Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yubikey Neo Teardown and Durability Review

Posted by timothy on from the do-not-place-in-any-mailbox dept.

An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructable. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending.

88 comments

  1. Okay, what is it? by TWX · · Score: 4, Insightful

    The branding, "Yubikey Neo," means nothing to me. Sounds like an Asian version of the main character from The Matrix.

    --
    Do not look into laser with remaining eye.
    1. Re:Okay, what is it? by DrunkenTerror · · Score: 2

      "Yubikey?" No, I walkie. She drovie.

    2. Re:Okay, what is it? by jellomizer · · Score: 2

      Exactly. Even on a site for Computer Geeks and Nerds, It is silly to think we know of every new fangled device that is released, and their particular marketing claims of the day.
      Being the poster contracted for the company, it probably means he is engulfed in the sales and marketing of the company and makes him believe that this is a really popular product. While it just covers a small niche.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Okay, what is it? by Anonymous Coward · · Score: 0

      This is Slashdot, not SoylentNews. We read the article here first, then comment later.

      If you had done the right thing, and read the article first, you would have seen this in THE FIRST GODDAMN SENTENCE of the article:

      Yubikey Neo is a $50 authentication token (with bells and whistles) from Yubico.

    4. Re:Okay, what is it? by OzPeter · · Score: 5, Insightful

      Try Google.

      I have one on my keyring. I know exactly what it is, and what it is used for.

      In other words you have prior information that makes sense out of the word salad that passes for summaries these days.

      The rest of use just look at the summary and go WTF?!?!?!?

      And yes, I have heard of that Google thing, but one of the prime tenets of good communication is to not make your audience go elsewhere for fundamental information. Because sooner or later they will be going to other sources for all of their information and will be by-passing you completely.

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re:Okay, what is it? by willworkforbeer · · Score: 1

      Line 1 from The Fine Article linked in summary: "Yubikey Neo is a $50 authentication token (with bells and whistles) from Yubico."

      --
      Pretending this is my office full of bitter coworkers..
    6. Re:Okay, what is it? by ZombieDonut · · Score: 3, Funny

      Haha, I thought the same thing, "They're certainly talking about something... something that... uhhh... apparently is made like crap?" I would've claimed this to be corporate shill, but the article isn't flattering, and this would be the worst advertisement ever. I get more information from late night drug commercials than this.

    7. Re:Okay, what is it? by antiperimetaparalogo · · Score: 4, Insightful

      Line 1 from The Fine Article linked in summary: "Yubikey Neo is a $50 authentication token (with bells and whistles) from Yubico."

      And the whole Slashdot summary: "An anonymous reader writes: Folks at HexView (disclaimer: I contract for the company) took apart Yubikey Neo and found out that, while the key uses solid hardware to ensure secure identity management, its physical anti-tamper measures and durability could be improved. The tear-down analysis is short, but to the point, and offers some very nice close-ups of the internals. One example of the design shortcomings they've identified: Contrary to Yubico's claims, Yubikey appears to be quite destructable. Do not push on it when you touch the sensor while the key is plugged in to a USB port. The point where it bends the most happens to be the point where USB vias are located and through which NFC antenna loop goes. To make things worse, the injection molding hole right next to the connector makes this area even more susceptible to bending."

      Now imagine the Slashdot summary with something like the "Line 1 from The Fine Article linked in summary" that explains what the linked article is about...

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
    8. Re:Okay, what is it? by OzPeter · · Score: 4, Interesting

      Agh, wtf is a salad?

      Apparently you need some help with understanding something. So here is a helpful link: Word salad

      --
      I am Slashdot. Are you Slashdot as well?
    9. Re:Okay, what is it? by geekmux · · Score: 1

      Try Google.

      I have one on my keyring. I know exactly what it is, and what it is used for.

      In other words you have prior information that makes sense out of the word salad that passes for summaries these days...

      Quite true, especially in today's music climate where a tossed salad is served up hot and fresh with a side of truffle butter.

      (Yeah, go ahead, take your own advice and enjoy Google on that one.)

