Questions tagged [hardware-token]

35 questions
65 votes, 5 answers

What is a YubiKey and how does it work?

How do YubiKeys work? Are there any alternatives? Here is a picture of one:
20 votes, 5 answers

Why do some FIDO security fobs use keyboard emulation mode?

I was troubled from the very beginning by the fact that my U2F security fob acts as a keyboard and theoretically is able to press any key when no one is looking. Sometimes I accidentally touch it and then the screen goes mad because of all those…
IlliakaillI
8 votes, 5 answers

Hardware token vs Fingerprint based software token

I'm given a choice between two banks' authentication procedures and I need help choosing the most secure and convenient option. Option "hardware token": Authentication into the web platform is done via username/password but transactions are…
Vladimir
6 votes, 6 answers

When should I issue more than one multi-factor device to a user? Is it OK to give several active tokens vs none at all?

Most of the conventional IT.Sec thinking I've seen says that a user can only have one multi-factor authentication device. I'd like to challenge that de facto thinking and ask if there is ever an occasion where: More than one multifactor device…
makerofthings7
4 votes, 0 answers

Security implications of using unfused U2F token

I noticed that both of the Feitian USB/NFC U2F Security Keys I purchased on Amazon a few years ago are unfused. This means that the pre-personalization step was partially performed but not completed in an irreversible way. The devices are otherwise…
darco
4 votes, 1 answer

Create certificate without private key or using USB eToken

Considering this thread: Create certificate without private key with OpenSSL I have a very similar situation. I have a USB eToken 5110 JC (Aladdin) which has an inaccessible private key, since it's the main objective. I can use pkcs11-tool --module…
4 votes, 1 answer

Is there a benefit to setting up a security key on an account that already has phone-based 2FA?

I'm looking at 2FA options for my Google account, and I noticed they now allow you to add a security key to your account. I'm a bit of a novice to infosec, but I'm struggling to see the benefit for me. My phone already covers the "something you…
user43639
3 votes, 1 answer

Why does GPG --recipient only pick one (arbitrary) key for identical names, instead of all of them?

I have a recipient with four hardware keys (HKs) that they use interchangeably. These HKs contain different GPG keys that have all been generated inside and have never left the HKs, thus resulting in four different public keys belonging to the same…
3 votes, 2 answers

RSA SecurID - is the serial of the key public?

If I have an RSA SecurID hardware key, I can see serials/numbers on the back of the SecurID (so not the every-minute-changing token). Is that public information? Or should the serials on the back of an RSA SecurID be held…
niving6473
3 votes, 1 answer

Good practices for protecting a machine certificate against extraction

Consider the following scenario: You are providing VPN access for a number of machines running Windows 10. The machines are configured and hardened according to company standards. You rely on machine certificates for authentication to the VPN…
user149408
3 votes, 3 answers

What are dedicated TOTP devices called?

I would like to buy a device that can be provisioned with a secret seed and then displays a time based authentication token without ever revealing the seed. As terms like 2FA, TOTP and Authenticator are almost guaranteed to only show up information…
user88348
3 votes, 0 answers

How do security properties of Trezor's FIDO U2F differ from Yubikey?

Aside from being a bitcoin wallet, the Trezor supports FIDO U2F and seems to offer some unique benefits over a Yubikey: The keys are always generated on the device and never rely on the manufacturer supplied secrets. (vs. yubikey issuing the key,…
Jonathan Cross
3 votes, 2 answers

Two Factor Authentication with PIN - Does where/how you enter a PIN matter?

Say I have two websites with 2FA mechanisms that are otherwise identical. Mechanism 1 You have to enter a PIN into your Token Generator in order to retrieve your One Time Password. On the website, you then use your password and the OTP by itself to…
Dan
2 votes, 3 answers

Is a hardware based 2FA more resistant to phishing than SMS or TOTP?

As I understand, modern phishing is kind of like a man-in-the-middle attack. Let's say, for example that User u has an account in Domain d where he has an SMS based 2FA enabled. This is what the phishing mechanism is like: Attacker presents a login…
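The property that lets a FIDO security key survive the relay flow sketched in this question, as an added Go example that is not part of the question or of any answer on the page. It models the U2F/WebAuthn assertion in simplified form: an in-memory Authenticator stands in for the hardware token, the browser writes the origin it is actually displaying into the client data and asks the token to sign for that origin's host, and the relying party checks its challenge, the recorded origin and the signature over its own RP ID hash. An SMS or TOTP code carries none of that binding, which is why the proxy can reuse it. The hostnames bank.example and bank-login.example, the challenge string and all function and type names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"net/url"
)

// clientData is built by the browser; page script cannot change Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the client.
type Assertion struct {
	ClientDataJSON []byte
	Counter        uint32
	Signature      []byte // DER ECDSA signature over signedDigest(...)
}

// Authenticator is an in-memory stand-in (assumption) for the hardware token.
type Authenticator struct {
	Priv    *ecdsa.PrivateKey // credential key created at registration
	counter uint32            // signature counter, incremented per assertion
}

// signedDigest follows the U2F authentication response layout:
// SHA-256(rpID) || user-presence byte || counter || SHA-256(clientDataJSON).
func signedDigest(rpID string, counter uint32, cdJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(append(append([]byte{}, app[:]...), 0x01), ctr[:]...), cd[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// SignIn plays browser plus token: the browser records the origin it is really
// showing and asks the token to sign for that origin's host as the RP ID.
func SignIn(a *Authenticator, origin, challenge string) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.Priv, signedDigest(u.Hostname(), a.counter, cdJSON))
	return Assertion{ClientDataJSON: cdJSON, Counter: a.counter, Signature: sig}, err
}

// Verify plays the relying party at expectedOrigin: its own challenge, the origin
// the browser recorded, and the signature over its own RP ID hash must all match.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, challenge string, as Assertion) bool {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil ||
		cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return false
	}
	u, err := url.Parse(expectedOrigin)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(u.Hostname(), as.Counter, as.ClientDataJSON), as.Signature)
}

// Scenario runs a genuine login, the relay attack from the question (the phishing
// site forwards the bank's challenge to the victim and the assertion back to the
// bank), and a relay where the attacker also rewrites the client data to claim the
// bank's origin. Hostnames and the challenge are constructed values.
func Scenario() (directOK, relayedOK, tamperedOK bool, err error) {
	const bank, phish = "https://bank.example", "https://bank-login.example"
	const challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl" // normally random per login
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	auth := &Authenticator{Priv: key}
	direct, err := SignIn(auth, bank, challenge)
	if err != nil {
		return
	}
	directOK = Verify(&key.PublicKey, bank, challenge, direct)
	relayed, err := SignIn(auth, phish, challenge)
	if err != nil {
		return
	}
	relayedOK = Verify(&key.PublicKey, bank, challenge, relayed) // origin mismatch
	forged := relayed
	forged.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: bank})
	tamperedOK = Verify(&key.PublicKey, bank, challenge, forged) // signature no longer matches
	return
}
```

Scenario() returns three verdicts: the direct login verifies, the relayed assertion is rejected because the client data names the phishing origin, and an assertion whose client data the attacker rewrites is rejected because the token signed over the phishing host's RP ID hash and the original client data hash. The attacker never obtains anything it can present to bank.example, which is the difference from the SMS and TOTP flows in the question, where the code itself is the secret and carries no origin.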
2 votes, 2 answers

Use custom 'key' for hardware security token

Using a hardware security token as a second factor is generally considered quite a boost in security. But one of the issues I'm having is how to backup the (digital) keys used in the hardware device (especially in cases when just adding multiple…
n0542344