[HN Gopher] What I Wish I Knew About U2F and Other Hardware MFA ...
___________________________________________________________________
What I Wish I Knew About U2F and Other Hardware MFA Protocols
Author : dylanz
Score : 32 points
Date : 2021-04-16 19:48 UTC (2 hours ago)
(HTM) web link (goteleport.com)
(TXT) w3m dump (goteleport.com)
| travgary wrote:
| I think HSM's are just expensive because of price gouging rather
| than cost of the device? Like the Yubikey HSM is the same form
| factor as the Nano FIPS key but over 10x the price.
| hlieberman wrote:
| Generally speaking, they're both: 1) higher performance, and 2)
| held to a much higher standard in terms of certifications they
| need.
|
| For example, a normal YubiKey is unrated, a YubiKey FIPS is
| level 2 rated, and a Thales HSM is level 3 rated with all sorts
| of zeroization hardware.
| travgary wrote:
| Interesting, maybe also the development costs too. They sell
| way less volume of HSMs compared to the standard keys but the
| HSM's require I'm sure some very rigorous development and
| testing.
| foolmeonce wrote:
| > HSM's require I'm sure some very rigorous development and
| testing.
|
| I think they mostly require an outside evaluator to do a
| sort of documentation process that costs somewhere around
| $500k depending on complexity on a new product, and maybe
| $50k just for up-versioning.
|
| It's generally hard to get that money back on a product
| since the market of organizations that need the
| certification is tiny and then the larger overall market
| for a security product is also usually small and not so
| happy to defray those costs.
| cronos wrote:
| Mostly yes. It's a niche product with low demand and relatively
| high R&D costs, so margins have to offset that.
|
| There's probably also a bit of psychological biases at play,
| like: "if your HSM is 10x cheaper than everyone else's, it must
| be crappy and insecure".
| christiansakai wrote:
| For a noob like me, I am thinking to get a Yubikey. What will
| happen if I lose my Yubikey? Am I essentially out of luck
| assuming the admins can't reset my password or associated yubikey
| device?
|
| How do I prevent such scenario from happening? Is there truly a
| fool proof way of hardware authentication?
| Tomte wrote:
| Usually people buy a second Yubikey, enrol both and have the
| second one somewhere safe.
|
| Most services and web sites also give you emergency login codes
| to print out, though.
| busterarm wrote:
| This is the thing to do.
|
| But I would suggest SoloKeys instead.
|
| I use these to log into my Linux systems, in combination with
| a password. pam_u2f was pretty easy to setup.
| exporectomy wrote:
| For services where no admin can get your access back, like
| most websites, a 3rd factor should be a compulsory part of
| 2FA. There's a balance between keeping hackers out and
| keeping yourself out. The more factors you require, the more
| optional factors you should also require users to have, not
| just optional codes but "you must write these codes down,
| we'll check later to make sure you did" or something like
| that.
| sly010 wrote:
| Buy 3 keys. Register all of them to your account. Then register
| all of them to your spouses account too. Put one on your
| keychain. Put one on your spouses keychain. Put one in a safe
| place.
|
| By enrolling my spouse and cross registering all keys, both of
| us are safe. We might loose our keychain, but we will always
| find each other, even when we are traveling.
|
| This works for Google and GitHub, but not every service allows
| for multiple keys. But this should be a no-brainer imho.
| BoppreH wrote:
| Doesn't that mean that stealing any of the 3 yubikeys means
| full permanent compromise of all your and your spouse's
| account?
|
| I think a good with system should include some sort of
| revocation, like a master key you can keep in a safe to
| revoke there's devices.
| 1MachineElf wrote:
| No, it does not mean that. At least in my experience, every
| service where I have multiple YubiKeys registered still
| requires my username and password. Without those, someone
| who stole the YubiKey would not be able to login to my
| accounts.
| TacticalCoder wrote:
| From TFA:
|
| > Since the U2F device creates and stores asymmetric key pairs,
| and is able to sign arbitrary "challenges", can I use it as a
| general-purpose hardware key store?
|
| You can however do it "the other way round" and use a private key
| to derive a U2F path. And that same private key can be used for
| many other applications (or none). For example you can use the
| Ledger Nano S (originally a cryptocurrencies hardware wallet),
| which has an HSM, with your "seed" (say a 256-bit secret, stored
| as 24 words you hide), to log in sites using U2F.
|
| Additionally as long as you've got your secret, you can
| reinitialize your Nano S (or another one) as a new U2F device and
| there's no need to reset your U2F credentials on the site as the
| newly initialized device shall work exactly as if it was the old
| one.
|
| Fun fact: the CTO of Ledger was part of the group working on the
| original FIDO specs.
| scott00 wrote:
| I thought PKCS#11 was exactly what the author wanted: an API for
| performing arbitrary sign and encrypt operations using a hardware
| protected key. What doesn't it do?
| loloquwowndueo wrote:
| A tomu (https://tomu.im/tomu.html) can be used as a U2F device.
| Since it's hackable and the code for U2F is available maybe it
| can be adapted as the author was asking (do you know of a
| device...?)
___________________________________________________________________
(page generated 2021-04-16 22:00 UTC)