WebAuthn questions:
1) When I create a passkey for a service, one of the options (on Apple OSs, anyway) is to use a security key like a YubiKey. I assume that means I need to whip out my YubiKey every time I want to log into that service.
Yubico recommends buying more than one physical key, in case you lose the primary key you have a backup. But how do I back up a passkey I created through Apple UI with another YubiKey?
2) I see no way for a service to require both a passkey (with or without physical key) *and* a passphrase of some kind. Since I'm most likely carrying my YubiKey with my iPhone at all times, all someone needs to do is knock me out*, touch my finger to my phone (or hold it to my face), and log in to whatever. Requiring a passphrase to unlock my local private keychain is the only way to protect against this kind of attack, but I see no way to enforce that level of security.
*Mind you, I don't have access to anything I think anyone is willing to knock me out for, but who knows what a savvy street thug might learn to do opportunistically?
Btw, I think #PAM is an underrated piece of tech. It's pluggable, so you can implement whatever authentication strategy you want. Fingerprint check? Face recognition? You tell me.
But not only this. It can be used beyond login managers. There was one time when I played with alternative authentication for the #sudo program. In my case, I wanted to tap on my #YubiKey instead of using a password. It proved inconvenient, so I rolled things back, but it's fascinating how easy it was to configure this.
Random question: Why does the yubikey type a random string into the computer when pressing on the logo without it blinking?
#yubikey #askfediverse #question
Get your #Yubikey ready, WebAuthn will soon be a free feature for #Bitwarden users.
https://github.com/bitwarden/server/commit/6db02e2e5c1a49c24a053780c1b6f9ce9120764a
#bitwarden #passwords #yubikey
Thanks @chiefgyk3d for the YubiKey and fidget toy! He's got some donated from #Yubico to give away on Twitch streams, so check out his stream to get in on the Marbles games and win a #yubikey. #security
@steffo I have a #YubiKey 5. When I got it, they didn't have the Security keys, and I wanted one with #OpenPGP support anyway.
For me, WebAuthn is the killer feature. No more TOTP, yay! I do not use OTP generation on the key, though, as it would require me to have both my phone and my key on hand to generate OTPs.
Another thing I often use with it is the PIV auth for my MacBook, which is especially handy when it's closed and connected to a monitor.
Once again the question, before I spend an unnecessary amount of money on a new used phone:
Is there a way to perform or substitute the biometric unlock in de-Googled #Android ( @iode or @GrapheneOS ) with a fingerprint sensor (#Fingerabdrucksensor) connected to the USB port (or, for all I care, a #yubikey or something similar), or perhaps by means of an RFID tag via the built-in NFC antenna?
#Android #Fingerabdrucksensor #yubikey
Guess who lost and found his #YubiKey again. ... Sucked it out from the USB port. 😅
@FirefoxNightly Hey there :)
Just noticed that on the latest nightly build my Yubikey no longer works when trying to authenticate to Gmail.
I launched a repair mode session but it didn't help.
I'll be checking for existing bugs later today but so far it's a blocker on my end.
#yubikey #2fa #nightly #firefox
Following the Electoral Registrar confirming a serious breach of our data that they’ve collected, I’ve finally pulled the trigger on two #Yubikey keys to harden my own login security and stop relying on SMS as the 2FA route. Have held off because of my concerns about losing the physical keys and thus access to associated accounts. But the odds of being hacked are growing, not shrinking.
Bah... I just realized my 3 year #gpg signing, encryption and authentication keys are all expiring in a month. Time to dig out the "how to do gpg keys on a yubikey" instructions on github and find my offline master private key.
Does anyone have an updated guide for installing #Arch with full disk encryption - using a #yubikey as part of MFA decryption?
There are a few old articles/blogs - but some of them seem quite outdated. I found this: https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/ for Ubuntu that looks like it would work for Arch - if I use dm-crypt?
edit: removed non-functional markdown link
#arch #yubikey #archlinux #fde #encryption
Results of the "Crack the sekurak passwords" contest. We also present the password-cracking methods used by the winners (writeups!)
On 17 July we announced a contest in which Yubikey keys from Yubico were up for grabs. There were 12 hashes to crack, from the page http://recon.zone/hashez.txt. The contest was decided on 19 July at high noon. Most participants put the hashcat tool to work. And no, the point was not to exploit the power of many GPU cards. The tool had to be used cleverly,...
#Teksty #Awareness #Hashcat #Hasła #Konkurs #Yubikey
https://sekurak.pl/rozwiazanie-konkursu-zlam-sekurakowe-hasla-prezentujemy-rowniez-metody-lamania-hasel-uzyte-przez-zwyciezcow-writeupy/
So apparently, according to Yubico's CS, they accidentally placed a "normal", no-barcode Security Key into an "Enterprise Edition" packaging and told me not to worry about it. They advised me to reset the key with ykman if I was still worried.
#yubikey #yubikeys #yubico #OnlineSecurity #CyberSecurity #hardwarekey #securitykeys #fido2
It appears that if you have registered a #Yubikey as a FIDO2 key in #Bitwarden, it allows this but for reasons unknown it doesn't work. Fortunately I discovered I also set up another 2FA login method which allowed me to log in. I have now removed this key from my account and configured 2 others in its place.
If you configured a Yubikey against your Bitwarden account, go check now that it works, and if it doesn't, take the time to redo your 2FA configuration. Do it now!