adrianh77 Wrote:Two factor auth refers to the fact that two different authentication mechanisms are used to authenticate the user. Having two usernames/emails and passwords does not qualify as two factor auth. Not only that, but this option is disabled by default so you are guiding your users into an insecure default setting while reassuring them that it's safe because it's two factor auth.
A keylogger installed on my machine will capture both passwords. First auth mechanism is usually what you know (username and password) and second mechanism is what you have (USB drive, smartcard, etc.). I understand that some of your users have lost their YubiKeys and they were upset, but I'm afraid you have thrown out the baby together with the water. By allowing a user authenticated only through a password to disable the YubiKey authentication you are rendering the whole thing useless. The proper fix would have been to show a big red warning that the user data will be lost if the password or the YubiKey is lost and have the user accept that warning, and not allow changing settings only with master password. Next best thing would probably be to give me a setting that would require both master password and YubiKey authentication in order to disable YubiKey.
This is a pretty big blunder in my opinion, especially from the leading Password Manager app, very disappointing.
Simply put in a dummy email address as your Security Email Address - ie. firstname.lastname@example.org - and what ever email is sent to disable your Yubikey, is non-existent, thus you can't disable the Yubikey.. Problem solved.
adrianh77 Wrote:This is a ridiculous proposal, yes I've already read this proposal on another thread on this forum. Why don't you write an email an put your SSN, name, address, phone numbers, bank account user names and passwords in the body and then email it to email@example.com because that email address does not exist? .... this is how I feel about this proposal.
adrianh77 Wrote:Your mindset about security is wrong, I'll keep looking, functionally you probably have a good product, but I'm not convinced about its security, even less than before after this discussion. Thank you!
Users browsing this forum: No registered users and 21 guests