    10. Re:Okay, what is it? by AikonMGB · · Score: 1

      *facepalm*

    11. Re:Okay, what is it? by Ryyuajnin · · Score: 2

      The Yubikey can serve as a One-Time-Password(OTP), Universal Second Factor (U2F) Authentication, Etc. I primarily use it for the U2F, which is similar to an RSA Token, but it conveniently eliminates token expiration anxiety, and errors frequently caused by chronic butterfingers. I just jam it into a USB port, it gets recognized as a keyboard, I press the little light on the top, and boom!

      The NEO is similar to the standard blue Yubikey, additionally supporting NFC for some protocols. Unfortunately, U2F is NOT supported through the embedded NFC chip. https://www.yubico.com/product...

      When I bought mine, I was hoping to use it as a physical password on my smartphone, simply swiping across the back side, as available with the OTP protocol. I later found out that would be forced to use the USB on everything, and have yet to find any use for the NFC with U2F. (my fault for not reading the documentation more thoroughly, as they clearly state: "...current U2F standards do not support NFC for mobile devices.")

      Long story short, if you only need the U2F, don't bother with the NEO. just get the cheaper FIDO U2F SPECIAL SECURITY KEY https://www.yubico.com/product...
      As far as durability, its survived me for about a year now, and I'm not known being gentile.

    12. Re:Okay, what is it? by Echo_Hotel · · Score: 5, Informative

      It's a USB/NFC multi-factor authentication token.
      It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.
      YubiCo is a company that makes budget security tokens with the YubiKey Neo being their "top of the line" at a price of 50usd
      One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.
      Many manufacturers achieve this by "potting" the circuit board (coating it entirely in plastic rather than using a shell like most electronics) in some sort of difficult to remove chemically resistant plastic.
      The YubiKey Neo was potted in a plastic that melted totally in nail polish remover
      The fact that the plastic can be removed so easily along with a poor USB connector and keychain loop disprove YubiCo's claim that the YubiKey Neo is "virtually indestructible".

    13. Re:Okay, what is it? by Anonymous Coward · · Score: 1

      "World salad" is an established part of the English language. "Yubikey Neo" is some niche trademark neologism.

    14. Re:Okay, what is it? by TheCarp · · Score: 1

      > And yes, I have heard of that Google thing, but one of the prime tenets of good communication is to not make your audience go elsewhere for fundamental information.

      No, I don't think you quite got it there.

      However the fundamental tennent of answering a question is actually answering it. If all you have to say is "I know, but I am not going to tell you", you haven't actually communicated anything because knowing that you know is, in every way, equivalent to not knowing at all.

      Its not communication at all, its just noise like pans falling down stairs, noise without signal.

      --
      "I opened my eyes, and everything went dark again"
    15. Re:Okay, what is it? by Anonymous Coward · · Score: 0

      Even on a site for Computer Geeks and Nerds, It is silly to think we know of every new fangled device that is released, and their particular marketing claims of the day.

      Dude, RSA Tokens have been around since the 90's, and two-factor authentication for even longer (although I admit not as widely known/used for nearly that long)

      In a couple years your mind will really get blown away by this new gopher replacement product that just came out called the world-wide-web!
      Personally I can't wait to add images to my list-item menus! Although I doubt this new fangled font/stylized text thing will ever work out properly in practice.

    16. Re:Okay, what is it? by GTRacer · · Score: 1

      No thank you. I have already experienced definitions for those terms via Imgur and Twitter.

      Oddly enough, I was taking the last bite of a late lunch when I processed "truffle butter", and now I'm a bit ill. Thank you for that...

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    17. Re:Okay, what is it? by Anonymous Coward · · Score: 0

      English language?
      This is teh intarwebs, speak standard interLang 35.3 or later, faggot. Or at the very least Google omniglot version breakfast sandwitch.
      Or fallback to cat picture semaphore if your illiterate or a Microsoft Surface user.

    18. Re:Okay, what is it? by ememisya · · Score: 1

      It's a great tool for typing in long passwords (provided you keep it physically secure), or working with two factor auth mechanisms. I had reviewed YubiKey Standard a while back, you can find further information on here.

    19. Re:Okay, what is it? by ArsenneLupin · · Score: 2

      It acts as an additional requirement to logging in to a computer, cellphone or network beyond a password.

      Actually, it supplies the password. When you plug it into an USB port, it acts as a keyboard, and "types" a one-time password as soon as you touch its button.

