1. 31
  1.  

  2. 5

    Making it contactless defeats a whole layer of security and I don’t understand why you’d want that.

    1. 5

      I’m not sure that it does. If you are sitting at the laptop and have the device already, what is the purpose of requiring a touch? In case an attacker has the laptop, the yubikey, but no hands?

      That said, it means anyone with the laptop has access, and this is only for logged in sessions, so I wonder why you would want a lockscreen at all. But as the author notes, they pull the key out when they leave their laptop unattended.

      1. 10

        My primary use of the Yubikey right now is for SSH (and a few sites that support the old Yubi, not U2F).

        So I have ssh-agent. If I didn’t require touch for each event, someone who has compromised my workstation or any server that I am using SSH agent forwarding with could use my key without my knowledge. Even if they get root and steal my agent socket, they can’t use it to move laterally through the network unless they come to my home and touch the key.

        By requiring touch for every action I can guarantee that even though my key is available it simply cannot be used without my consent.

        1. 5

          I agree that for an SSH it makes perfect sense to require the touch for exactly the reason you stated. I’m saying for locking a user’s laptop the touch doesn’t make much different - a lockscreen is intended to stop attackers who have short lived physical access.

          1. 3

            Yes, but as far as I know the “touch” option on a Yubikey is set in the firmware and is global. So if he turns off touch for this purpose, any other use of the key doesn’t require touch either. That’s concerning.

            edit: it looks like this might be available on a per-key/action basis inside the Yubikey? That must be new… but I’d still be concerned if you ever use the challenge response for anything else.

            1. 1

              Ah, sure if it’s a global option and this key is reused for other actions where touch is important, I’m in agreement that this would be a dangerous setting.

        2. 4

          You’d also want to use a password: something you know + something you have. I use a yubkey in static password mode, so that when I touch the button, it spits out the static text. I append that static text to the password I’ve memorized. That way, I gain 2FA in a way that doesn’t require the system to explicitly support the yubikey (for example, no need for the yubikey PAM module).

          1. 2

            I used that same method for a while :)

        3. 3

          It really just turns it into 1-factor authentication again, but with a device that is fairly easy to steal.

          I’m not sure if I’d want to have that as the only factor, but it’s not really “insecure”. More like having the password on a sticky note under the keyboard level of security.

        4. 2

          So it’s basically the SunRay login system?

          1. 2

            Being a lazy son of a gun I keep hoping I’ll see this included as a core feature in Linux distros. Passwords are nearing pointlessness in 2020 and a Yubikey is a much nicer experience all around.

            We use them extensively at work as one factor among several and they’re pretty great.

            1. 4

              I prefer passwords over using some proprietary black box to handle authenticating a local machine for me. The key can be stolen, whereas a memorized password at least gives the user the chance to make a choice about giving it up.

              1. 8

                Don’t like Yubikey? Great. Try an open source one. The FIDO/U2F standard makes them interoperable from my understanding.

                https://solokeys.com/

                1. 4

                  I actually have one of these, but found that it didn’t work all that reliably. Maybe I should dust it off and try again. Will they work with the pam_yubico module?

                  Edit: oof, support for these is very poor in webkit: https://bugs.webkit.org/show_bug.cgi?id=181943

                  1. 2

                    Yeah. Obviously everyone has to figure out what works for them, and I totally respect the idea of wanting to understand every iota of anything that fits into your security model, but if treating something like a Yubikey as an open standards conformant black box is good enough for my cloudy overlords infosec team (And those guys are INCREDIBLY strict, with really good reason) then it’s good enough for me.

                    YMMV and clearly does :) Sorry the solokey doesn’t seem to be a good fit for you. Maybe this is a market opportunity for someone?

                    1. 2

                      Well the problem is that:

                      1. not many services I use support these keys

                      2. the ones that do insist on using chrome (lol) even though it seems that firefox should work fine

                      3. the solokey doesn’t work on my phone (nexus 5x running lineageos), so if I want to login there I’ll have to enable some lesser secure option for login.

                      The only service that supports these things and works with firefox seems to be gitlab, but because of #3 I can’t enable it.

            2. 1

              I’m using a Yubikey in a similar manner to unlock my desktop (also sway!).

              I use udev to notify a daemon running in my user session. This daemon then asks the Yubikey for a challenge-response. So essentially the same minus PAM and not using it to lock.

              I was actually hoping to see NFC being used here, because plugging the thing in is kind of annoying.