
A comparison of cryptographic keycards

Posted Oct 18, 2017 13:38 UTC (Wed) by madhatter (subscriber, #4665)
Parent article: A comparison of cryptographic keycards

> Finally, the NEO has this peculiar feature of supporting NFC for certain operations [...] but I haven't used that feature yet.

For me, this is one of the most useful features of my Yubikey, because when used with my LineageOS 'phone running Yubico Authenticator, it can generate quite a lot of TOTP OATH codes. Since Google Authenticator has become fairly ubiquitous for website 2FA, this has allowed me to turn on 2FA on every account I have that allows it (I have six different OATH codes stored on the Neo right now, and more are likely to be added shortly).

I'd say at this point that I use my Neo about four times as often for TOTP OATH as I use it for keyboard-based OTP authentication. You might want to take a second look at the NFC support.



A comparison of cryptographic keycards

Posted Oct 19, 2017 16:58 UTC (Thu) by anarcat (subscriber, #66354)

> You might want to take a second look at the NFC support.

I didn't expand on this too much in the article because that wasn't the main point, but the reason why I don't use NFC is twofold.
  1. First, I don't use mobile phones very much. I find them intrusive, fragile and unreliable. Way too much proprietary stuff, and I just don't trust them. So the stuff I would need OTP for on the phone is most likely more critical stuff I would never do on the phone in the first place, so meh.
  2. Second, I don't know how NFC works so much. I don't know what encryption mechanism is used, which power or radio band it's using, so I can't decide how really secure that thing is. And I don't really care to know, because of #1. :p At this point, I feel it's just a liability that this thing has radio capabilities to possibly exfiltrate data...

A comparison of cryptographic keycards

Posted Oct 21, 2017 16:00 UTC (Sat) by raven667 (subscriber, #5198)

This seems like so much voodoo without a threat model. OTPs on an NFC token are still much safer than OTP secrets on an internet-connected device. NFC is extremely short range, like 1cm or less, and I believe NFC devices draw power inductively, so the threat requires close physical presence. It's not so different than an RSA token, someone could just take it from you. Like any similar device it is designed so that you can write secrets to it but you cannot read them back out, only the current token value, which makes an attack like an NFC reader brushing your pocket, which is probably far outside your threat model, less useful as they could only get a single value, not much different than spying an RSA token on a table.
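
The "single value" point above, worked through as an added example (not part of the comment, and not Yubico's code): standard TOTP per RFC 6238 with HMAC-SHA1, measuring how long one observed code keeps verifying. The secret is the RFC 6238 test key; the 30-second step and the verifier's ±1-step drift window are assumptions about a typical server.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed here)
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real credential


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """What the token hands out: only the code for the current time step."""
    return hotp(secret, now // STEP, digits)


def verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Verifier side: accept codes from +/- `window` steps to absorb drift."""
    current = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def captured_code_lifetime(secret: bytes, captured_at: int, window: int = 1) -> int:
    """Seconds for which a code observed at `captured_at` still verifies."""
    code = totp(secret, captured_at)
    t = captured_at
    while verify(secret, code, t, window):
        t += 1
    return t - captured_at


if __name__ == "__main__":
    t0 = 59  # constructed timestamp: last second of time step 1
    print("code seen at t=59:", totp(SECRET, t0))
    print("still accepted for", captured_code_lifetime(SECRET, t0), "seconds")
```

The observed code says nothing about the HMAC key, so once the verifier's window has passed it is useless; a verifier that also rejects already-used codes shortens that further.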

A comparison of cryptographic keycards

Posted Oct 22, 2017 4:04 UTC (Sun) by nix (subscriber, #2304)

Also, what can an attacker do with access? Generate as many TOTP OATH codes as they like. And they could use this to... grant you, the owner of the key, access to various resources. Worrying about this seems about as sensible as worrying about your SSH public keys getting out.