      One of the main security features of tokens of this nature is their inability to be tampered with since it is guaranteed to be connected to a computer.

      Huh? How does being connected to a computer guarantee that it is tamper proof? Or is that the other way round?

      The YubiKey Neo was potted in a plastic that melted totally in nail polish remover
      The fact that the plastic can be removed so easily

      Actually, methinks the issue here is poor word choice. Yubi should have touted their product as "tamper evident" rather than "tamper proof".

      For its main application, tamper evident is enough. If some ill intentioned third party wanted to read the seed from the Yubikey's chip, they can, but it will be very obvious to the owner that this has been done (casing is gone), and so the owner can have his key blacklisted by his provider (making the seed worthless for the attacker).

      Oh, an if you're worried about a "fast" attacker that uses the pilfered credentials immediately, rather than sleeping on them for a while: he can achieve this much easier by just stealing the yubikey, and using it normally, rather that bothering to dissolve its casing first.

      along with a poor USB connector and keychain loop disprove YubiCo's claim that the YubiKey Neo is "virtually indestructible".

      Good point on that one. Accidental destruction (causing hassle, but not a security issue) is indeed a real concern with the device.

    20. Re:Okay, what is it? by ArsenneLupin · · Score: 1

      Or even better: Yubikey is an authentication token that acts as a USB keyboard that "types" a long one-time password at the press of a button.

    21. Re:Okay, what is it? by antiperimetaparalogo · · Score: 1

      Or even better: Yubikey is an authentication token that acts as a USB keyboard that "types" a long one-time password at the press of a button.

      Imagine if someone could write something like this in a Slashdot summary - it would be the end of Slashdot as we know it...

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
    22. Re:Okay, what is it? by jellomizer · · Score: 1

      The Article didn't make it clear it was an RSA token. It was just using the brand name.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Pretty durable in my real-world use. by hawkeyeMI · · Score: 3, Interesting

    I have one that I've carried and abused daily for years, still working, though I think it's getting close to needing a replacement. My biggest problem, because I wear it on a necklace chain, is that it's been getting sweat on the contacts which eventually have gunked up and corroded. I was able to scrape it off with a knife, but that scraped off the gold plating and exposed the copper underneath, which is of course corroding much worse. I've got the private key locked away here somewhere so I can flash one of my spares and be up and running quickly, or I can just add the new key to the places I use it before it croaks. I've had more problems with USB ports getting worn out.

    --
    Error 404 - Sig Not Found
    1. Re:Pretty durable in my real-world use. by pz · · Score: 4, Interesting

      You might try using a pencil eraser next time instead of a knife. Wiping vigorously with an alcohol-saturated paper towel first (and really, any easily obtainable alcohol, whether vodka, rubbing alcohol, etc.) helps, too.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    2. Re:Pretty durable in my real-world use. by countSudoku() · · Score: 1

      Sound advice, but why not just put a cap on the usb port to cover the sheer "undestructibleness" of the key of crap?

      I'm sure this key-chain security dongle (heavy on the DONG) is as secure as it is indestructible. Like the RSA token is super secure, except from every three-letter asswipe with a badge, a gun, and a laptop running G-nessus

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    3. Re:Pretty durable in my real-world use. by mlts · · Score: 1

      I recommend Deoxit for stuff like this. It not just de-gunks contacts, but leaves a coating of residue to help with further oxidation. I'd also find a way to cover the tip of it as well.

    4. Re:Pretty durable in my real-world use. by hawkeyeMI · · Score: 1

      Thanks. This is probably the best option. I haven't ever had to deal with this before recently so I just used what I had handy -- my multitool. I also have a few cans of CorrosionX.

      --
      Error 404 - Sig Not Found
  3. Durability concerns valid, but... Tampering? by allquixotic · · Score: 1

    Not sure what benefit "tampering" would provide. Why would you have to take it apart to extract its secrets, when you can just: steal the person's smartphone/computer and the yubikey, and use them in tandem to authenticate yourself as the user to whatever services they have locked behind it? You can use the Yubikey all by itself, assuming you have exclusive physical access to the device, to make it serve its purpose for you, the attacker.

    Durability concerns are valid, but I keep it in my wallet, and it is working fine for me after some time (about a year and a half). I mainly use it NFC though. The USB connector being "raw" like that is probably more susceptible to damage than the NFC part which is hidden inside the plastic shell.

