Syleron, posted November 19, 2014:

Title pretty much says it all. Could we possibly see the Yubikey added to the list of supported 2 factor auth?

https://www.yubico.com

Best regards,
Andrew

Michael, posted November 19, 2014:

Already is accepted: http://docs.blesta.com/display/user/Enabling+Two-Factor#EnablingTwo-Factor-ForYubiKey

omaticon, posted November 19, 2014:

Is this on the roadmap for client accounts?

Michael, posted November 19, 2014:

> Is this on the roadmap for client accounts?

Yes, CORE-514 in 3.4.

Paul, posted November 19, 2014:

Client/Contact 2FA will use the QR code method. We recommend using the Google Authenticator app for Android/iOS. This keeps it simple for clients: it's free TOTP, easy to set up, difficult to get locked out. The 2FA requests a token before it will be saved.

techhelper1, posted June 6, 2015:

I still don't see why implementing the "native" Yubikey support is being pushed off. 1 TOTP instance requires a slot in the Yubikey, why would I want to burn up the last slot in my Yubikey for that when I can use Authy in Chrome (which defeats the point of 2FA). Yes, I can make myself go get my phone or tablet all the time, but I'm lazy. The Yubikey is a simple device that someone *has* and a password is something one *knows*.

Now that I recently got the Yubikey NEO, I can program it with a PGP key and use it as a local smartcard for domain use or even make my own hardware-based personal SSH key. The reason I bring that up is because that's a more universal purpose reason to use a slot instead of just a single TOTP instance.

Before someone brings up the argument saying that it's not secure, if you use LastPass, you're trusting your passwords (and possibly other data) in "the cloud" already. The Yubikey OTP has been around since 2008, it's now 2015. A whole 8 years have passed and it hasn't been breached. Since the Yubikey will not give out its 128-bit AES key, the only option is to breach the company anyways.

See page 16 of this PDF and read on about how the technology works (https://www.grc.com/sn/sn-143.pdf). (It's a transcript of an old Security Now! podcast episode.)

Michael, posted June 6, 2015:

You can use the Yubikey already, sure, that's been said before.

techhelper1, posted June 7, 2015:

> You can use the Yubikey already, sure, that's been said before.

You can only use it with Blesta in TOTP form. Which defeats the whole purpose of having it.

Michael, posted June 7, 2015:

> You can only use it with Blesta in TOTP form. Which defeats the whole purpose of having it.

What the hell is the difference? If you are using Yubikey, you are using Yubikey. It's not like someone's going to steal it.

techhelper1, posted June 7, 2015:

> What the hell is the difference? If you are using Yubikey, you are using Yubikey. It's not like someone's going to steal it.

Oh... so someone isn't going to steal/break/ruin your smartphone or tablet? That's a lot easier to steal versus something that's on a keychain that's on me or within eyesight. The difference is what technology is being used and how efficiently it can be used on different platforms.

TL;DR If I wanted TOTP support, I would have got it set up, but that's not what I'm asking here and no one seems to understand that.

techhelper1, posted June 7, 2015:

Like I've said before, Authy (and probably others) can sync TOTP instances across devices (including computers) and not very many people set locks/passcodes on them to prevent access into it. In fact, I can make an 8 MHz 8-bit processor do TOTP, it's not rocket science. Bottom line, the Yubikey OTP is something that's physically needed and you can't get around it.

Michael, posted June 7, 2015:

> Oh... so someone isn't going to steal/break/ruin your smartphone or tablet? That's a lot easier to steal versus something that's on a keychain that's on me or within eyesight. The difference is what technology is being used and how efficiently it can be used on different platforms.
>
> TL;DR If I wanted TOTP support, I would have got it set up, but that's not what I'm asking here and no one seems to understand that.

https://www.yubico.com/products/yubikey-hardware/

OATH-TOTP requires a helper app, YubiTOTP; NFC is included on the larger, keychain form factor of the YubiKey NEO, however NFC is NOT included on the smaller form factor, the YubiKey NEO-n.

All YubiKey is, is a hardware key, leave it around and anyone can just use it.

techhelper1, posted June 7, 2015:

Uhh... the same principle can apply to your phone or tablet if you walk away and I pick it up immediately after; most times the device will not require another unlock since it's within the frequent timeframe. From what I remember, Google Authenticator has no PIN to protect its TOTPs; Authy does, but no one I know uses it or even knows about it.

What you don't seem to understand now is that the Yubikey itself is useless since it's the second factor of authentication just like TOTP. You still need the originating password to get the second stage. With the TOTP configuration, the Yubikey just holds the key that the TOTP will generate off of, the helper app does the actual math and takes the system time to generate the resulting number.

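The TOTP arithmetic described in the post above, as an added PHP example that is not part of the thread and not Blesta's code: the code depends only on the shared secret and the clock, so every device holding a copy of the secret produces the same value. The function names are illustrative, and the secret is the public RFC 6238 test secret.

```php
<?php
// Added illustration: RFC 6238 TOTP (HMAC-SHA1, 30-second steps).

/** Compute the TOTP code for a raw secret at a given Unix time. */
function totp(string $secret, int $unixTime, int $digits = 6, int $step = 30): string
{
    $counter = pack('J', intdiv($unixTime, $step));   // time step as 64-bit big-endian
    $mac     = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($mac[19]) & 0x0f;                  // dynamic truncation (RFC 4226)
    $bin     = unpack('N', substr($mac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Server-side check that tolerates clock drift of $window steps either way. */
function totp_verify(string $secret, string $code, int $now, int $window = 1, int $step = 30): bool
{
    $match = false;
    for ($i = -$window; $i <= $window; $i++) {
        // hash_equals compares in constant time; the loop does not exit early
        if (hash_equals(totp($secret, $now + $i * $step), $code)) {
            $match = true;
        }
    }
    return $match;
}

// Constructed sample input: public RFC 6238 test secret, never use it for real.
$secret  = '12345678901234567890';
$t       = 59;
$phone   = totp($secret, $t);   // authenticator app on a phone
$browser = totp($secret, $t);   // synced copy of the same secret in a browser app

var_dump($phone === $browser);                     // same secret, same time
var_dump(totp_verify($secret, $phone, $t + 30));   // submitted one step late
var_dump(totp_verify($secret, $phone, $t + 90));   // submitted three steps late
```
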
techhelper1, posted June 7, 2015:

The PHP API is written in a simple way to implement (https://github.com/Yubico/php-yubico). All it needs is a couple of fields added to the admin/user settings, a couple of columns added in the database and then include the API files itself. It's not rocket science to implement so I still don't see what the problem is.

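One check such an integration needs, as an added PHP example that is not Blesta's or php-yubico's code: a validation service only confirms that an OTP is genuine for some key, so the application must also compare the OTP's public ID with the one stored for the account at enrolment. It assumes the standard 44-character OTP with a 12-character public ID; `$validate` is a hypothetical callable standing in for the call to the validation service, and the OTP strings are constructed.

```php
<?php
// Added illustration: binding a Yubico OTP to the account before validating it.
const MODHEX = 'cbdefghijklnrtuv';   // modhex alphabet used by Yubico OTPs

/** Split a standard 44-char OTP into its 12-char public ID and 32-char ciphertext. */
function parse_yubico_otp(string $input): ?array
{
    $otp = strtolower(trim($input));
    if (!preg_match('/^([' . MODHEX . ']{12})([' . MODHEX . ']{32})$/', $otp, $m)) {
        return null;
    }
    return ['otp' => $otp, 'public_id' => $m[1], 'ciphertext' => $m[2]];
}

/** Decode modhex to raw bytes (modhex maps one-to-one onto hex digits). */
function modhex_to_bytes(string $modhex): string
{
    return hex2bin(strtr($modhex, MODHEX, '0123456789abcdef'));
}

/**
 * $enrolledId is the public ID saved for the user at enrolment (hypothetical column).
 * $validate is a hypothetical callable: fn(string $otp): bool.
 */
function check_yubico_second_factor(string $enrolledId, string $input, callable $validate): string
{
    $parsed = parse_yubico_otp($input);
    if ($parsed === null) {
        return 'malformed';
    }
    // Without this comparison any valid YubiKey would unlock any account.
    if (!hash_equals($enrolledId, $parsed['public_id'])) {
        return 'wrong_key';
    }
    return $validate($parsed['otp']) ? 'ok' : 'rejected';
}

// Constructed sample values; the stub pretends the service accepts every OTP.
$serviceSaysValid = function (string $otp): bool { return true; };
$enrolled   = 'cccccchijklv';
$ownOtp     = $enrolled . str_repeat('bdefghij', 4);
$strangerOtp = 'ccccccbbbbbb' . str_repeat('bdefghij', 4);

echo check_yubico_second_factor($enrolled, $ownOtp, $serviceSaysValid), "\n";
echo check_yubico_second_factor($enrolled, $strangerOtp, $serviceSaysValid), "\n";
echo check_yubico_second_factor($enrolled, '123456', $serviceSaysValid), "\n";
echo strlen(modhex_to_bytes(parse_yubico_otp($ownOtp)['ciphertext'])), " bytes: one AES-128 block\n";
```
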
Cody, posted June 17, 2015:

> The PHP API is written in a simple way to implement (https://github.com/Yubico/php-yubico). All it needs is a couple of fields added to the admin/user settings, a couple of columns added in the database and then include the API files itself. It's not rocket science to implement so I still don't see what the problem is.

Our position isn't that we don't want to implement Yubikey as a token. In fact, we plan on making some improvements to the authentication system to make it easier to extend (OAuth, LDAP come to mind). But we've got a lot of other things we want to accomplish before we consider this.