I use the Yubikey Neo as a smartcard + gpg for ssh private key logins[1], U2F with Google[2] accounts, and their OTP for things like LastPass[3].<p>I wrote some patches for KeepassX to use the Yubikey to derive the encryption key (completely offline)[4] but unfortunately the maintainer has zero interest in merging them.<p>[1] <a href="https://www.yubico.com/2012/12/yubikey-neo-openpgp/" rel="nofollow">https://www.yubico.com/2012/12/yubikey-neo-openpgp/</a><p>[2] <a href="http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html" rel="nofollow">http://googleonlinesecurity.blogspot.com/2014/10/strengtheni...</a><p>[3] <a href="https://www.yubico.com/products/services-software/personalization-tools/yubikey-otp/" rel="nofollow">https://www.yubico.com/products/services-software/personaliz...</a><p>[4] <a href="https://github.com/keepassx/keepassx/pull/52" rel="nofollow">https://github.com/keepassx/keepassx/pull/52</a> and <a href="https://news.ycombinator.com/item?id=7801131" rel="nofollow">https://news.ycombinator.com/item?id=7801131</a>
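The offline derivation described in the comment above works because the YubiKey's HMAC-SHA1 slot answers any challenge with HMAC-SHA1(secret, challenge), so a database can keep a fixed random challenge in its header and mix the token's response with the master password. The following is an added example written for this page; it is not the KeepassX patch linked above nor code from any project. The token secret, the header layout and the PBKDF2 parameters are assumptions, and the token itself is modelled in software so the derivation runs without hardware.

```python
"""Offline key derivation from a YubiKey HMAC-SHA1 challenge-response.

Added example, not KeepassX code: the token is modelled in software so the
derivation can be exercised without a physical YubiKey.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the 20-byte secret programmed into a YubiKey
# HMAC-SHA1 slot. On a real token the secret is write-only; only the
# response ever leaves the device. (0x0b * 20 is the RFC 2202 test key.)
TOKEN_SECRET = bytes([0x0B] * 20)
OTHER_TOKEN_SECRET = bytes([0xAA] * 20)


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of the YubiKey HMAC-SHA1 slot: returns HMAC-SHA1(secret, challenge).

    The 64-byte limit matches the slot's maximum challenge size. How the
    token pads shorter challenges is not modelled (assumption: the client
    always sends the same fixed challenge, so padding rules do not matter).
    """
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def new_header(challenge: Optional[bytes] = None, salt: Optional[bytes] = None,
               iterations: int = 100_000) -> dict:
    """Per-database parameters stored in the clear next to the ciphertext.

    The challenge is fixed when the database is created so that the token
    returns the same response on every open.
    """
    return {
        "challenge": challenge if challenge is not None else os.urandom(32),
        "salt": salt if salt is not None else os.urandom(16),
        "iterations": iterations,
    }


def derive_database_key(master_password: str, header: dict, response: bytes) -> bytes:
    """Stretch password || token response into a 32-byte encryption key.

    Neither factor alone reproduces the key: the password is useless without
    the token's response, and the response is useless without the password.
    The response is always 20 bytes, so the concatenation is unambiguous.
    """
    ikm = master_password.encode("utf-8") + response
    return hashlib.pbkdf2_hmac("sha256", ikm, header["salt"],
                               header["iterations"], dklen=32)


def open_database(master_password: str, header: dict, secret: bytes) -> bytes:
    """What the client does on open: challenge the token, then derive the key."""
    response = token_response(secret, header["challenge"])
    return derive_database_key(master_password, header, response)


if __name__ == "__main__":
    header = new_header()
    key = open_database("correct horse", header, TOKEN_SECRET)
    print("database key:", key.hex())
    # A different token (or a wrong password) yields an unrelated key, so the
    # ciphertext simply fails to decrypt; there is nothing online to consult.
    print("other token :", open_database("correct horse", header, OTHER_TOKEN_SECRET).hex())
```

The practical caveat this shows: because the challenge is fixed per database, losing the token means losing the database unless the 20-byte slot secret was backed up when the slot was programmed, since a replacement YubiKey programmed with the same secret produces the same response.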
I use a Yubikey for my Google accounts. They did a great job integrating it as a multi-factor auth option. It's a lot easier than punching in numbers from an SMS/Google Authenticator.<p>My Yubikey feels like a natural member of my key ring! I love it.
FYI anyone can integrate yubikey u2f logins on their website. It's easy, try it out:<p><a href="https://developers.yubico.com/U2F/Libraries/List_of_libraries.html" rel="nofollow">https://developers.yubico.com/U2F/Libraries/List_of_librarie...</a>
I bought a YubiKey so I could use it on my laptop with LastPass. Works fine. One day I grabbed my iPad and opened the LastPass app and it hit me... how am I going to authenticate with a YubiKey on an iPad. It took my password and then just worked.<p>I guess I misunderstood. I thought that once I enabled two-factor auth for LastPass, it'd require that no matter what. Nope, just open the iPad app and no two-factor required.
I own a YubiKey Neo. My plan was to use it with KeePass/OATH HOTP (I used it with master password only on my three main devices). Turns out the OtpKeyProv plugin won't work on the OSX version I used before (MyPass Companion, switched to MacPass since because well it's on github). So for now I'm using the non-native Windows version with Mono.<p>Alas, syncing between different machines isn't easy (counter gets out of sync) and I'm not all that comfortable with keeping the database in my owncloud.<p>If anyone has a good suggestion for a cross-platform (Xubuntu, OSX, Android), syncable and FLOSS OATH HOTP password storage solution that doesn't rely on 3rd party cloud storage I'm all ears. Not exactly a security expert but I feel that's the setup I want :)
I could fall back to challenge/response and that would fix some issues but be less secure.<p>[The Yubikey itself is pretty cool though]
Compared to Google Authenticator app, YubiKey (a) makes hardware-based OTPs as opposed to time-based OTPs (does that offer stronger security?) and (b) can be used as smart card in GnuPG solutions.<p>It being a separate piece of plastic might arguably be another advantage, if we assume that most people are more likely to lose their phone than their keyring.<p>It’s interesting: apparently[0], YubiKey is Google’s initiative and the company itself uses YubiKeys internally.<p>[0] <a href="http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-wants-to-make-your-passwords-obsolete/" rel="nofollow">http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-w...</a>
<a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a><p>I too use the Yubikey Neo as a smartcard, but not with the GPG applet, rather with the PIV applet. As such, to connect to my most secure servers, my Yubico is mandatory, so it's just impossible to brute-force your way in.
I use the GPG applet ...well...for GPG.<p>However, I'm still looking for a cheap way to do fingerprint (rather than typing your PIN) authentication.
Has anybody heard of a fingerprint token which works with Linux AND Mac OS X? Or is it possible to have a fingerprint reader as some sort of proxy?<p>Second question: I wanted to use the Yubico NEO as a smartcard token with a TrueCrypt fork, but the TrueCrypt source code has really specific requirements for the objects it can store on a smartcard (buggy requirements if you ask me) and as such it's not possible to use the Yubico as a physical decryption key for an encrypted volume.
Does anybody have a suggestion for another working solution?
Just got some of these to secure ssh login to our infrastructure. They work great, but be prepared for a bit of a hassle, especially if you've never used anything like a smart card before. Finding simple answers on how to use one as an RSA smart card device for ssh took a few hours, and getting it into the right mode took some obscure commands.
This looks interesting, but I don't totally understand how it works. How is the key changed every time on the server? It looks like it requires server side support.