    1. Re:Durability concerns valid, but... Tampering? by Rich0 · · Score: 2

      Not sure what benefit "tampering" would provide. Why would you have to take it apart to extract its secrets, when you can just: steal the person's smartphone/computer and the yubikey, and use them in tandem to authenticate yourself as the user to whatever services they have locked behind it? You can use the Yubikey all by itself, assuming you have exclusive physical access to the device, to make it serve its purpose for you, the attacker.

      Sure, but you can ONLY use it while it is under your control if the embedded keys cannot be extracted.

      If they can, then you can duplicate the key and return the original, perhaps undetected. That gives you the ability to retain access to whatever was secured.

      There is definitely value in tamper-resistant key vaults.

    2. Re:Durability concerns valid, but... Tampering? by rthille · · Score: 1

      Sure, but if they have to destroy the key to get the secret, and are not just able to non-destructively (side-channel power attacks were published and Yubico added mitigations) get them, then I'd probably notice and use my offline revocation cert to revoke my credentials.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    3. Re:Durability concerns valid, but... Tampering? by allquixotic · · Score: 1

      Good point; I didn't think of that.

      It's a very, very rare situation where I have to actually surrender control of my key for long enough that a *physical* (mechanical) attack could take place, though. Even at airports, I just have to put my wallet through the X-ray scanner. A highly specialized robot designed explicitly for this purpose might be able to take apart the key, duplicate it and put it back together seamlessly in the few seconds it's under the hood there, but no human could. And it's apparently highly resistant to non-destructive attacks.

      I *do* wish they'd make a YubiKey Neo with the same innards but with a very strong metal as the outer casing instead of plastic, and with a metal shroud over the USB connector instead of leaving the pins open to the environment (a corrosion and damage risk). It would make the end of it slightly thicker, but that's not a problem in my use case.

    4. Re:Durability concerns valid, but... Tampering? by mlts · · Score: 1

      I use a Yubikey Neo mainly for 2FA with Google's services. The main security boost from it for me is that it is a physical object, and the main avenue of attack for my stuff is via remote. Same reason I use Google's Authenticator app as backup on my smartphone.

      Since my Yubikey devices tend to be sessile resiliency isn't that important... but I am definitely not impressed with the durability. My eTokens [1] from SafeNet are far more durable, tamper resistant (once they started one piece epoxy manufacture), and can handle far more insertion cycles than the YubiKey can.

      I wish Yubico could charge more, and put some money into a stronger USB keyfob. For me, the delicate construction is OK (because I use multiple keys that stay with my devices)... but for people like the parent who actually tote it around, the construction is pretty much unacceptable.

      As for a key format for security, I wish the industry would have a special slot for that, as in some cases, NFC isn't acceptable. The best I've seen was the old Dallas Semiconductor "one wire" reader which worked even with high traffic. Since that is long gone, perhaps it is time to have something, even if it is just two small, durable conductive contacts on the side of a device for using a key, or using it for a key interchange.

      [1]: I have multiple for PGP, and use the keys as ADKs (which were generated on the device and never leave.) Other than finding drivers for them, they have served me well. Plus, if one uses PGP Desktop (er, now SED), one can use the eTokens as keys, so an attacker would have to have the token, and the PIN (which can be set to lock for good after a certain amount of guesses) in order to boot the machine.

    5. Re:Durability concerns valid, but... Tampering? by TheCarp · · Score: 1

      I don't have one, I have a competitors product the RSA key, which has no USB port at all, you type in the numbers it gives you. Little LCD screen and a buttion. I don't keep mine on any chain, I carry it seperately from anything else.

      However, I have to say, for what it is, I have been quite impressed with its durability, in fact, I would say it sets a standard that few devices I have encountered have met, but most all really should....has it ever been through the wash?

      My wife has unceremoniously washed, and dried (not hanging dry, in the electric dryer) my RSA key no less than 3 times. Each time it has stopped working properly for a few hours, occasionally displaying gibberish, but it has always started working ust fine again, and usually the visible water drops under the screen go away within a few days.

      After the first couple of times I paniced, I have since decided this is in fact the standard of quality we should expect from more devices.

