Think cell keygen

1/28/2024

It kind of goes without saying that losing the key results in you getting locked out - if there was any other way there wouldn't really be much of a point to the complication of making yourself dependent on a stick.

> As a backup, you either have some kind of spare keys in safe storage or reliable access to someone who can restore your access after having identified you.

I have two Yubikeys, but I don't consider the second one as a "spare" that has to be locked away. I carry one USB-C/NFC key on my key chain. The other is a USB-A Yubikey nano, which is always at home in my desktop's monitor USB port so I can reach it very easily. By using both regularly, I'm more likely to notice if one key gets broken or lost.

> * in some cases you could generate the key beforehand on a computer, and then load it on a stick (unsure about yubikeys though).

You should still revoke your key anyway once your stick is lost - as you should assume it could be found and used, sometimes needing only a touch operation rather than a PIN. You can copy the same secrets to a different key or store them somewhere safe.

I considered doing this, but in the end all services that I use allowed adding two keys, which seems like the better option.

My reasoning was that if I have two identical keys A/B and I lose key A, I would have to immediately invalidate key B too - but before I can do that I would need to:

2. setup new secrets for key C and store them
3. reset key B to use the same secrets as key B then log into every service to add the key C and remove key A/B

Up until point 3 (which may take a while until I get key C, unless I would always have a third key lying around) all accounts are vulnerable. On the other hand if I have two separate keys with different secrets, I can just remove the lost key from all services and deal with the replacement key later.

> If you lose your primary method you have to remember the password to unlock your secondary software ssh key.

The post I was replying to was talking about 2FA in general, not just for SSH keys. Many people take the advertisements of Facebook, Google, Twitter et al. to push for 2FA as pure gospel, but completely neglect "worst case recovery" scenarios - and then run into stone walls when it inevitably happens, because FB/GOOG/TWTR don't offer any sort of customer support (other than raising threads on HN, and even that is similar to winning the lottery) and Amazon AWS doesn't offer multiple 2FA keys at all.

The laws of statistics mean that even if something happens only for 0.001% of all users, at the scale of the big tech companies it still hits tens to hundreds of thousands of people, who have no recourse at all and are now completely and forever locked out of their online identity. Simply because they have not known about the failure modes.

We here, who debate on HN, know about the dangers and how to prevent them. But our parents? Our siblings? They do not, and companies push them to extremely irresponsible practices nevertheless.

We can't go and claim on the one side (when fighting against surveillance, backdoors etc.) that our online identities and presences are extensions of our minds and should be protected, and at the same time make it so extremely easy for people to lose access to them!

The feature causing this is -O resident, which tells the device, "Hey, you need to remember these credentials" (i.e. they are resident on the device).

For WebAuthn this enables "usernameless" login. You rock up to a random PC anywhere in the world, go to the site, just click "Sign in", and your authenticator is like, "Hi, according to my records I am archi42, user 123456-ACBDE-123, and as proof here's a signature made with my unique private key", and the site checks its database and signs you in.

For SSH, this means the magic file that makes SSH with FIDO work can be regenerated on another client machine by just asking it to spit out the credentials.

Chances are your device does not have this feature, usernameless login on the web is rare, so few people need this, and of course it's a considerable extra hardware implementation burden. Yubico products have it though, as do some others, and the phone implementations (iPhone, newer Android) likewise. Convenient and fairly secure (most devices with such a feature expect a PIN, or a fingerprint, or some such factor beyond "something you have" in the form of the authenticator itself).
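The usernameless exchange that the -O resident comment above describes, written out as an added example; this is not code from the thread, from Yubico or from OpenSSH. It simulates a FIDO authenticator that stores a resident (discoverable) credential, a relying party that stores only the credential ID and public key, and the assertion that flows between them when the user types nothing but "Sign in". Everything here is constructed: the RP ID example.com, the user handle 123456-ACBDE-123 borrowed from the comment's illustration, Ed25519 standing in for the ES256 most real authenticators use, a hand-built clientDataJSON, and a flag byte fixed to UP|UV to represent the touch and PIN the comment mentions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator side. Resident credentials are kept keyed by relying-party ID, so a
// request that carries only the rpID is enough for the device to find the right key.
type residentCred struct {
	credID, userHandle []byte
	priv               ed25519.PrivateKey
	signCount          uint32
}

type Authenticator map[string]*residentCred

// MakeCredential creates a resident key and returns what the RP stores: credential ID
// and public key. The private key never leaves the device.
func (a Authenticator) MakeCredential(rpID string, userHandle []byte) ([]byte, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	credID := make([]byte, 16)
	rand.Read(credID) // crypto/rand.Read cannot fail as of Go 1.24
	a[rpID] = &residentCred{credID: credID, userHandle: userHandle, priv: priv}
	return credID, pub, nil
}

// Assertion is the device's answer: "I am UserHandle, this is my credential ID, and
// here is a signature over authenticatorData || clientDataHash as proof".
type Assertion struct{ CredID, UserHandle, AuthData, Signature []byte }

// GetAssertion is the usernameless path: the RP sends no credential ID, the device
// discovers the credential from rpID alone and signs with the stored private key.
func (a Authenticator) GetAssertion(rpID string, clientDataHash []byte) (*Assertion, error) {
	c := a[rpID]
	if c == nil {
		return nil, errors.New("no resident credential for " + rpID)
	}
	c.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(make([]byte, 0, 37), rpHash[:]...)
	ad = append(ad, 0x05) // flags UP|UV: touch and PIN/biometric satisfied (assumed here)
	ad = binary.BigEndian.AppendUint32(ad, c.signCount)
	msg := append(append([]byte{}, ad...), clientDataHash...)
	return &Assertion{c.credID, c.userHandle, ad, ed25519.Sign(c.priv, msg)}, nil
}

// Relying-party side: one record per credential ID, public data only.
type rpRecord struct {
	userHandle []byte
	pub        ed25519.PublicKey
	signCount  uint32
}

type RelyingParty struct {
	ID       string
	byCredID map[string]*rpRecord
}

// clientDataHash hashes a constructed stand-in for the browser's clientDataJSON.
func clientDataHash(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"https://%s"}`, challenge, rpID)))
	return h[:]
}

// VerifyAssertion checks, in order: credential known and user handle matches, rpIdHash
// is ours, user present and verified, counter moved forward, signature valid.
func (rp *RelyingParty) VerifyAssertion(challenge []byte, a *Assertion) ([]byte, error) {
	rec, ok := rp.byCredID[string(a.CredID)]
	if !ok || !bytes.Equal(rec.userHandle, a.UserHandle) {
		return nil, errors.New("unknown credential id or user handle mismatch")
	}
	if want := sha256.Sum256([]byte(rp.ID)); len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return nil, errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if a.AuthData[32]&0x05 != 0x05 {
		return nil, errors.New("usernameless login needs user presence and user verification")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count <= rec.signCount {
		return nil, errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	msg := append(append([]byte{}, a.AuthData...), clientDataHash(rp.ID, challenge)...)
	if !ed25519.Verify(rec.pub, msg, a.Signature) {
		return nil, errors.New("bad signature")
	}
	rec.signCount = count
	return rec.userHandle, nil
}

// Demo registers one resident credential, signs in from "a random PC" with nothing but
// the device, then tries two things that must fail: replaying the captured assertion,
// and asking a device that holds no credential for this site.
func Demo() (user string, replayRejected, strangerRejected bool, err error) {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "example.com", byCredID: map[string]*rpRecord{}} // constructed RP ID
	handle := []byte("123456-ACBDE-123")                                      // opaque user handle from the comment
	credID, pub, err := auth.MakeCredential(rp.ID, handle)
	if err != nil {
		return "", false, false, err
	}
	rp.byCredID[string(credID)] = &rpRecord{userHandle: handle, pub: pub}
	challenge := make([]byte, 32) // fresh per attempt; a real RP also expires it
	rand.Read(challenge)
	a, err := auth.GetAssertion(rp.ID, clientDataHash(rp.ID, challenge))
	if err != nil {
		return "", false, false, err
	}
	if handle, err = rp.VerifyAssertion(challenge, a); err != nil {
		return "", false, false, err
	}
	_, replayErr := rp.VerifyAssertion(challenge, a)
	_, strangerErr := Authenticator{}.GetAssertion(rp.ID, clientDataHash(rp.ID, challenge))
	return string(handle), replayErr != nil, strangerErr != nil, nil
}
```

The two failure cases in Demo are the point: the RP rejects an assertion whose signature counter has not moved (a replay, or a cloned authenticator), and a device with no resident credential for that RP ID cannot answer at all, which is exactly why the SSH key file can be regenerated from the original stick but not from a spare that was never loaded. On real hardware the MakeCredential step corresponds to `ssh-keygen -t ed25519-sk -O resident` and the "spit out the credentials" step on another machine to `ssh-keygen -K`.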