Secure encryption via USB key


#1

Any users of the now-becoming-popular Yubikey or Nitrokey technologies?

Just being curious.


#2

I use a Trezor has my U2F device, since I needed something to keep my bitcoins secure anyway. For any sites not supporting U2F yet, it offers a handy password manager plugin.


#3

Not really using, but being just as curious :slight_smile: I bought two Yubikeys to play with, one U2F-only and one Yubikey 4 (with all the bells and whistles except near-field comms).

I am planning to use U2F as a second-factor authentication for administrative privileges etc. The reason to have two is so that I don’t get locked out in case one is damaged or lost.

Then I would like to experiment with the Yubikey 4 - it supports a number of challenge-response schemes and has a built-in smartcard plus smart-card reader. So will use pre-existing drivers and other infrastructure. It can even be used to generate key pairs with the private key never leaving the device, so it will be difficult to steal. Of course, without a PIN pad it is still vulnerable to keyloggers, unlike a proper card reader.

(A side note on the NFC-enabled Yubikey Neo, if anyone is considering buying one: At the moment, NFC is only supported on Android. According to Yubico this is because of restrictions in the access model of iOS.)


#4

So, what the Trezor does is display a randomized 3x3 number pad on its screen, and then asks you to enter your PIN on your PC or phone by interacting with an unlabeled 3x3 button grid. Only the Trezor knows which location matches which number, so no key logger will be able to know what PIN you enter. It’s even hard to see for somebody looking over your shoulder.


#5

Neat trick!:slight_smile:


#6

I’ve experimented with Yubikey, but so far havn’t found it very useful. I use a password manager and so Yubikey can be used partially for the master password. If I drop it somewhere then the security of Yubikey doesn’t seem all that great. you can configure it with a PIN, but PINs would take seconds to brute force. If the device can be secured with a longer password then that might be better, but you then get into a chicken and egg situation - a password to access your password to get to your passwords.