      --
      "I opened my eyes, and everything went dark again"
    6. Re:Durability concerns valid, but... Tampering? by breagerey · · Score: 1

      If you're using it with a one time password to add 2 factor auth it doesn't matter if somebody gets the yubikey and/or pc.
      Something you have and something you know... you need both.

      *shrug
      not that many of us could resist a $5 decryption device for very long

    7. Re:Durability concerns valid, but... Tampering? by rthille · · Score: 1

      I'd love a yubikey neo (nfc) with the form factor of a Nike Fuel Band, but a bit lighter/slimmer. Something I could wear and even shower with, so I'd never worry about my auth token taking a walk. For bonus points make it difficult to unclip (so I'd wake if someone tried to take it off), and have a slide-switch to disable the NFC, so no one could read the auth token at a distance and replay it...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    8. Re:Durability concerns valid, but... Tampering? by Anonymous Coward · · Score: 0

      Hence the importance of whether or not a device is tamper-resistant / tamper-evident.

  4. No they didn't. by Anonymous Coward · · Score: 0, Informative

    No they didn't. Unless Yubikey Neo is a person, they took apart a Yubikey Neo.

    When you omit article, it make you sound like chinaman.

  5. I've been meaning to get one ... by Hohlraum · · Score: 1

    and Google even supports them for authentication. Unless you are a paying customer and use Google for Work (Google Apps), they don't support that yet. :/

  6. Stupid question: how do you use it? by bradley13 · · Score: 2

    The purpose of the thing is clear enough, but how exactly do you use it? The website implies that it only works with applications that know about it, but that would seem to limit its usefulness a lot. Still, the information on the manufacturer's site is anything but clear.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Stupid question: how do you use it? by Enry · · Score: 1

      I have one of the earlier devices. It generates a OTP that goes along with your normal password. So you plug the device into an SSH port, ssh somewhere, enter your username, then password, then press the button on the Yubikey. It emulates a keyboard and spits out the OTP directly to wherever the keyboard has focus.

      Handy, but I have way too many systems to manage to add this in and have it make sense. I think the newer versions allow you to use NFC so you can put the OTP on a phone or tablet.

    2. Re:Stupid question: how do you use it? by wonkey_monkey · · Score: 3, Funny

      So you plug the device into an SSH port

      Are you from TRON?

      --
      systemd is Roko's Basilisk.
    3. Re:Stupid question: how do you use it? by qwijibo · · Score: 3, Interesting

      It's a second factor in two factor authentication (2FA) for applications that support it.

      The one I find to justify it entirely is LastPass. All of the random sites on the internet that need credentials can have automatically generated passwords that are stored encrypted and I never have to remember them. I just have to remember the LastPass password and have the Yubikey setup with my account. The Yubikey integration requires a LastPass Premium subscription.

      Of course, nowadays you can use google authenticator without having a piece of custom hardware or paying for LastPass Premium. But I don't mind supporting good companies with useful products.

    4. Re:Stupid question: how do you use it? by blueshift_1 · · Score: 1

      For the average consumer it isn't that useful (while it is certainly a neat toy that can be used). I see it more at the enterprise level where if you want to VPN into your company's intranet files, they typically want more than just the normal password. That's where this comes in, it verifies it is physically you as well as your knowledge of the login password (The basis behind 2-factor authentication). Many places use an SMS or app like Duo Mobile (what my company uses). This is just another way of doing this (it works if your phone is dead).

    5. Re:Stupid question: how do you use it? by Anonymous Coward · · Score: 1

      It has several possible methods that can be integrated: OAUTH-HOTP, TOTP (with software), static password, FIDO, or their own auth mechanism "Yubikey OTP".

    6. Re:Stupid question: how do you use it? by Enry · · Score: 1

      Yes. Sorry, meant USB.

    7. Re:Stupid question: how do you use it? by countSudoku() · · Score: 1

      Yes, he should definitely plug that sucker right into port 22 on the back of the Windows box in the lab and tell Dave afterwards and be sure and stop by the break room 'cus we have cake for birthdays today!

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    8. Re:Stupid question: how do you use it? by chihowa · · Score: 1

      It also has a CCID compatible secure element, so you can use it to store your SSH keys. Instead of setting up OTP on each server and pressing the button, just add the NEO's key to .ssh/authorized_keys on each host. Much simpler.

