I recently obtained YubiKeys from Yubico. A YubiKey is a USB hardware token with a small button that can act as a keyboard (a HID device) to input characters. It supports different modes:
- Yubico OTP Mode: Yubico implementation + server
- OATH-HOTP Mode: standard HOTP as per RFC 4226
- Static Password Mode: output the same static string
- Challenge Response Mode: no HID, software challenges the token and gets a response
Two-factor authentication
The typical use of this token is two-factor authentication. For instance, the YubiKey is configured in OTP mode, and when your authentication service asks you for an OTP, you plug the device into a USB port, press the button, and it inputs the OTP for you (HID, acting as a keyboard).
Configuration
They offer a cross-platform (Windows, Mac and Linux) personalization tool (user guide). It is a quick way to start playing with the device.
Hacking
This is the best part: Yubico products are well documented, and there are various open source tools and libraries in various languages (either by Yubico or third parties):
- yubikey-python: server library
- YubiServe: Python OATH-HOTP validation server
- yubico-c-client: C client library
- yubikey-personalization: tool (in C) to personalize YubiKey from command-line
- yubico-pam: PAM server module, and another
- python-yubico: library to talk to YubiKeys <= must!
- and more.
Example applications
With the server library, you can add two-factor authentication to your website. With the PAM module, you can add two-factor authentication to your SSH server. With static password mode, you can use it like a sheet of paper to remember a strong password. But you can do much more, limited only by your imagination, for instance:
- YubiUnlock: use your YubiKey to unlock your workstation.
- YubiText: use your YubiKey to input text, without static password mode.