"In a 21 March 2011 email to customers, RSA essentially admitted that the information stolen from their internal network could allow an attacker to compromise a SecurID-protected system without having physical possession of the token."
This is actually why two-factor authentication is great. In this instance, users were still protected (at the least) by their PIN.
This is somewhat equivalent to losing your ssh private key. Yes, it's bad, but your passphrase should ("should" -- at least it's not an immediate breach like losing a password or clear text private key) buy you enough time to revoke and replace the key.
Exactly. Until we can come up with a better system the rule of thumb is:
1) Know something
2) Have something
It's somewhat easy for a potential cracker to gain access to either one of the two, but extremely difficult to have both.
Hell, when I used SecurID at one of my first jobs you had a PIN to go with the token number, almost like a salt to your password. Even if they had the key they wouldn't be able to access my accounts.
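The "know something + have something" rule above, worked through as an added example (not code from any commenter, RSA or Yubico): a verifier that requires both a PIN and an RFC 4226 HOTP code from a seeded token, as SecurID-style deployments do. The seed, PIN and user name are constructed for the demo; `TwoFactorVerifier`, its look-ahead window and lockout limit are this example's own design, not any vendor's. It shows the point the thread makes: someone who holds the seed alone (the breach scenario) can compute codes, but still fails without the PIN, guesses are rate-limited, and `reseed` is the "revoke and replace" step.

```python
"""Two-factor check: something you know (PIN) + something you have (HOTP token).

Added illustration; the seed and PIN values used below are constructed.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a stolen verifier database does not hand over the PINs too.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    seed: bytes                      # shared secret programmed into the token
    counter: int = 0                 # next counter value the server expects
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: bytes = b""
    failures: int = 0                # consecutive failed attempts


class TwoFactorVerifier:
    LOOK_AHEAD = 5      # tolerate a few codes generated but never submitted
    MAX_FAILURES = 5    # lock the account after this many bad attempts

    def __init__(self) -> None:
        self.users = {}  # user name -> TokenRecord

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        rec = TokenRecord(seed=seed)
        rec.pin_hash = hash_pin(pin, rec.pin_salt)
        self.users[user] = rec

    def reseed(self, user: str, new_seed: bytes) -> None:
        """Revoke a compromised seed (e.g. after a vendor breach) by issuing a new one."""
        rec = self.users[user]
        rec.seed = new_seed
        rec.counter = 0
        rec.failures = 0

    def verify(self, user: str, pin: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None or rec.failures >= self.MAX_FAILURES:
            return False
        # Check both factors unconditionally so a failure does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash)
        matched = None
        for c in range(rec.counter, rec.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec.seed, c), code):
                matched = c
                break
        if not (pin_ok and matched is not None):
            rec.failures += 1
            return False
        rec.counter = matched + 1   # consumed codes can never be replayed
        rec.failures = 0
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 test-vector secret
    v = TwoFactorVerifier()
    v.enroll("alice", seed, "4321")
    print(v.verify("alice", "4321", hotp(seed, 0)))   # both factors: True
    print(v.verify("alice", "0000", hotp(seed, 1)))   # seed known, PIN not: False
```

The `hotp` function reproduces the RFC 4226 test vectors (counter 0 with that secret gives 755224), so the verifier can be checked against a real token implementation.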
Yubikeys are different in that there isn't (well, doesn't have to be) a centralized location where management of the keys is handled. Yubico offer a solution where you can authenticate/issue/revoke keys from within your own infrastructure[1]. So long as you keep that secure (say with an HSM) you should be OK.
According to the Fedora wiki they're used to create OTPs (one-time passwords), but still... I don't like the idea of a physical token that can be stolen and used without verifying the user (meaning that you still need user/password or any other auth mechanism to complement the Yubikey).
Yeah you will still need username/pass for google I'm sure. Although they mentioned something about a ring? NFC maybe?
If you run your own server, though, you can set up challenge-response on the Yubikey which might make things easier by allowing maybe a PIN instead of a password.
Hopefully one day soon we will be able to authenticate with behavior; maybe a combination of gait/speech cadence/facial structure. Or maybe like a Rorschach test instead of username/password field :)
"In a 21 March 2011 email to customers, RSA essentially admitted that the information stolen from their internal network could allow an attacker to compromise a SecurID-protected system without having physical possession of the token."
http://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_c...
So passwords are a bad idea, but I'm not sure if I want to replace a problem with a different one.