... or think that hardware is more secure than software, there is at least one TOTP hardware token available.
For those who don't like phones
Posted Dec 8, 2011 6:24 UTC (Thu) by wahern (subscriber, #37304)
When I create a new shell account on my server I hand one of these out.
I just bought 10 for $99 (holiday special). I think if these were in the $3-$5 range they'd sell much better, but what do I know.
Yubico also sells a tiny USB hardware security module to securely (i.e. irretrievably) store the OTP secrets for authentication. It's pricey but still the cheapest HSM solution by far that I'm aware of. The HSM isn't necessary, of course, but it's an extremely nice option.
Posted Dec 8, 2011 7:02 UTC (Thu) by Cato (subscriber, #7643)
The only issue with Yubikey is that it requires a USB port so there's no way to use it on most smartphones, many of which don't even have a USB port. Same goes for some Internet cafes that don't allow USB devices to be plugged in, and some corporates perhaps. The great thing is that it does work without drivers for any computer that has a USB keyboard interface.
Duo Security might be a better option for desktop and phone use. It is more or less a superset of Google Authenticator, with phone/text callback as well as smartphone apps, but also has the option of a hardware token with display for the random passcode.
Posted Dec 8, 2011 9:49 UTC (Thu) by Yenya (subscriber, #52846)
- central authority: I maintain several servers, and I want to be able to log in even in case the server is half-broken (i.e. DNS or network only partly functional). For an ordinary user, Yubikey is a great technology. For a server admin, not so much.
- multiseat: at home, I have a multiseat workstation, and I have so far not found an easy way to configure which head the hot-plugged keyboard (the yubikey module) should be mapped to. I have primary keyboards for both seats configured statically in their respective ServerLayout sections in xorg.conf.
Posted Dec 8, 2011 12:30 UTC (Thu) by Cato (subscriber, #7643)
For multiseat, a USB-based login method may not be very suitable as it requires the login process to know more about Yubikey - perhaps a smartphone or traditional token would work better.
Posted Dec 9, 2011 0:49 UTC (Fri) by wahern (subscriber, #37304)
It doesn't matter if the HOTP counters on the servers become out of sync with each other as long as the counter on the key is monotonically increasing. The servers will fast forward until they find a match (within a configurable limit).
Admittedly you open yourself up to replay attacks. But you're hardly in a worse position than with regular passwords. TOTP is better in this regard, but what matters is how much better HOTP is compared to the baseline.
I pine for the day when my Goldkey USB crypto token works out-of-the-box (or my 10-year-old Schlumberger crypto card, for that matter), but that day isn't here yet.
Posted Dec 9, 2011 1:01 UTC (Fri) by wahern (subscriber, #37304)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds