydata (short-press-the-button) I kept the secrets close, and use it for sudo (and, one day, for straight ssh login) access on my colo'ed box. The other (long-press-the-button) I shared with Clavid, who offer an OpenID authentication service which allowed me to properly tighten my whole OpenID authentication loop [1].

As others have pointed out, unlike a number of other hardware-authentication-dongle services, you control your own keying material, and don't have to trust any third party to get things right if you don't want to.

One of the biggest wins with it is being able to use untrusted endpoints to authenticate via the 'key, because the password so disclosed is useless as soon as it's used. The biggest problem with that, however, is that many classically-insecure endpoints (eg cybercafe PCs) disable their USB ports, which can make finding somewhere to plug the Yubikey in quite hard.

On the whole, though, I think they're a big win.

[1] I'm a big fan of OpenID. The thing that originally brought me to Server Fault, the SE site where I do most of my posting, was its offering OpenID authentication.

MadHatter

Pros:

  • One authentication rules them all
  • Anyone can use it

Cons:

  • Lose it and you have to reset a whole bunch of passwords if you used it as a single authentication method.
Stephen Ostermiller, Lucas Kauffman

Things about Yubikey to consider:

It appears as a keyboard device. (Works almost everywhere they say you can't use Keysticks... there are ways to prevent it on almost all OSs but most places don't lock down Human Interface Devices.)

If someone else gets hold of it and your password (and you're using OTP) and records a few OTPs, they can use that information to connect to a resource up until you use your token again.

It should only be a second factor, never a single factor. (You can't lose your password, but you can lose your keys)

It is (moderately) cryptographically secure, and if you are an organization you can handle the whole cryptosystem without relying on a third party to secure their seeds.

It's a bad idea to rely on it for security by itself. But as an additional factor I like the idea.

Ori
  • You *can* lose your password. You can forget it, you can forget or lose your password manager data - the key or login to that. – SPRBRN Mar 13 '18 at 15:13
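How that replay window works, as an added example that is not from any answer above: a minimal model of the server-side Yubico OTP counter check, showing why a recorded OTP stays usable only until the key's owner produces a newer one. It assumes the 16-byte plaintext has already been recovered with the key's AES-128 secret (the modhex and AES steps are left out), and the private ID and tokens are constructed here, not real key data.

```python
import struct

def crc16(data: bytes) -> int:
    """CRC-16 as used in Yubico OTP tokens (poly 0x8408 reflected, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def make_token(private_id: bytes, session: int, use: int, ts: int = 0, rnd: int = 0) -> bytes:
    """Constructed 16-byte plaintext: uid(6) ctr(2 LE) timestamp(3 LE) use(1) rnd(2) crc(2 LE).
    The key increments `session` at power-on and `use` on each press within a session."""
    body = (private_id + struct.pack("<H", session) + ts.to_bytes(3, "little")
            + bytes([use]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

class Validator:
    """Server-side state for one key: the last accepted (session, use) pair."""
    def __init__(self, private_id: bytes):
        self.private_id = private_id
        self.last = (-1, -1)

    def accept(self, token: bytes) -> bool:
        if len(token) != 16 or crc16(token) != 0xF0B8:  # garbage or decrypted with wrong key
            return False
        if token[:6] != self.private_id:                # plaintext belongs to another key
            return False
        session, = struct.unpack("<H", token[6:8])
        use = token[11]
        if (session, use) <= self.last:                 # replay, or older than last seen
            return False
        self.last = (session, use)
        return True

def replay_window_demo() -> list:
    """Walk through the scenario: recorded OTPs survive only until a newer one is used."""
    uid = bytes.fromhex("0a0b0c0d0e0f")                # constructed private ID
    v = Validator(uid)
    owner_login = make_token(uid, 5, 0)
    recorded = [make_token(uid, 5, 1), make_token(uid, 5, 2)]  # captured, never submitted
    results = [v.accept(owner_login)]                  # True: first use
    results.append(v.accept(owner_login))              # False: straight replay
    results.append(v.accept(recorded[0]))              # True: unused and newer than last seen
    results.append(v.accept(make_token(uid, 6, 0)))    # True: owner uses the key again
    results.append(v.accept(recorded[1]))              # False: window closed by the newer OTP
    return results
```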