Yubikey


Postby mikelines » Fri Feb 20, 2009 3:56 pm

Has any consideration been given to supporting Yubico's Yubikey OTP (one time password) device? I would like to be able to use this for the master password for my lastpass account. The lingering concern I have about any centralized password storage solution, whether local only like roboform or online like formarks or lastpass, is that if you compromise the master password, you have compromised all the accounts underneath that master. With the Yubikey solution, you in effect have a 2 factor authentication solution (if you combine the yubikey with a PIN). The code appears to be relatively simple to implement to have a back end auth server for the Yubikey devices.

I'd like to hear your thoughts on implementing this and whether you have any plans to do so. PS - I am also not discussing using the Yubikey in its static password mode, but rather in the dynamic mode it was intended for.

Thanks,

Michael
mikelines
 
Posts: 11
Joined: Fri Feb 20, 2009 9:35 am

Re: Yubikey

Postby ITBuddha » Sat Feb 21, 2009 11:11 am

Bump!

I would love to know how "lastpass" feels about Yubikey and if they have future plans to implement it.
Thanks
ITBuddha
 
Posts: 1
Joined: Sat Feb 21, 2009 11:08 am

Re: Yubikey

Postby JoeSiegrist » Sat Feb 21, 2009 10:06 pm

We like the Yubikey -- we're playing with it now. We haven't decided how we'll implement it yet (as a 2nd factor or as a replacement/augmentation of your single factor).

Joe
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Yubikey

Postby mathys » Thu Feb 26, 2009 6:17 pm

I second the possibility of using the yubikey in its OTP mode. If you guys can get that implemented into lastpass it would be great. As Mikelines mentioned, having your 1 password open up all your other ones is always in the back of my mind. One less thing to worry about in case of a key logger.

Thanks for a great product.
Mathys
mathys
 
Posts: 14
Joined: Thu Aug 28, 2008 2:58 pm

Re: Yubikey

Postby Crusader » Sat Mar 21, 2009 8:24 am

Hello,

I watched your screencast about Yubikey. So you only use the master password to encrypt my passwords, right? Then if I store my encrypted passwords locally, I could decrypt them without Yubikey, even if I choose to use Yubikey?

You claimed in the video that in order for someone to have access to my passwords, one would need my
-email
-master password
-Yubikey hardware

But there is another way to access my passwords, this needs:
-the encrypted passwords
-the master password

So if someone steals somehow the encrypted passwords (for example, from your S3 storage), then it does not matter whether I used Yubikey or not, is it true?

Is it possible to have 2 totally same Yubikey hardwares (1 for usage, 1 for backup)?

(Did you really use Firefox 2 in that screencast? It is discontinued and contains unpatched security holes.)
Crusader
 
Posts: 32
Joined: Sat Feb 28, 2009 6:31 pm

Re: Yubikey

Postby h0pc » Sun Mar 22, 2009 2:38 pm

I like the idea (if possible) of having 2 yubikeys. One for each keychain.

-E
h0pc
 
Posts: 224
Joined: Wed Aug 27, 2008 5:27 pm

Re: Yubikey

Postby JoeSiegrist » Sun Mar 22, 2009 6:45 pm

Crusader wrote: So if someone steals somehow the encrypted passwords (for example, from your S3 storage), then it does not matter whether I used Yubikey or not, is it true?


The S3 backup storage is further PGP encrypted but essentially yes this is true -- the issue we face here is if we use your Yubikey as part of your key it then locks you out of places where yubikey won't go (e.g. your mobile phone), and would lock you out completely if Yubico ever went under...or was even offline.
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Yubikey

Postby Crusader » Mon Mar 23, 2009 6:11 am

Is it possible to own 2 Yubikey hardwares, which are the same? I mean if I lost the first one, I can use the second one without doing anything?

You should warn users before using Yubikey, because it is dangerous how the system works.

If the user lost the Yubikey, he/she can request to disable it, if he/she clicks on a link in email. But of course most users would store the password for the email service in Lastpass. Which means if you lost your Yubikey, you can't request to disable it via email. Don't you think it is dangerous?

In fact if you use Yubikey, you must use a dedicated email address just for Lastpass, and you have to remember the password for your email, in case of lost Yubikey.

Do you think that users are aware of this?

What do you think about this: Yubikey Security Weaknesses
Crusader
 
Posts: 32
Joined: Sat Feb 28, 2009 6:31 pm

Re: Yubikey

Postby Crusader » Thu Jun 25, 2009 5:59 pm

Great. I just received my Yubikey (1.0), and I immediately got an email from Yubico that Yubikey 2.0 is ready, and they are shipping it now. But I ordered the version 1.0, lol.

They offer 45% discount for existing owners if you order at least 9 Yubikeys...

But with shipping, tracking number and VAT Yubikey costs $50, so it isn't cheap.
Crusader
 
Posts: 32
Joined: Sat Feb 28, 2009 6:31 pm

Re: Yubikey

Postby Tiger5252 » Sun Jun 28, 2009 1:09 pm

I would agree with you if all of Fredrik Björck's problems with the yubikey were not looked at by Yubico and fixed. Every single one of his comments "Weaknesses" have been taken care of. That tells me that the company is hard at work to fix any and all problems with their key.

To answer your question about being able to have 2 keys, you have to have both keys using the same 128 AES key and both of them would have to have the session counter the same for both keys, which they wouldn't be. See this link to understand why.

And finally I agree with you about the e-mail. I think a revocation code method would be better, like they use at Key Genius

At some point the user is going to have to be a little responsible for either keeping track of his key or the revocation code.

I do not work for either Yubico or Last Pass, just like the idea of having 2 factors of authentication protecting all my passwords.

Crusader wrote: Is it possible to own 2 Yubikey hardwares, which are the same? I mean if I lost the first one, I can use the second one without doing anything?

You should warn users before using Yubikey, because it is dangerous how the system works.

If the user lost the Yubikey, he/she can request to disable it, if he/she clicks on a link in email. But of course most users would store the password for the email service in Lastpass. Which means if you lost your Yubikey, you can't request to disable it via email. Don't you think it is dangerous?

In fact if you use Yubikey, you must use a dedicated email address just for Lastpass, and you have to remember the password for your email, in case of lost Yubikey.

Do you think that users are aware of this?

What do you think about this: Yubikey Security Weaknesses
Tiger5252
 
Posts: 1
Joined: Wed Jun 10, 2009 6:52 pm
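
The counter requirement Tiger5252 describes for two identical keys, as an added example (not code from Yubico, LastPass or any poster in this thread): a simplified model of a validation server's replay check on the counters of an already-decrypted OTP. AES decryption and integrity checks are left out, and the `Token` class, the private ID and the scenario are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecryptedOtp:
    """Counter fields a validation server reads after decrypting an OTP."""
    private_id: str    # secret identity programmed into the token
    use_counter: int   # non-volatile, incremented at each power-up
    session_use: int   # volatile, incremented per OTP within one session


class Validator:
    """Accepts an OTP only if its counters are strictly ahead of the last seen."""

    def __init__(self):
        self.last_seen = {}  # private_id -> (use_counter, session_use)

    def verify(self, otp):
        current = (otp.use_counter, otp.session_use)
        previous = self.last_seen.get(otp.private_id)
        if previous is not None and current <= previous:
            return "REPLAYED_OTP"
        self.last_seen[otp.private_id] = current
        return "OK"


class Token:
    """Hypothetical stand-in for a key; every press models a fresh power-up."""

    def __init__(self, private_id):
        self.private_id = private_id
        self.use_counter = 0

    def press(self):
        self.use_counter += 1
        return DecryptedOtp(self.private_id, self.use_counter, 0)


def clone_scenario():
    """Two tokens programmed identically (constructed ID), used in turn."""
    server = Validator()
    daily = Token("constructed-id-01")
    backup = Token("constructed-id-01")  # same AES key and identity assumed
    results = [server.verify(daily.press()) for _ in range(3)]    # counters 1..3
    results += [server.verify(backup.press()) for _ in range(4)]  # counters 1..4
    results.append(server.verify(daily.press()))                  # counter 4 again
    return results
```

The backup clone is rejected until its own counter passes the daily key's, and from then on the daily key is the one rejected, so the two cannot be swapped freely.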

