Yubikey: One Time Password vs Static Password


I received my Yubikey a few days ago! Very good service from Yubico. Living in Belgium, the key was sent from Sweden (three business days to be delivered, tracking number, safely packed, etc).

For those who have never heard the word “Yubikey”, a small introduction. The Yubikey is a very simple USB key that is recognized as a standard keyboard once inserted into a USB port (no driver required: if your OS supports USB, it will support the key). Once the green light (a circle) is on, your key is ready! Now press the single button and a random string of 44 characters will be sent to the text field where your cursor is positioned (as if you had typed the string yourself very quickly). The string contains useful data:

  • Characters 1-12: the Yubikey ID
  • Characters 13-44: a one-time password (OTP)

Example:

fukfjdhrnhdhdkdkhdkspnehdoskdjrhenpqlejhwne
fukfjdhrnhdhjdnsklezpdkdjruejshdiuelpqzhepp
fukfjdhrnhdhtrjdqpkdjeuziqosdnskqpdbxvdgzuq

This is an OTP (One-Time Password). If you combine your login or a password/PIN with a button press on the Yubikey, you are using strong authentication (based on two factors: something you know – your login – and something you have – your Yubikey). That’s very good!

Yubico provides an on-line validation server (for free) which your applications or websites can use to authenticate users, along with a long list of APIs ready to be used in your code. If you’re part of a big organization or if you don’t trust Yubico, it’s also possible to deploy your own validation server. In OTP mode, to validate a user, you need to be online (with at least network or Internet connectivity to the validation server). If you’re interested in more information about the Yubikey, check out the website.

There is another way to use your Yubikey: it can be reconfigured to provide a static password. To achieve this, Yubico provides a specific tool. In static mode, the Yubikey always sends the same password when the button is pressed. No network connection is needed; the authentication occurs as if you had typed a very long and complex password yourself! This is very convenient for protecting low-level services such as a Truecrypt boot manager (system encryption) or a WPA Wi-Fi key.

However, the static password mode can give you a false sense of security. Even if you still use two-factor authentication (a login/password and a hardware key), the security is greatly reduced by the static password! Here are some examples:
1. If your system is compromised and a key-logger is installed, it will capture your static password, and the pseudo-complexity of that password will never protect you again!
2. If you use your key to enable low-level security features like boot managers and your key is stolen, you’re also in big trouble! The configured mode (OTP or static) won’t make a difference, and your login is often too easy to guess.
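To make the 12 + 32 character split concrete, and to show why static mode loses the replay protection that OTP mode gives against a key-logger, here is an added Python example (it is not from the original post or from Yubico’s own libraries). It assumes the real Yubico OTP encoding, ModHex (alphabet cbdefghijklnrtuv), rather than the illustrative strings above; the tokens it uses are constructed, and a real validation server additionally decrypts the OTP with the key’s AES secret and checks its counters, which is not reproduced here.

```python
# Added example: split a 44-character Yubikey token into its public ID and OTP part,
# and show how a validation service refuses a replayed OTP. Sample tokens are constructed.
MODHEX = "cbdefghijklnrtuv"  # Yubico ModHex alphabet, one character per hex nibble


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string to bytes; raises ValueError on a bad character."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def split_token(token: str) -> tuple[str, str]:
    """Return (public_id, otp): characters 1-12 and 13-44 of the typed string."""
    token = token.strip().lower()
    if len(token) != 44:
        raise ValueError(f"expected 44 characters, got {len(token)}")
    modhex_decode(token)  # reject anything a Yubikey would not have typed
    return token[:12], token[12:]


class ReplayGuard:
    """Remembers the OTPs already accepted for each key and never accepts one twice."""

    def __init__(self) -> None:
        self._seen: dict[str, set[str]] = {}

    def accept(self, token: str) -> bool:
        public_id, otp = split_token(token)
        used = self._seen.setdefault(public_id, set())
        if otp in used:
            return False  # a key-logged or sniffed value cannot be reused
        used.add(otp)
        return True


# Constructed tokens for one hypothetical key: each press yields a fresh OTP part.
PRESS_1 = "ccccccbcgujh" + "dtejhnbcrgkuntidikvlgcnclgtlilrh"
PRESS_2 = "ccccccbcgujh" + "bhkfejcldvbrkgvurvthlgdbenrtjhgh"


def static_mode_outcome(password: str, presses: int) -> list[bool]:
    """In static mode every press types the same string, so only the first press
    passes a replay check: the guard cannot tell the owner from a key-logger."""
    guard = ReplayGuard()
    return [guard.accept(password) for _ in range(presses)]


if __name__ == "__main__":
    guard = ReplayGuard()
    print(split_token(PRESS_1))
    print(guard.accept(PRESS_1), guard.accept(PRESS_1), guard.accept(PRESS_2))
    print(static_mode_outcome(PRESS_1, 3))
```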

Here is some advice. First, use two Yubikeys (one left in the default OTP configuration and one re-flashed in static password mode) to cover all your authentication mechanisms. Second, whenever possible, combine your static password with a classic, memorized password. Finally, store your Yubikeys in a safe place or always carry the keys with you (on a lanyard). A key left next to your workstation reduces its security to zero.

Like any other security feature or device, it must be used in the right way to reach the expected level of protection.