      It also acts as a OpenPGP Card and has support in Android for signing/decrypting email.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    9. Re:Stupid question: how do you use it? by rthille · · Score: 1

      You can use it to store your GPG keys and then have GPG act as your SSH agent, so you can require the physical token to ssh to servers.
      I've got my Mac setup so I need my Yubikey for sudo as well.

      At work we use the GPG key on a Yubikey stashed _inside_ a server to sign our software releases. Someone could hack their way onto the server and if they became root could sign software with the key, but they couldn't copy the key to use later.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    10. Re:Stupid question: how do you use it? by Enry · · Score: 1

      Oh nice. I think the one I have didn't support that functionality (or I missed it).

    11. Re:Stupid question: how do you use it? by Anonymous Coward · · Score: 0

      The NEO also supports the OpenPGP Smartcard specification. GnuPG has built-in support for this, without any messy configuration. So you can use the Yubikey to sign e-mail, or even to authenticate your SSH sessions. And unlike HOTP and TOTP, it doesn't require any server side support--just copy+paste the public key into .ssh/authorized_keys.

    12. Re:Stupid question: how do you use it? by Anonymous Coward · · Score: 0

      Only the NEO line has a smartcard, but that fact is almost completely unadvertised (which is weird, because that's almost the only difference between the NEO line and the original, less expensive line).

  7. And nothing of value was lost. by Hognoxious · · Score: 4, Insightful

    Wrong. On Slashdot we never read the article. We barely even scan the summary.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:And nothing of value was lost. by Anonymous Coward · · Score: 2, Insightful

      Wrong.

      Incorrect. On Slashdot, we don't even fully read the comments. All I know is that I'm right, and you're attacking someone's opinion, maybe mine, maybe even yours, it doesn't matter. All that matters is that you said "wrong" and now we are arguing. You'll never change your mind, nor I mine. The readers though, and those rare but precious bestowers of mod points, those are the opinions to change.

      Were you or I part of a shill argument whereby two extreme views are argued while a third shill shifts the Hegelian dialectic via offering a more reasonable yet propaganda supporting middle ground, then I wouldn't even need to read your comment at all.

      That, my adversary, is Slashdot. It's not pretty, but it's the one I go home with, and so do you, because we all know that slut loves attention more than any one of us.

  8. A two factor device by Sycraft-fu · · Score: 4, Informative

    I know, only because where I work is using them. Idea is it is a general two factor token. Can be programmed by the end user or their org. Also in theory a lot of companies could all use their platform and you have one two factor device for everything but in reality you use it for whatever your company does and nothing else.

    Once programmed it acts like a HID class keyboard. You push the button, it spits out a string of characters, that being the two factor code for your account at the time.

    1. Re:A two factor device by TWX · · Score: 2

      Simply adding a hint of what you posted would have made the article summary work a whole lot better.

      --
      Do not look into laser with remaining eye.
    2. Re:A two factor device by rthille · · Score: 2

      I don't use it for the Yubikey auth stuff, I use it for my PGP/GPG key. My key was generated on the device, and can never leave it (firmware bugs aside), so I feel it's more secure than one where the private bit of the key is on a computer.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    3. Re:A two factor device by PhrostyMcByte · · Score: 1

      Once programmed it acts like a HID class keyboard. You push the button, it spits out a string of characters, that being the two factor code for your account at the time.

      While this describes the original Yubikey, the Neo goes beyond that and acts as a legit security token / smart card which can perform various encryption functions. The only important thing it doesn't yet do is DH.

    4. Re:A two factor device by Anonymous Coward · · Score: 0

      Given the durability (or lack thereof) as demonstrated in the article, what happens when it breaks? Will you no longer be able to decrypt anything you have?

      dom

    5. Re:A two factor device by Chris+Mattern · · Score: 1

      The only important thing it doesn't yet do is DH.

      Then I guess it'll only be used in the National League.

    6. Re:A two factor device by Acid-Duck · · Score: 1

      The easy solution to that is to always have two ubikeys registered with all apps/sites and keep one in a safe location. One breaks, disable it and order a new one to replace it, after which you add it. Sure it requires some amount of work to maintain and it'll cost double what you expected to pay originally but what do you want? Good security ain't cheap. Redundancy is a must.

