Yubikey: One Time Password vs Static Password

Yubikey

I received my Yubikey a few days ago! Very good service from Yubico. Living in Belgium, the key was sent from Sweden (three business days to be delivered, tracking number, safely packed, etc).

For those who never heard the word “Yubikey”, a small introduction. The Yubikey is a very simple USB-key recognized as a standard keyboard once inserted into an USB port (no driver required, if your OS supports USB, it will support the key). Once the green light (a circle) is on, your key is ready! Now press the unique button and a random string of 44 characters will be sent in the text zone where is pointed your cursor (like if you typed the string yourself very quickly). The string contains useful data:

  • Characters 1-12 : the Yubikey ID
  • Characters 13-44 : a one time password (OTP)

Example:

fukfjdhrnhdhdkdkhdkspnehdoskdjrhenpqlejhwne
fukfjdhrnhdhjdnsklezpdkdjruejshdiuelpqzhepp
fukfjdhrnhdhtrjdqpkdjeuziqosdnskqpdbxvdgzuq

This is an OTP (One Time Password). If you combine your login or a password/PIN with a button press on the Yubikey, you are using strong authentication (based on two factors: something you know – your login – and something you have – your Yubikey). That’s very good!

Yubikey provides an on-line validation server (for free) which can be used by your applications or websites to authenticate users. Yubico provides a long list of API ready to be used in your code. If you’re part of a big organization or if you don’t trust Yubico, it’s also possible to deploy your own validation server. In this mode, to validate a user, you need to be online (with at least a network or an Internet connectivity). If you’re interesting in more information about the Yubikey, check out the website.

There is another way to use your Yubikey. It can be reconfigured to provide a static password. To achieve this, Yubico provides a specific tool. In static mode, the Yubikey will always send the same password when the button is pressed. No need for a network connection, the authentication occurs like if you typed a very long and complex password by yourself! This is very convenient to protect low-level services like a Truecrypt boot manager (system encryption) or a WPA Wi-Fi key.

However, the static password mode will give you a false sense of security. Even if we still use a dual-factors authentication (a login/password and a hardware key), the security is greatly reduced by the static password! Here are some examples:
1. If your system is compromised and a key-logger is installed, it will grab your static password and the pseudo complexity will never protect you again!
2. If you use your key to enable low-level security features like boot managers, if you key is stolen, you’re also in big trouble! The configured mode (OTP or static) won’t make the difference, your login is often verytoo easy to discoverguess.

Here are some advices: First,use two Yubikey’s (one left in the default configuration mode and one re-flashed in static password mode) to cover all your authentication mechanisms. Second, whenever possible, combine your static password with a classic password (memorized). Finally, store your Yubikey’s in a safe place or carry always the keys with you (with a lanyard). A key left next to your workstation will reduce the security to zero.

Like any other security feature or device, it must be used in the right way to reach the expected level of protection.

4 comments

  1. It doesn’t have to be a choice of one or the other – the most secure way to use 2fa authentication is to ensure that the additional factor provides additional security to what is already in place. Typically this would mean adding to the existing username and password, so to be most effective the second factor should be of a different type (e.g. either of the “something you have” type, or perhaps a biometric.

  2. Some corrections, sorry.

    Where it reads:

    “I.e., password = pin+”, it should read “I.e., password = pin+yubikey’s static password”.

    “gmail password could be mymail|”, it sould read “gmail password could be mymail|yubikey’s static password”

  3. Hello,

    A simple, yet effective, method for “protecting” the static password in the Yubikey is to divide it in two parts. For instance, the actual password can be the concatenation of a relatively simple PIN/password that only you know with the output from the Yubikey. I.e., password = pin+. Also, one can vary the memorized part of the password to login into different services, e.g., a gmail password could be mymail|. But a password manager is preferred, of course 🙂

    With this method, even if the Yubikey is stolen, an attacker must always brute force one-half of the password, making the attack considerably more challenging; especially if the validation server/daemon employs password throttling.

    It won’t defeat the key logger scenario, but one should never use static passwords on untrusted systems anyway. Moreover, if your own system is already compromised, you have bigger issues to worry about, because even OTPs/smart cards are vulnerable to active attacks.

    JP

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.