Comments on StalkR's Blog: YubiText and 3-factor password authentication

StalkR (2012-04-16T20:11:12.359+02:00):

SSH/GPG: yes, it would be possible. But in this case I would go for a SmartCard to store the key and use pkcs11 so that the key never goes out.

Boot password: yes, it would work, it's a good idea but you need to buy as many tokens.

OTP: in this program I am not using the token in OTP mode, so it's neither 1) nor 2). I use it directly for HMAC in challenge-response mode.

If you want, you can also catch me on IRC to talk more about it.

w0lf (2012-04-11T13:08:56.460+02:00):

Thanks for your writings on this new security token, StalkR.

Isn't it possible to have the YubiKey contain an SSH/GPG fingerprint, and the software that runs on plugging that verifies the fingerprint, and verifies that the user can enter the code for this private key (on his computer), to enable user-space functionality?

And for the boot password, I think it would be cool to make a "pandora's box" token. You would be able to program each key yourself (some chars multiply characters, some do other operations), so you can remember the pattern but not the actual code yourself, which is VERY long because of the multiplying keys.

I'm very excited to hear more about how you go about securing your YubiKey.

How do the one-time passwords work?

1. You implement the one-time password with the API.

2. Your YubiKey ID is found at the Yubi servers and the OTP can be verified with this specific device ID against all OTPs, where one needs to match?