[HN Gopher] Show HN: A virtual Yubikey device for 2FA/WebAuthN

Show HN: A virtual Yubikey device for 2FA/WebAuthN
Author: cmdli
Score: 32 points
Date: 2022-09-17 21:52 UTC (1 hour ago)
Link: github.com

iudqnolq wrote:
I can't figure out why I'd want a Yubikey.

Every year or so I try to figure out if a 2fa device practically has sufficient support that using it would improve my security. The answer has always been no.

No 2fa device has sufficient support that it could increase the security of my 1password account, which I use on Linux and Android. No 2fa device has sufficient support that it could be used to unlock the lockscreen of any of my devices either.

Edit: There is a way to use a Yubikey to decrypt Linux full-disk encryption. It relies on an abandoned personal GitHub project. Sounds fun, but not sufficiently secure that it's worth spending more than $100 to allegedly improve my security with it.

hamandcheese wrote:
> No 2fa device has sufficient support that it could be used to unlock the lockscreen of any of my devices either.

Remember, 2fa is your _second_ factor. It's right there in the acronym. It is there to protect against a bad actor stealing your password.

By definition, a second factor won't improve the ergonomics of logging in.

warent wrote:
I think a huge benefit of 2fa, one of the main purposes of it, was for securing accounts with weak passwords, back in the days before password managers etc. I think these days password managers actually deprecate the need for 2fa.

askvictor wrote:
Multiple layers are always better. If your computer or browser is compromised, then your password manager's secrets have been pwned, but with 2FA your accounts are still safe (assuming the 2FA is on a separate device, which it really should be).

There's also user stupidity. It's pretty hard to convince users to use a password manager; plenty of people still re-use the same password across sites. It's impossible to prevent that. But it is possible to enforce 2FA for _your_ site.

dilyevsky wrote:
Wrong - MFA is to prevent credential stuffing mostly.

TrueGeek wrote:
Every now and then you hear about a leak at some company that was storing passwords in clear text. Thanks to password managers this only affects that one site, but it still makes me thankful for 2FA.

iudqnolq wrote:
I don't understand the threat model there. Wouldn't nearly all hacks that lead to plain text passwords also allow the hacker to access all the login-protected data, making a more secure login process pointless?

ivanhoe wrote:
Can you define what you mean by sufficient support?

iudqnolq wrote:
Sure: enough support so that my life becomes either easier or more secure.

I know that's a bit wishy-washy, but for example I think I could replace my memorized 1password password with something longer if I never had to enter it from memory, which would only be the case if I could use the Yubikey on all my devices.

lddemi wrote:
Fun demo, but who is this really for? Is there a requirement for these devices anywhere aside from corporate security?

cmdli wrote:
Personally, I prefer the "approval" process of YubiKey/U2F devices over having to enter a code, but I also dislike having to have a hardware device on me at all times. Also, with WebAuthN and passwordless login, YubiKeys are now able to be used to authenticate people, so I figure it would be nice to have a software solution for that.

Granted, this is still just a demo, so it's a long way off from something somebody would regularly use.

altairprime wrote:
This is primarily of use to people who want to disregard hardware authenticator requirements imposed by third parties without their consent.

MrStonedOne wrote:

dspillett wrote:
> Fun demo but who is this really for?

Would being able to create virtual devices like this be more useful for testing authentication flows, compared to having physical test devices?

convolvatron wrote:
This might help w/ adoption. It would be _really nice_ to use FIDO, but I don't want to restrict my usability to people willing to carry a key around. As a compromise I think having a weaker key is better than having paths where PKI is disabled.

stavros wrote:
This is fantastic. Did you make this, cmdli? Why does it need to persist files locally? I thought that all that's necessary is the key. Is it for resident keys?

I'd like a virtual FIDO2 device where I have to type a password/passphrase when I launch it, and it derives a FIDO2 key from the passphrase. That way, I can have my 2FA device with me in my head, and still get all the anti-phishing benefits of WebAuthn.

Certainly, it's much easier for the passphrase to be stolen/keylogged, but it's a nice option to have.

cmdli wrote:
Yup, I built this. The file storage is only for the FIDO2/WebAuthN device, which generates large private keys for each credential; the U2F device keys are small enough that they are actually encrypted/stored in the key identifier that is passed in by the client.

I'm currently working on trying to expand this out with new features, as most of the work here was actually emulating the USB device, which involved a lot of different layers of protocols.

(page generated 2022-09-17 23:00 UTC)
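The key-handle design cmdli describes in the last comment (each U2F credential's private key is encrypted and carried inside the key identifier the client stores and hands back, so the authenticator keeps no per-credential files) is shown below in Go as an added example; it is not code from the thread or from the project. The type and function names (Authenticator, Register, Authenticate, Verify, AppIDHash), the constructed relying-party identifiers and challenge, and the simplified signed message (SHA-256 of the appID hash concatenated with the challenge, rather than the full U2F signature layout) are assumptions. The appID hash is used as AES-GCM associated data, which is what makes a handle registered with one site unusable when a different origin presents it, the check that gives U2F its phishing resistance.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Authenticator models the U2F-style design from the thread: the only
// long-lived secret is one wrapping key, and every credential's private key
// lives encrypted inside the key handle the relying party stores and returns.
type Authenticator struct {
	aead cipher.AEAD // AES-256-GCM keyed with the device wrapping key
}

// NewAuthenticator generates a fresh random wrapping key (hypothetical; a real
// device would keep this single secret in persistent, protected storage).
func NewAuthenticator() (*Authenticator, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Authenticator{aead: aead}, nil
}

// AppIDHash is SHA-256 of the relying party's application identifier.
func AppIDHash(appID string) []byte {
	h := sha256.Sum256([]byte(appID))
	return h[:]
}

// Register mints a new P-256 key pair for the relying party and returns the
// DER-encoded public key plus the key handle: nonce || AES-GCM ciphertext of
// the private key, with the appID hash as associated data so the handle is
// bound to that relying party. Nothing about the credential is stored locally.
func (a *Authenticator) Register(appIDHash []byte) (pub, handle []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	handle = a.aead.Seal(nonce, nonce, der, appIDHash)
	pub, err = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pub, handle, err
}

// Authenticate unwraps the handle and signs SHA-256(appIDHash || challenge).
// A handle that was tampered with, wrapped by another device, or presented
// under a different appID fails GCM authentication and is refused.
func (a *Authenticator) Authenticate(appIDHash, handle, challenge []byte) ([]byte, error) {
	ns := a.aead.NonceSize()
	if len(handle) < ns {
		return nil, errors.New("key handle too short")
	}
	der, err := a.aead.Open(nil, handle[:ns], handle[ns:], appIDHash)
	if err != nil {
		return nil, fmt.Errorf("key handle rejected: %w", err)
	}
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(append(append([]byte{}, appIDHash...), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the relying party's side: check the assertion against the public
// key it stored at registration.
func Verify(pub, appIDHash, challenge, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pub)
	if err != nil {
		return false
	}
	ecPub, ok := k.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(append(append([]byte{}, appIDHash...), challenge...))
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	auth, _ := NewAuthenticator()
	app := AppIDHash("https://example.com") // constructed relying party
	pub, handle, _ := auth.Register(app)
	challenge := []byte("constructed-challenge-1") // constructed challenge
	sig, err := auth.Authenticate(app, handle, challenge)
	fmt.Println("genuine relying party verifies:", err == nil && Verify(pub, app, challenge, sig))
	_, err = auth.Authenticate(AppIDHash("https://other.example"), handle, challenge)
	fmt.Println("same handle under another origin rejected:", err != nil)
}
```

Because the wrapping key is the only state, this is also why a passphrase-derived device (as stavros suggests) needs no files for U2F credentials: derive the wrapping key from the passphrase and every handle the browser sends back is self-describing. The cost is that anyone who learns the passphrase can unwrap every handle they can obtain.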