
For those who don't like phones

Posted Dec 8, 2011 4:19 UTC (Thu) by PlaguedByPenguins (subscriber, #3577)
Parent article: Google Authenticator for multi-factor authentication

... or think that hardware is more secure than software, there is at least one TOTP hardware token available.


For those who don't like phones

Posted Dec 8, 2011 6:24 UTC (Thu) by wahern (subscriber, #37304)

I'll vouch for the Yubikey HOTP system: www.yubico.com. Yubikeys are quite slick. They're much faster than even typing in a short TOTP string, yet still don't require any client software. They pose as a USB keyboard. When you press the button the next OTP is printed along with a line feed. Works for SSH, HTML web forms, etc.

When I create a new shell account on my server I hand one of these out.

I just bought 10 for $99 (holiday special). I think if these were in the $3-$5 range they'd sell much better, but what do I know.

Yubico also sells a tiny USB hardware security module to securely (i.e. irretrievably) store the OTP secrets for authentication. It's pricey but still the cheapest HSM solution by far that I'm aware of. The HSM isn't necessary, of course, but it's an extremely nice option.

For those who don't like phones

Posted Dec 8, 2011 7:02 UTC (Thu) by Cato (subscriber, #7643)

I use Yubikey as well - currently with LastPass, a password manager that works on Linux, Mac, Windows, iPhone, Android, etc. More applications (web and other) need to support two-factor - currently Fastmail is an email service that supports Yubikey.

The only issue with Yubikey is that it requires a USB port so there's no way to use it on most smartphones, many of which don't even have a USB port. Same goes for some Internet cafes that don't allow USB devices to be plugged in, and some corporates perhaps. The great thing is that it does work without drivers for any computer that has a USB keyboard interface.

Duo Security might be a better option for desktop and phone use. It is more or less a superset of Google Authenticator, with phone/text callback as well as smartphone apps, but also has the option of a hardware token with display for the random passcode.

Links:
- http://yubikey.com/
- http://duosecurity.com/

Yubikey

Posted Dec 8, 2011 9:49 UTC (Thu) by Yenya (subscriber, #52846)

I have tested yubikey briefly, and although it is an interesting technology, I found it unusable for my needs, because of two problems:

- central authority: I maintain several servers, and I want to be able to log in even in case the server is half-broken (i.e. DNS or network only partly functional). For an ordinary user, Yubikey is a great technology. For a server admin, not so much.

- multiseat: at home, I have a multiseat workstation, and I have so far not found an easy way to configure to which head the hot-plugged keyboard (the yubikey module) should be mapped. I have primary keyboards for both seats configured statically in their respective ServerLayout sections in xorg.conf.

Yubikey

Posted Dec 8, 2011 12:30 UTC (Thu) by Cato (subscriber, #7643)

For the server case, you would need to have a non-Yubikey login method not using two factor, and this applies to almost any two factor system I would think. Since this 'recovery login' would only be used in the 'something very broken' case, it's not too vulnerable to keyloggers on the client. Google Authenticator has a recovery process with pre-printed emergency token codes, which may be better.

For multiseat, a USB-based login method may not be very suitable as it requires the login process to know more about Yubikey - perhaps a smartphone or traditional token would work better.

Yubikey

Posted Dec 9, 2011 0:49 UTC (Fri) by wahern (subscriber, #37304)

Regarding the central authority, it's no different than any other method--the server needs access to the secret (or public key) in order to authenticate. Just put the secret on all the servers.

It doesn't matter if the HOTP counters on the servers become out of sync with each other as long as the counter on the key is monotonically increasing. The servers will fast forward until they find a match (within a configurable limit).

Admittedly you open yourself up to replay attacks. But you're hardly in a worse position than with regular passwords. TOTP is better in this regard, but what matters is how much better HOTP is compared to the baseline.

I pine for the day when my Goldkey USB crypto token works out-of-the-box (or my 10 year old Schlumberger crypto card, for that matter), but that day isn't here yet.

Yubikey

Posted Dec 9, 2011 1:01 UTC (Fri) by wahern (subscriber, #37304)

Has anybody purchased tokens from http://www.gooze.eu/? They're the only seller of single-unit TOTP tokens I have found so far, and other than Goldkey of public-key crypto tokens as well.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds