[HN Gopher] Show HN: A virtual Yubikey device for 2FA/WebAuthN
___________________________________________________________________
Show HN: A virtual Yubikey device for 2FA/WebAuthN
Author : cmdli
Score : 32 points
Date : 2022-09-17 21:52 UTC (1 hour ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| iudqnolq wrote:
| I can't figure out why I'd want a Yubikey.
|
| Every year or so I try to figure out if a 2fa device practically
| has sufficient support that using it would improve my security.
| The answer has always been no.
|
| No 2fa device has sufficient support that it could increase the
| security of my 1password account, which I use on Linux and
| Android. No 2fa device has sufficient support that it could be
| used to unlock the lockscreen of any of my devices either.
|
| Edit: There is a way to use a Yubikey to decrypt Linux full-disk
| encryption. It relies on an abandoned personal GitHub project.
| Sounds fun, but not sufficiently secure that it's worth spending
| more than $100 to allegedly improve my security with it.
| hamandcheese wrote:
| > No 2fa device has sufficient support that it could be used to
| unlock the lockscreen of any of my devices either.
|
| Remember, 2fa is your _second_ factor. It's right there in the
| acronym. It is there to protect against a bad actor stealing
| your password.
|
| By definition, a second factor won't improve the ergonomics of
| logging in.
| warent wrote:
| I think a huge benefit of 2fa, one of the main purposes of it,
| was for securing accounts with weak passwords. Back in the days
| before password managers etc. I think these days password
| managers actually deprecate the need for 2fa.
| askvictor wrote:
| Multiple layers are always better. If your computer or
| browser is compromised, then your password manager's secrets
| have been pwned, but with 2FA your accounts are still safe
| (assuming the 2FA is on a separate device, which it really
| should be)
|
| There's also user stupidity. It's pretty hard to convince
| users to use a password manager; plenty of people still re-
| use the same password across sites. It's impossible to
| prevent that. But it is possible to enforce 2FA for _your_
| site.
| dilyevsky wrote:
| Wrong - mfa is to prevent credential stuffing mostly
| TrueGeek wrote:
| Every now and then you hear about a leak at some company that
| was storing passwords in clear text. Thanks to password
| managers this only affects that one site, but it still makes
| me thankful for 2FA.
| iudqnolq wrote:
| I don't understand the threat model there. Wouldn't nearly
| all hacks that lead to plain text passwords also allow the
| hacker to access all the login-protected data, making a
| more secure login process pointless?
| ivanhoe wrote:
| Can you define what you mean by sufficient support?
| iudqnolq wrote:
| Sure: Enough support so that my life becomes either easier or
| more secure.
|
| I know that's a bit wishy-washy, but for example I think I
| could replace my memorized 1password password with something
| longer if I never had to enter it from memory, which would
| only be the case if I could use the Yubikey on all my
| devices.
| lddemi wrote:
| Fun demo but who is this really for? Is there a requirement for
| these devices anywhere aside from corporate security?
| cmdli wrote:
| Personally, I prefer the "approval" process of YubiKey/U2F
| devices over having to enter a code, but I also dislike having
| to have a hardware device on me at all times. Also, with
| WebAuthN and passwordless login, YubiKeys are now able to be
| used to authenticate people, so I figure it would be nice to
| have a software solution for that.
|
| Granted, this is still just a demo, so it's a long way off from
| something somebody would regularly use.
| altairprime wrote:
| This is primarily of use to people who want to disregard
| hardware authenticator requirements imposed by third parties
| without their consent.
| MrStonedOne wrote:
| dspillett wrote:
| _> Fun demo but who is this really for?_
|
| Would being able to create virtual devices like this be more
| useful for testing authentication flows, compared to having
| physical test devices?
| convolvatron wrote:
| this might help w/ adoption. it would be _really nice_ to use
| FIDO, but I don't want to restrict my usability to people
| willing to carry a key around. as a compromise I think having
| a weaker key is better than having paths where pki is
| disabled
| stavros wrote:
| This is fantastic. Did you make this, cmdli? Why does it need to
| persist files locally? I thought that all that's necessary is the
| key. Is it for resident keys?
|
| I'd like a virtual FIDO2 device where I have to type a
| password/passphrase when I launch it, and it derives a FIDO2 key
| from the passphrase. That way, I can have my 2FA device with me
| in my head, and still get all the anti-phishing benefits of
| WebAuthn.
|
| Certainly, it's much easier for the passphrase to be
| stolen/keylogged, but it's a nice option to have.
| cmdli wrote:
| Yup, I built this. The file storage is only for the
| FIDO2/WebAuthN device, which generates large private keys for
| each credential; the U2F device keys are small enough that they
| are actually encrypted/stored in the key identifier that is
| passed in by the client.
|
| I'm currently working on trying to expand this out with new
| features, as most of the work here was actually emulating the
| USB device which involved a lot of different layers of
| protocols.
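
The stateless key-handle design cmdli describes for the U2F side (private key material carried inside the key handle the relying party stores and returns, so the authenticator itself keeps only one device secret) can be shown end to end. The following is an added example written for this page, not code from the virtual YubiKey project or from any commenter. It assumes AES-256-GCM as the wrapping cipher, the SHA-256 of the app ID as associated data, P-256 ECDSA for the credential key, and the U2F authentication signing layout (app ID hash, user-presence byte, big-endian counter, challenge); the `Authenticator`, `Register`, `Authenticate` and `VerifyU2F` names are this example's own. Binding the app ID hash as AAD is what makes a handle issued for one origin fail to unwrap at another origin, before any signature is produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator holds the one long-term secret a stateless U2F authenticator
// needs: a wrapping key. Per-credential private keys are never stored; they
// travel inside the key handle the relying party returns at authentication.
type Authenticator struct {
	wrapKey []byte // 32 bytes for AES-256-GCM (assumed wrapping scheme)
	counter uint32 // U2F signature counter, shared across credentials here
}

func NewAuthenticator() (*Authenticator, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Authenticator{wrapKey: k}, nil
}

func appIDHash(appID string) []byte {
	h := sha256.Sum256([]byte(appID))
	return h[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Register creates a fresh P-256 key for appID and returns its public key plus
// a key handle = nonce || AES-GCM(private scalar, AAD = SHA-256(appID)).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	scalar := make([]byte, 32)
	priv.D.FillBytes(scalar)
	aead, err := newAEAD(a.wrapKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// The app ID hash is authenticated but not encrypted: a handle replayed
	// against a different origin fails to open, so no key is ever recovered.
	handle := aead.Seal(nonce, nonce, scalar, appIDHash(appID))
	return &priv.PublicKey, handle, nil
}

// Authenticate unwraps the private key from keyHandle and signs the U2F
// authentication data; it returns the signature and the counter value used.
func (a *Authenticator) Authenticate(appID string, keyHandle, challenge []byte) ([]byte, uint32, error) {
	aead, err := newAEAD(a.wrapKey)
	if err != nil {
		return nil, 0, err
	}
	ns := aead.NonceSize()
	if len(keyHandle) < ns+aead.Overhead() {
		return nil, 0, errors.New("key handle too short")
	}
	scalar, err := aead.Open(nil, keyHandle[:ns], keyHandle[ns:], appIDHash(appID))
	if err != nil {
		return nil, 0, errors.New("key handle not valid for this app ID or this device")
	}
	curve := elliptic.P256()
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: new(big.Int).SetBytes(scalar)}
	priv.X, priv.Y = curve.ScalarBaseMult(scalar)
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, a.counter))
	return sig, a.counter, err
}

// signedData is SHA-256 over appIDHash || 0x01 (user present) || counter || challenge.
func signedData(appID string, challenge []byte, counter uint32) []byte {
	buf := append(appIDHash(appID), 0x01)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf = append(buf, ctr[:]...)
	buf = append(buf, challenge...)
	h := sha256.Sum256(buf)
	return h[:]
}

// VerifyU2F is the relying party's check against the public key it stored at registration.
func VerifyU2F(pub *ecdsa.PublicKey, appID string, challenge, sig []byte, counter uint32) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge, counter), sig)
}

func main() {
	a, _ := NewAuthenticator()
	pub, kh, _ := a.Register("https://example.com")
	challenge := []byte("constructed-challenge-of-32-bytes") // constructed sample input
	sig, ctr, err := a.Authenticate("https://example.com", kh, challenge)
	fmt.Println("same origin verifies:", err == nil && VerifyU2F(pub, "https://example.com", challenge, sig, ctr))
	_, _, err = a.Authenticate("https://evil.example", kh, challenge)
	fmt.Println("other origin rejected:", err != nil)
}
```

Two properties worth noticing when running it: a second `Authenticator` with its own wrap key cannot open a handle minted by the first, and flipping any byte of the handle is caught by the GCM tag rather than producing a signature under a garbage key. The counter lives in the authenticator and not in the handle, so this particular layout still has that one piece of mutable state; the FIDO2 side with resident credentials needs real storage, which is the distinction cmdli draws above.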
___________________________________________________________________
(page generated 2022-09-17 23:00 UTC)