    7. Re:A two factor device by AmiMoJo · · Score: 1

      The problem with generating the key on the device is that you can't back it up. Well, there is another issue, you don't know how good the RNG is. The cops won't be able to break it but the NSA/GCHQ might.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:A two factor device by rthille · · Score: 1

      I don't feel they really demonstrated such, but yeah, I've got a backup in a safe place and encrypt stuff with both keys.
      Here's an anecdote to counter-example the article:
      https://twitter.com/drunky_bea...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  9. epoxy? by Anonymous Coward · · Score: 0, Interesting

    Why didn't they at least pot the thing in epoxy. Sure makes it a lot harder to tamper with.

    1. Re:epoxy? by FranTaylor · · Score: 2

      RTFM! it IS potted in epoxy. Guess what? Nasty solvents will dissolve epoxy!

    2. Re:epoxy? by fuzzyfuzzyfungus · · Score: 2

      Whatever they encased it in was on the seriously lightweight side. 30 minutes in acetone and the case dissolved right off, leaving the PCB and all the ICs and passives in pristine condition. That's not 'tampering', that's 'cleaning'; and the device appears to have rolled over and wagged its tail by way of resistance.

      If you are serious, you at least use the same stuff that the ICs are packaged in, which tends toward the 'black as sin and harder to remove' school of adhesives. Hot nitric acid will usually do the job; but you need to know what you are doing if you don't want it to remove the contents of the package at least as enthusiastically as it removes the package; since destroying the contents defeats the purpose of the exercise.

    3. Re:epoxy? by Anonymous Coward · · Score: 0

      going beyond that, Epoxy resin, or which type of Epoxy are you referring to??
      There are so many with different chemical properties.. Ups and downs, etc..
      So when u say epoxy, please be somewhat specific, as mentioned above "RTFM! it IS potted in epoxy. Guess what? Nasty solvents will dissolve epoxy!"
      To that end be careful what you ask for, you may actually get it, take a dip in Acetone, and actually get the expected result which is still dumb..

      www.hackaday.com
      bye 4 now

  10. Tamper evident by qwijibo · · Score: 5, Interesting

    From TFA: For those interested, FIPS140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function and Level 2 means that physical design is tamper-evident.

    He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyones grandmas phone calls. =)

  11. Slow news day :( by Anonymous Coward · · Score: 0

    Really guys,, Slow news day I guess..

    1. Re:Slow news day :( by Anonymous Coward · · Score: 0

      Shouldn't this be posted on www.hackaday.com?

  12. denial of service attack by FranTaylor · · Score: 1

    if you can damage the device so that the user cannot detect the damage by visual inspection, you can perpetrate a denial of service attack because the user will no longer be able to use it to restart the service, they will have no idea it is broken and the service will not be able to be restarted until a replacement key is made.

  13. Who is using this? by Hrrrg · · Score: 2

    I bought a couple of these keys a few years ago - they are still sitting around in a drawer somewhere. I wasn't too worried about the durability - it seems fine. When I tried it, my issues with were:

    1) Very few websites supported it, and those that did made it a pain to set up. Looking at their website, it is supported by gmail, lastpass, dropbox, evernote. I suppose there is a complete list of supported websites and I'm too lazy to go look for it. Any banks support this?
    2) Using it on Linux required installing additional software
    3) Too expensive - $18 - $50 each. That's fine if I only needed one, but if I have to buy a few in case I lose or break one, then buy a few for the wife and the kid, and then it is only supported by a few websites... Well, not worth it for me.
    4) The website is hard to read - written more for IT people than for the lay person. FIDO? OATH-TOPT? I've got no idea what they are talking about on most of their website. The "For Individuals" page is easy to read, but light on details and as soon as you leave it, you are in deep water. Also, can you get duplicate keys in case you lose one? I could never figure out this question from the website. Some sites like gmail allow you to associate more than one key. If there is a list of supported applications and websites, does it also state whether they allow a backup key? If the Yubico wants me to buy and use this thing, it needs to do the research for me and tell me exactly how and why I would want to use it. Something like this hypothetical example*:

    1) Buy a Yubikey Neo to use wirelessly with your phone. Keep it on your keychain. Use it to access Lastpass on your phone.
    2) Buy a Yubikey Standard for each computer at home and keep it plugged in. Associate it with the same Lastpass account as in #1 - for convenient use on your home computer and as a backup for the one on the keychain.
    3) Associate the home Yubikey's with every family member's Lastpass account so that the whole family could share them.

