In essence, you require both the Yubikey in question, and the information supplied by the fingerprint reader to the Yubikey, in order to abuse this system.

From the perspective of a U2F token, which uses a regular button, this is an increase in security for most users - if their token is lost or stolen, or left in their device, someone cannot use their token by tapping the button. This doesn't address the inherent problem of irrevocability/unchangeability of biometrics, but it presents an interesting usability trade-off that could help non-technical users to keep their systems more secure. If you capture the wire signal between the fingerprint reader sensor and the module, it is likely that you could replay a valid authentication. If not, you could delve deeper into the sensor until eventually you are able to inject capacitive data from the sensing surface itself, and do this. In this case, by combining the use of a biometric with strong cryptographic authentication through the token, you require both to compromise the user - no biometrics are shared with a server, it's all local. However if you lose either the token, or the ability to use that fingerprint (i.e. scratch or damage), you will lose access to the key the Yubikey has protected, absent some kind of backup password. For many users, that backup password will be the weak link, but a Yubikey should at least be able to rate limit attempts and erase its internal state if there are too many attempts.

> Yubikey should at least be able to rate limit attempts and erase its internal state if there are too many attempts.

For the WebAuthn scenario there is no inherent backup, there's deliberately no way to export the keys. For a random web site, they're likely going to offer some way back in - albeit Google is content to make that quite hard if you choose their "Advanced Protection" scheme (and I think one of the free Git offerings just says too bad, you gave us no money, you're locked out but you lost nothing of value), but an employer might very reasonably issue employees a Security Key and say something like, look, if you lose it that sucks but go to Front Desk with your Line Manager, and they can issue you a new one, there is no bypass.

As a user, it also makes sense (particularly if you know you're a real target, e.g. a political journalist, politician, activist) to just own more than one.