Someone just dropped a Yubikey on my desk to play with. Anyone ever do any security research with these?

7 Spice ups

Which one have you got? I have only ever seen one of the nano type in a visiting client’s laptop.

They are pretty damn solid.

I should have the Yubikey 4 this week. I will let you know how it goes!

I have a YubiKey for personal use. I like the feature of having multiple profiles and its ability to be used with multiple 2-factor suites. Personally I am using it with Duo Security.

Research? No, but I use it for my KeePass :o) It’s been a good sport so far; I’ve had it for about 3 years.

1 Spice up

We deployed them for 2FA and tied them in with AuthLite.

They are a piece of cake to deploy and use, especially the Nanos that fit into the USB port on laptops.

1 Spice up

They work great. Beware if you use thin clients, though; I can’t seem to get them to pass through Wyse P45s properly with the latest firmware.

Depends what you mean by “research”. For use as a second factor against most common authentication threat models, they are pretty great.

If you mean research in breaking them:

About 6 years ago on a much older YubiKey without a secure element, some researchers conducted a successful side-channel attack. Should be long-since mitigated.

If you have a ChipWhisperer, I’d be interested in whether a power or RF analysis could extract the AES key. I alas don’t have time to play with that myself.

Lastly, one guy dissolved the plastic injection molded case and poked directly at the internals. Not exactly an “under the radar” attack but fascinating nonetheless.

1 Spice up

We trialed them a while ago but ended up going with Duo and their hardware tokens.

I’m starting to play with these myself, using them as smart cards for some key accounts. I’m struggling with their support. I am able to make a key and log in to my domain, but can’t figure out how to change the PIN, erase the thing, etc.

I’m currently doing some research into the best way to integrate YubiKeys with domain logins.

Doughnut, did you ever find a good use for them?

1 Spice up

I have been struggling with this for a while. YubiKey support was no help other than basically reading the manual to me; they ended up telling me to format/reinstall the server hosting my CA and start over again. I love the idea and would love to use them, but just can’t get an answer on how to make them work.

1 Spice up

jsampler, which YubiKey are you using? We’re looking to start using them for 2FA and I’m curious which key you are using.

We use it with LogonBox to manage passwords as an OTP; it fires a 44-character AES-encrypted string into the login form with a simple touch of the USB.
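The 44-character string described in the post above is a Yubico OTP: 12 modhex characters of public ID followed by 32 modhex characters that are the AES-128 encryption of a 16-byte token carrying the key's private ID, a session counter, a timestamp, a per-session use counter, a random value and a CRC (this layout is from Yubico's published OTP specification). The following is an added example, not code from the thread, from Yubico or from LogonBox. It assumes the validation server already holds the key's AES secret and has decrypted the ciphertext (the AES step itself is omitted), and the public ID, private ID and counter values are constructed for the demo. It shows the modhex decoding, the CRC check that catches a wrong key or a damaged OTP, and the counter comparison that makes a captured OTP useless a second time.

```python
# Added example (not from the thread): structure of a 44-character Yubico OTP
# and the checks a validation server applies after decrypting it.
# Assumption: the server has the key's AES-128 secret and has already turned
# the 32-character ciphertext into the 16-byte token handled below. All IDs,
# counters and the sample OTP are constructed for this demo.
import struct
from typing import Dict, Tuple

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex
CRC_OK_RESIDUAL = 0xF0B8              # CRC over all 16 bytes of a valid token
COUNTER_MASK = 0x7FFF                 # top bit of the session counter is a flag


def modhex_decode(text: str) -> bytes:
    """Decode modhex text into bytes; raises ValueError on bad input."""
    if len(text) % 2 or any(c not in MODHEX_ALPHABET for c in text):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX_ALPHABET.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0xF] for b in data)


def split_otp(otp: str) -> Tuple[bytes, bytes]:
    """A 44-char OTP is 12 chars of public ID then 32 chars of AES ciphertext."""
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """CRC-16 as used by Yubico (X.25 style: poly 0x8408 reflected, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, session_counter: int, timestamp: int,
                session_use: int, rnd: int) -> bytes:
    """Construct a 16-byte plaintext token in the documented layout (demo only):
    uid(6) | session counter(2 LE) | timestamp(3 LE) | use(1) | random(2 LE) | crc(2 LE).
    The key stores the inverted CRC of the first 14 bytes."""
    body = uid + struct.pack("<HHBBH", session_counter, timestamp & 0xFFFF,
                             (timestamp >> 16) & 0xFF, session_use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_token(plaintext: bytes) -> dict:
    """Verify the CRC and unpack the fields of a decrypted 16-byte token."""
    if len(plaintext) != 16:
        raise ValueError("token must be 16 bytes")
    if crc16(plaintext) != CRC_OK_RESIDUAL:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    ctr, tstpl, tstph, use, rnd, _crc = struct.unpack("<HHBBHH", plaintext[6:])
    return {
        "uid": plaintext[:6],
        "session_counter": ctr & COUNTER_MASK,
        "timestamp": tstpl | (tstph << 16),
        "session_use": use,
        "random": rnd,
    }


class OtpValidator:
    """Per-key state: the private ID each public ID must carry, plus the last
    (session_counter, session_use) pair accepted, so a replayed OTP is rejected."""

    def __init__(self, registry: Dict[bytes, bytes]):
        self.registry = registry            # public ID -> expected private ID
        self.last_seen = {}                 # public ID -> (session_counter, session_use)

    def validate(self, public_id: bytes, plaintext: bytes) -> str:
        expected_uid = self.registry.get(public_id)
        if expected_uid is None:
            return "unknown key"
        try:
            fields = parse_token(plaintext)
        except ValueError:
            return "bad otp"
        if fields["uid"] != expected_uid:
            return "uid mismatch"
        counters = (fields["session_counter"], fields["session_use"])
        if counters <= self.last_seen.get(public_id, (-1, -1)):
            return "replayed otp"           # same or older than the last accepted OTP
        self.last_seen[public_id] = counters
        return "ok"
```

In a real deployment the counter state must be shared by every server that validates OTPs for the same key; a key validated against two independent stores can be replayed once against each.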

I know it can also generate FIDO-based public/private key pairs. They adhere to an industry standard called Universal 2nd Factor, the standard hardware-based authentication with public key cryptography which makes them extremely difficult to compromise.