    *No idea if this scenerio is possible. Anyone? How would you use it with an ipad or iphone? (do the latest ones have NFC yet?)

    1. Re:Who is using this? by Anonymous Coward · · Score: 0

      The NEO is the one with NFC.

    2. Re:Who is using this? by homm2 · · Score: 1

      1) Very few websites supported it

      It's getting better, but this is still a problem. One option is to just set it up for LastPass and maybe Google. I agree that securing your online banking access would be a good idea, but very few bank websites support this.

      3) Too expensive - $18 - $50 each.

      If you just need a key for a desktop or laptop (no NFC), you can get a FIDO U2F key for $6. The downside is that LastPass doesn't support these yet (although they're working on it). Google already supports them.

      does it also state whether they allow a backup key?

      Yes, both LastPass and Google allow you to associate multiple Yubikeys with your account. So it's no problem to add your spouse's key to your account and vice versa, or to keep a backup key in the desk drawer and have that associated with multiple accounts.

      How would you use it with an ipad or iphone?

      Unfortunately, the iPhone 6 still isn't supported for use with the Neo, although they might add it in the future. I don't know about the iPad, but my guess is no. Any Android phone with NFC should support it already.

  14. I'm 12 years old and what is Yubikey by blind+biker · · Score: 1

    EOM

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:I'm 12 years old and what is Yubikey by Anonymous Coward · · Score: 0

      I'll show you later.

  15. Use mine 20+ times a day by Average · · Score: 3, Informative

    Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

    The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.

    1. Re:Use mine 20+ times a day by ledow · · Score: 1

      I work in schools, I'd love to move to key authentication to save all the "kids forgetting their password / stealing their friends password" hassle (physical items are more difficult to lose or "steal" without getting into more trouble!) but the costs are still FUCKING ludicrous for any such solution and two-thirds of that cost is just software and nothing to do with the devices at all. Still struggling to justify this:

      The software to put this into AD logins (which is what most businesses use to tie all their stuff together and do the simplest of logins) is $48/user. Plus $25/user for the key. That's nearly $30k just to get a small school logged on with the system. By the time you buy spares, train users, tie it into your systems, etc. you're looking at a $50k project at least. That's the IT budget gone. Just to replace a password with the simplest of login dongles.

      And when 2/3rds of that is software (not hardware) which you just have to hope is available for the next version of your OS (GINA logins went the way of the dodo already), works on the servers when you have an emergency and need to login, hope it works for things like kids logging into school websites from home (or even remote desktop, etc.)... it's stupendously expensive for such a simple thing.

      I can't justify paying that much for the one-off cost of writing the software to login.

      These ideas are great - would love to deploy them and will gladly pay a lot of money for them. But having the device isn't even 1% of the problem. The software, the ongoing compatibility, etc. consume most of the costs and there's no guarantee at all as the system expands.

      I'd much rather pay for the keys and then pay even a few thousand a year for some licensed software to sort out the in-between parts. But everything is either needing a smartcard reader on every PC (useless in tablet environments and remote logins from home) or - more likely - stupendously expensive software.

      Anyone know of a sensibly priced solution?

    2. Re:Use mine 20+ times a day by ledow · · Score: 1

      Show me how that works for Windows login without the exact software mentioned above?

      LDAP. Yes. AD login from Windows login screen? No.

  16. Given that I didn't post the summary by Sycraft-fu · · Score: 1

    There is little I can do in that regard.

  17. CVE-2015-3298 by Fweeky · · Score: 1

    In case anyone missed it, if you're using one for OpenPGP key use you might be vulnerable to a pin bypass attack. Details on how to check are on that page.

    If you have a vulnerable device, YubiCo will send you a free replacement upon request - just open a ticket with your serial and order numbers.

  18. Try pushing the button without holding it down by Anonymous Coward · · Score: 0

    The problem with the Yubi key is that it is too damn thin. I have to prop it up with my leg or use another finger to hold it up or my touch will register as multiple touches. A 3mm device simply doesn't securely fit into a USB port.