Yubikey Support For 2 Factor Auth


Syleron


  • 6 months later...

I still don't see why implementing the "native" Yubikey support is being pushed off. One TOTP instance requires a slot in the Yubikey; why would I want to burn up the last slot in my Yubikey for that when I can use Authy in Chrome (which defeats the point of 2FA)? Yes, I can make myself go get my phone or tablet all the time, but I'm lazy. The Yubikey is a simple device that someone *has* and a password is something one *knows*.


Now that I recently got the Yubikey NEO, I can program it with a PGP key and use it as a local smartcard for domain use, or even make my own hardware-based personal SSH key. The reason I bring that up is that it's a more universal-purpose reason to use a slot than a single TOTP instance.


Before someone brings up the argument saying that it's not secure, if you use LastPass, you're trusting your passwords (and possibly other data) in "the cloud" already.


The Yubikey OTP has been around since 2008, and it's now 2015. A whole 8 years have passed and it hasn't been breached. Since the Yubikey will not give out its 128-bit AES key, the only option is to breach the company anyway.


See page 16 of this PDF and read on about how the technology works (https://www.grc.com/sn/sn-143.pdf). (It's a transcript of an old Security Now! podcast episode.)
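A worked example of the validation the post is describing (the 128-bit AES secret stays on the key; the server decrypts the token, checks its integrity and rejects anything already seen), added here and not from the thread or from Yubico's own code. It works on the 16-byte token after the modhex layer and the public-ID prefix have been stripped; MakeToken stands in for the device, and the key, private ID and counters are constructed values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
)

// CRC-16 as the YubiKey computes it (poly 0x8408, init 0xffff): run over all 16 token bytes, stored CRC included, a genuine token leaves the residual 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift; xor in the polynomial if the low bit was set
		}
	}
	return crc
}

// MakeToken stands in for the key so the validator has input (constructed, not a real device):
// private ID(6) | use ctr(2, LE) | timestamp(3) | session ctr(1) | random(2) | ~CRC(2), then AES-128.
func MakeToken(key, uid []byte, useCtr uint16, sess uint8) []byte {
	pt := make([]byte, 16)
	copy(pt, uid)
	binary.LittleEndian.PutUint16(pt[6:], useCtr)
	pt[11] = sess
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14])) // the key stores the complemented CRC
	blk, _ := aes.NewCipher(key) // the secret that never leaves the device; constructed here for the demo
	blk.Encrypt(pt, pt)
	return pt
}

// Validate is the server side: decrypt with the key's AES secret, check CRC and private ID, then reject any token whose counters did not move forward (a replayed or re-submitted old OTP).
func Validate(ct, key, uid []byte, lastUse uint16, lastSess uint8) (uint16, uint8, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) != 16 {
		return 0, 0, errors.New("need a 16-byte AES key and a 16-byte token")
	}
	pt := make([]byte, 16)
	blk.Decrypt(pt, ct) // a single block, so AES-ECB is one call
	if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(uid) {
		return 0, 0, errors.New("bad CRC or private ID: wrong key or forged token")
	}
	use, sess := binary.LittleEndian.Uint16(pt[6:]), pt[11]
	if use < lastUse || use == lastUse && sess <= lastSess {
		return use, sess, errors.New("replayed token: counters did not advance")
	}
	return use, sess, nil
}
```

The counter rule is what makes a captured OTP worthless a second time: the server stores the highest (use, session) pair it has accepted per key and anything at or below it is refused.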


What the hell is the difference? If you are using Yubikey, you are using Yubikey. It's not like someone's going to steal it.

Oh... so someone isn't going to steal/break/ruin your smartphone or tablet? That's a lot easier to steal than something that's on a keychain that's on me or within eyesight.


The difference is what technology is being used and how efficiently it can be used on different platforms.


TL;DR If I wanted TOTP support, I would have got it set up, but that's not what I'm asking here and no one seems to understand that.


Like I've said before, Authy (and probably others) can sync TOTP instances across devices (including computers), and not very many people set locks/passcodes on them to prevent access. In fact, I can make an 8 MHz 8-bit processor do TOTP; it's not rocket science. Bottom line, the Yubikey OTP is something that's physically needed and you can't get around it.


Oh... so someone isn't going to steal/break/ruin your smartphone or tablet? That's a lot easier to steal than something that's on a keychain that's on me or within eyesight.


The difference is what technology is being used and how efficiently it can be used on different platforms.


TL;DR If I wanted TOTP support, I would have got it set up, but that's not what I'm asking here and no one seems to understand that.


https://www.yubico.com/products/yubikey-hardware/

OATH-TOTP requires a helper app, YubiTOTP. NFC is included on the larger, keychain form factor of the YubiKey NEO; however, NFC is NOT included on the smaller form factor, the YubiKey NEO-n.

All a YubiKey is is a hardware key; leave it around and anyone can just use it.


Uhh... the same principle can apply to your phone or tablet: if you walk away and I pick it up immediately after, most times the device will not require another unlock since it's within the frequent-use timeframe. From what I remember, Google Authenticator has no PIN to protect its TOTPs; Authy does, but no one I know uses it or even knows about it.


What you don't seem to understand now is that the Yubikey by itself is useless, since it's the second factor of authentication just like TOTP. You still need the originating password to get to the second stage.

With the TOTP configuration, the Yubikey just holds the key that the TOTP is generated from; the helper app does the actual math and takes the system time to generate the resulting number.


  • 2 weeks later...

The PHP API is written in a way that is simple to implement (https://github.com/Yubico/php-yubico). All it needs is a couple of fields added to the admin/user settings, a couple of columns added in the database, and then including the API files themselves. It's not rocket science to implement, so I still don't see what the problem is.


Our position isn't that we don't want to implement Yubikey as a token. In fact, we plan on making some improvements to the authentication system to make it easier to extend (OAuth and LDAP come to mind). But we've got a lot of other things we want to accomplish before we consider this.
