FH news Two factor authentication

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,077,349
Today Freddy has just installed the FreddysHouse Tools : Yubico Authentication addon for XenForo courtesy of SheepCow. What does it do?

It implements two-factor authentication using a YubiKey. In simplest terms any YubiKey enabled account now requires the following to successfully login:
  • Username
  • Password
  • Physical yubikey associated with the username above
Why? Well, FH is extremely security conscious and, with today's increasing number of cyber attacks, will do anything to increase the security of anyone who stores information on our systems.

More information on Yubikeys can be found here: http://www.yubico.com. At this point testing is limited to administrators but if anyone already has a YubiKey then please let us know.
 

Deebs

Yubikey authentication is now enabled for all registered users. Details in the first post.
 

rynnor

Rockhound
Moderator
Joined
Dec 26, 2003
Messages
9,353
Interesting - it's a bit vague on their site - is it a cheap RSA token?
 

Zenith.UK

Part of the furniture
Joined
Dec 20, 2008
Messages
2,913
It's the old security adage:
Something you know and something you have.
A password you know, a physical object you have.
 

Zenith.UK

Also I was considering getting one of these to go with Lastpass.
If it seems that there's more than one use for a single key, I'll consider getting one.
 

Deebs

It is a One Time Password (OTP) generator. The Yubikey presents itself as a USB keyboard to whatever you plug it into (no drivers required). There are two modes of operation: the OTP, and the ability to store a random 56 char (I think) password. Touch it for a second and it generates an OTP; touch it for more than 2 seconds and it outputs the stored password. There is no storage capacity on the key apart from your password, and the firmware is stored in ROM so it cannot be tampered with. OTPs cannot be replayed and are timestamped as well. It is a very well thought out system.

Basically, if you associate one here on FH then we store the public identity of the YubiKey against your account (it doesn't matter if it gets out in the wild as it is just an identifier). Then when you use the OTP we capture that and send it off to the YubiKey Cloud Service to ask for validation, and we get returned a yes, no or revoked status. If we get a yes and your password is correct we allow the login to continue.

I have 2 of them, one permanently at home, the other I carry with me. My LastPass account has been upgraded to premium and requires both my password and YubiKey to access, the forums require the same.
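The login flow Deebs describes, written out as an added example (constructed for this thread, not code from the XenForo addon or from Yubico): the account stores the key's public identity, the submitted OTP is checked against that identity, then sent to a validator, and only a "yes" plus a correct password opens the session. `FakeYubiCloud` is a stand-in that only enforces single use of each OTP; the real service does far more.

```python
import hashlib
import hmac

# YubiKey OTPs use "modhex", 16 letters on the same keys in every layout; constructed demo code.
MODHEX = set("cbdefghijklnrtuv")

def split_otp(otp):
    """(public_id, token) for a 44-char modhex OTP, or None if malformed."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
        return None
    return otp[:12], otp[12:]  # first 12 chars name the key, the rest is one-time

class FakeYubiCloud:
    """Constructed stand-in for the YubiKey Cloud Service; it only enforces single use."""
    def __init__(self, revoked=()):
        self.seen, self.revoked = set(), set(revoked)

    def verify(self, otp):
        parts = split_otp(otp)
        if parts is None:
            return "no"
        if parts[0] in self.revoked:
            return "revoked"
        if otp in self.seen:
            return "replayed"  # a captured OTP is worthless after its first use
        self.seen.add(otp)
        return "yes"

def make_user(password, yubikey_id):
    # Store the password hash and the key's public identity (not a secret).
    return {"pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "yubikey_id": yubikey_id}

def login(users, validator, username, password, otp):
    """Return (allowed, log_reason); show the user only a generic failure, never which factor failed."""
    user = users.get(username)
    parts = split_otp(otp)
    if user is None or parts is None:
        return False, "unknown user or malformed otp"
    # Must be the key registered to this account, or any valid YubiKey would open it.
    if parts[0] != user["yubikey_id"]:
        return False, "otp from a different key"
    status = validator.verify(otp)
    if status != "yes":
        return False, "validator said " + status
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False, "bad password"
    return True, "ok"
```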
 

Deebs

Would that put off the determined?
No.
But it would stop casual/keylogs/blah 99% of the random ways to get your account fucked.

Actually it all depends. It would certainly stop any form of online attack against a webservice of any sort as without the physical key you would always be told no (even if you correctly guessed the password and thus could never verify that).

Would it stop an offline attack? No as they would already have the hash. The point of the second mode is that it makes it extremely easy to make a password impossible to crack consisting of just 1 char :)

eg.

My password is 1dvgkjh54ncvoij45n6lfkdvbnoidn645lkxcvjglejntertfsdpogvuj

All I have to remember is the digit 1. Why? When I come to enter my password into a form I simply press the number 1 on the keyboard and touch the YubiKey for 2 seconds. It types after my 1 the string "dvgkjh54ncvoij45n6lfkdvbnoidn645lkxcvjglejntertfsdpogvuj". As long as I have my YubiKey that is :)
 

Nate

FH is my second home
Joined
Mar 13, 2004
Messages
7,454
I always thought these things linked to the internets somehow and put in a unique code for that login. The truth is they just put in the password for you?
 

Deebs

I always thought these things linked to the internets somehow and put in a unique code for that login. The truth is they just put in the password for you?
Go read up on two factor auth....
 

Nate

But that's cool deebs, although as a user I don't think I have much to worry about the info I put up on here or someone getting access to this account. Good for admins though for sure :)

If I did have one can I use it for other places? Like my steam account or I noticed SW:ToR has a Security Key.
 

rynnor

Sweet - it worked - I associated the yubikey logged off and after user/password it prompted me for the yubikey code and logged me on.
 

Deebs

Sweet - it worked - I associated the yubikey logged off and after user/password it prompted me for the yubikey code and logged me on.
Fantastic news :)
 

rynnor

Ye-es - but it doesn't force me to use it unless I formally logout/login. I can still get in without it using, presumably, the cookie?

I have the 'use yubikey' box ticked - any ideas?
 

Deebs

Ye-es - but it doesn't force me to use it unless I formally logout/login. I can still get in without it using, presumably, the cookie?

I have the 'use yubikey' box ticked - any ideas?
The cookie has a 15 or 30 min expiry on it. If you log out the cookie is cleared; if you close the window it is not.
 
