FH news Two factor authentication

[Deebs]

Today Freddy has just installed the FreddysHouse Tools : Yubico Authentication addon for XenForo courtesy of SheepCow. What does it do?

It implements two-factor authentication using a YubiKey. In simplest terms any YubiKey enabled account now requires the following to successfully login:

• Username
• Password
• Physical yubikey associated with the username above

Why? Well FH is extremely security conscious and in today's increasing number of cyber attacks will do anything to increase the security of anyone who stores information on our systems.

More information on Yubikeys can be found here: http://www.yubico.com. At this point testing is limited to administrators but if anyone already has a YubiKey then please let us know.

 

[Will]

Are the admins getting a Yubikey for xmas?

 

[Deebs]

Yubikey authentication is now enabled for all registered users. Details in the first post.

 

[rynnor]

Interesting - its a bit vague on their site - is it a cheap RSA token?

 

[ECA]

Interesting - its a bit vague on their site - is it a cheap RSA token?

No, it's 128bit AES.

Basically a cheapo security token.

 

[rynnor]

Would that put off the determined?

 

[Zenith.UK]

It's the old security adage:
Something you know and something you have.
A password you know, a physical object you have.

 

[ECA]

Would that put off the determined?

No.
But it would stop casual/keylogs/blah 99% of the random ways to get your account fucked.

 

[Zenith.UK]

Also I was considering getting one of these to go with Lastpass.
If it seems that there's more than one use for a single key, I'll consider getting one.

 

[Deebs]

It is a One Time Password (OTP) generator. Yubikey presents itself as a USB keyboard into whatever you plug it into (no drivers required). There are two modes of operation, the OTP and the ability to store a random 56 char (I think) password. Touch it for a second and it generates a OTP, touch it for more than 2 seconds and it outputs the stored password. There is no storage capacity on the key apart from your password and the firmware is stored in ROM so it cannot be tampered with. OTP cannot be replayed and are timestamped as well. It is a very well thought out system.

Basically if you associate one here on FH then we store the public identity of the YubiKey against your account (if doesn't matter if it gets out in the wild as it is just an identifier). Then when you use the OTP we capture that and send it off to the YubiKey Cloud Service to ask for validation, we get returned a yes, no, revoked status. If we get a yes and your password is correct we allow the login to continue.

I have 2 of them, one permanently at home, the other I carry with me. My LastPass account has been upgraded to premium and requires both my password and YubiKey to access, the forums require the same.

 

[Deebs]

Would that put off the determined?

No.
But it would stop casual/keylogs/blah 99% of the random ways to get your account fucked.

Actually it all depends. It would certainly stop any form of online attack against a webservice of any sort as without the physical key you would always be told no (even if you correctly guessed the password and thus could never verify that).

Would it stop an offline attack? No as they would already have the hash. The point of the second mode is that it makes it extremely easy to make a password impossible to crack consisting of just 1 char

eg.

My password is 1dvgkjh54ncvoij45n6lfkdvbnoidn645lkxcvjglejntertfsdpogvuj

All I have to remember is the digit 1. Why? When I come to enter my password into a form I simply press the number 1 on the keyboard and touch the YubiKey for 2 seconds. It types after my 1 the string "dvgkjh54ncvoij45n6lfkdvbnoidn645lkxcvjglejntertfsdpogvuj". As long as I have my YubiKey that is

 

[rynnor]

Cool - I'm getting one then!

 

[Deebs]

Cool - I'm getting one then!

Awesome thing to have. I use mine around 10-20 times a day.

 

[Nate]

I always thought these things linked to the internets somehow and put in a unique code for that login. The truth is they just put in the password for you?

 

[Deebs]

I always thought these things linked to the internets somehow and put in a unique code for that login. The truth is they just put in the password for you?

Go read up on two factor auth....

 

[Nate]

Read the 11th post before the 10th

 

[Nate]

But that's cool deebs, although as a user I don't think I have much to worry about the info I put up on here or someone getting access to this account. Good for admins though for sure

If I did have one can I use it for other places? Like my steam account or I noticed SW:ToR has a Security Key.

 

[rynnor]

Sweet - it worked - I associated the yubikey logged off and after user/password it prompted me for the yubikey code and logged me on.

 

[Deebs]

Sweet - it worked - I associated the yubikey logged off and after user/password it prompted me for the yubikey code and logged me on.

Fantastic news

 

[rynnor]

Ye-es - but it doesnt force me to use it unless I formally logout/login. I can still get in without it using presumably the cookie?

I have the 'use ubikey' box ticked - any ideas?

 

[Deebs]

Ye-es - but it doesnt force me to use it unless I formally logout/login. I can still get in without it using presumably the cookie?

I have the 'use ubikey' box ticked - any ideas?

The cookie has a 15 or 30 min expiry on it. If you logout the cookie is cleared, if you close the window it is not.