# Yubikeys - Using them currently for?



## drmike (Jul 27, 2015)

Decided to take the leap finally and get a Yubikey for two-factor authentication. Generic usage with Lastpass.

I think we have a bunch of people here using Yubikeys. What are the interesting applications I should check out that support Yubikeys (online is fine, local LAN / same PC is even better)?


----------



## gxbfxvar (Jul 27, 2015)

I use Yubikeys, but I don't really use any special (desktop/mobile) applications except Yubico Authenticator for Android (similar to Google Authenticator, but works with Yubikey NEOs).

I have one standard (USB) Yubikey at home, NEO with me in my keychain, and a few backup keys, in case I lose my primary keys. Short press (and NFC) gives me the "normal" changing token and long press gives me a static password, which I use in some setups (for example, laptop FDE password is short "manual" text + yubikey static pw).

In addition to Lastpass, I have a Fastmail.fm account configured for Yubikey usage and I have coded a simple DIY pastebin app which works (only) with my Yubikeys.

I generally don't use Google services, so I don't have FIDO U2F things used at the moment.


----------



## Licensecart (Jul 27, 2015)

I don't use them. I hope to in the future, as it's easier than TFA, but Google's app and the one-time password and the normal password just seem more secure.


----------



## InertiaNetworks-Ryan (Jul 28, 2015)

Licensecart said:


> I don't use them. I hope to in the future, as it's easier than TFA, but Google's app and the one-time password and the normal password just seem more secure.



I use it for LastPass, it's my hardware SSH key, it's my U2F device, it's my everything really. I don't like relying on a 6-digit rolling code with a full computer attached to it that may have its own list of problems. There isn't a way to get around having a physical Yubikey device vs. a rolling 6-digit code that can be virtually synced everywhere but also faces the host's problems where the token lies. That's why I want Blesta folks to implement the Yubico OTP, because it's a better use of a slot than having to burn a dedicated one or even using Authy/Google Authenticator.


----------



## RLT (Jul 28, 2015)

One thing I've seen with Tapatalk is some of the device updates don't play nice with slightly older server installs.


----------



## InertiaNetworks-Ryan (Jul 28, 2015)

> One thing I've seen with Tapatalk is some of the device updates don't play nice with slightly older server installs.


What does that have to do with the OP's topic?


----------



## MannDude (Jul 28, 2015)

> > One thing I've seen with Tapatalk is some of the device updates don't play nice with slightly older server installs.
> 
> 
> What does that have to do with the OP's topic?



I think he meant to respond to the thread about Tapatalk.

Regarding the topic at hand, I've got a Yubikey somewhere in a drawer but never use it. It was something I needed to use for a previous job to log in to Lastpass. Was really nifty though, I wouldn't mind getting another to be honest.


----------



## InertiaNetworks-Ryan (Jul 28, 2015)

I bought a new Yubikey because of the smartcard and U2F capabilities. My old one is still good for LastPass and a static password.


----------



## Hxxx (Jul 28, 2015)

I like how everybody shares how they use their auth methods. Good work! Indeed keep filling the info for strategic attacks. Be wise people. Nobody should know what you do or what not in relation to your auth methods or alternate methods, much less how you applied them or to what they are functional...


----------



## InertiaNetworks-Ryan (Jul 28, 2015)

Hxxx said:


> I like how everybody shares how they use their auth methods. Good work! Indeed keep filling the info for strategic attacks. Be wise people. Nobody should know what you do or what not in relation to your auth methods or alternate methods, much less how you applied them or to what they are functional...



Dude, just because you know what factors are used, doesn't mean you'll be able to use it. My Yubikey's keys cannot be read out of the device, once it's written... that's it. I don't even know my private SSH key. Hell I don't even know my first-factor passwords so good luck getting into that too. All I can say is come at me bro. It's very rare I need to use TOTP so it's a backup option for a lot of the things I use.

Also, if your security is through obscurity then you need to rethink your security strategies.


----------



## Hxxx (Jul 28, 2015)

When you are into security, you are discreet. You don't simply call the cookie monster. Yubikey or not, nobody should know what your implementation is. We are talking about social and physical strategy to get your Yubi stuff. Just saying. It's not about obscurity, it's about not disclosing any type of information that might lead to a strategy.

Again, and also nobody cares.


----------



## InertiaNetworks-Ryan (Jul 28, 2015)

Hxxx said:


> Again, and also nobody cares.



Clearly you do dude.

Here's a Yubikey OTP string, cccccceihnvijtjfvrccfbrrtlbgufgiunuickurbkcd.

Here's a TOTP for application X, 972270.

Here's a TOTP for application Y, 699718.

Have at it.


----------



## RLT (Jul 29, 2015)

Sorry, cell decided to go back a page on me. I didn't catch it when I posted.


----------



## drmike (Jul 29, 2015)

Security through obscurity has some merits... but... As a purist, sure, everything I saw is theory, never did anything. Heck, I don't even know what SSH is, in theory.

Speaking of SSH, anyone know of a Yubi-friendly graft-on for further keeping SSH secure?


----------



## InertiaNetworks-Ryan (Jul 29, 2015)

Depends on how you want to implement it.

You can install a Yubikey PAM module and just use the OTP natively, but when you have no Internet connectivity it won't work.

You can use some sort of TOTP PAM module and just have the Yubikey generate the TOTP code on the fly, which does not require an Internet connection.

Lastly, you can generate a smart card certificate on the Yubikey and then use it as an SSH key. So it works natively to the server you're connecting to and all you have to worry about is getting your local workstation to support OpenSC for the smart card interface.


----------
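The first two options in the last post differ in what the SSH host can verify on its own; the sketch below is an added example, not code from the thread or from any PAM module. It assumes the common 44-character Yubico OTP layout (12-character public ID plus 32 encrypted characters); the function names and the `enrolled` mapping are hypothetical, and the sample OTP is the string quoted earlier in this thread.

```python
import hashlib
import hmac
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's alphabet standing in for hex 0-f

def modhex_to_hex(text):
    """Translate modhex characters to ordinary hex digits."""
    return "".join("%x" % MODHEX.index(ch) for ch in text)

def split_yubico_otp(otp):
    """Split an OTP into (public ID, encrypted part); ValueError if malformed.
    Assumes the common 44-character layout: 12 + 32 modhex characters."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a 44-character modhex OTP")
    return otp[:12], otp[12:]

def key_is_enrolled(user, otp, enrolled):
    """The only Yubico OTP check possible without the validation service:
    is this public ID enrolled for the user? The encrypted part still has to
    be verified by a service holding the key's AES secret."""
    try:
        public_id, _ = split_yubico_otp(otp)
    except ValueError:
        return False
    return public_id in enrolled.get(user, ())

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, unix_time, last_counter, window=1, step=30):
    """Fully offline check: return the accepted time-step counter, or None.
    Counters at or below last_counter are refused, so a code cannot be replayed."""
    now = unix_time // step
    for counter in range(max(0, now - window), now + window + 1):
        candidate = totp(secret, counter * step, step)
        if counter > last_counter and hmac.compare_digest(candidate, submitted):
            return counter
    return None

if __name__ == "__main__":
    sample = "cccccceihnvijtjfvrccfbrrtlbgufgiunuickurbkcd"  # OTP quoted in this thread
    print(modhex_to_hex(split_yubico_otp(sample)[0]))
    print(verify_totp(b"12345678901234567890", "287082", 59, last_counter=0))
```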

