[Security-discuss] [Architecture] YubiNews: Google Releases Support for FIDO U2F Powered YubiKeys

Gregg Vanderheiden gv at trace.wisc.edu
Thu Oct 23 13:27:43 EDT 2014


hmmmmm

I got to thinking about the little guy - and didn’t see how it could have an antenna in that small space

so I checked it


>  the large (normal thin USB type) has NFC
>  but the tiny guy does NOT have NFC


The NFC in the YubiKey is not supported by our reader, but that isn’t surprising since it is not a simple NFC device.



gregg
--------------------------------------------------------
Gregg Vanderheiden Ph.D.
Director Trace R&D Center
Professor Industrial & Systems Engineering
and Biomedical Engineering University of Wisconsin-Madison
Co-Director, Raising the Floor - International - http://Raisingthefloor.org
and the Global Public Inclusive Infrastructure Project - http://GPII.net
> On Oct 23, 2014, at 11:12 AM, Tony Atkins <tony at raisingthefloor.org> wrote:
> 
> Ah, great, the NFC support wasn't clear from the product description.  Is there a particular model needed for that?
> 
> Cheers,
> 
> 
> Tony
> 
> On Thu, Oct 23, 2014 at 5:49 PM, Gregg Vanderheiden <gv at trace.wisc.edu> wrote:
> FYI
> 
> we have talked with YubiKey - and they have sent us sample YubiKeys to test (they were distributed to key Arch members - no pun intended)
> 
> they are based on open standards (and their keys are both USB and NFC enabled)
> 
> gregg
>> On Oct 23, 2014, at 3:33 AM, Tony Atkins <tony at raisingthefloor.org> wrote:
>> 
>> Hi, All:
>> 
>> Yubikey obviously realized that many people would be concerned and published an article regarding BadUSB:
>> 
>> https://www.yubico.com/2014/08/yubikey-badusb/
>> 
>> In short, they are not an attack vector, as their firmware cannot be rewritten.  However, given that there are definitely other devices that can take advantage of the vulnerability, I would assume that lab maintainers might still hesitate to allow users to use a USB port at all.
>> 
>> Cheers,
>> 
>> 
>> Tony
>> 
>> On Thu, Oct 23, 2014 at 10:24 AM, Tony Atkins <tony at raisingthefloor.org> wrote:
>> Hi, Gregg:
>> 
>> Thanks for sharing the link.  This sounds like the kind of thing that should be supported if it gains traction, but is not something we can exclusively rely on, as it does not work at all for mobile. RFID and NFC are a much better choice there.
>> 
>> I'm also wondering how much lab maintainers are concerned about "bad USB":
>> 
>> https://srlabs.de/badusb/
>> https://www.youtube.com/watch?v=nuruzFqMgIw
>> 
>> If this gains traction in the wild, I would not be surprised if public stations (one of our key use cases) limit access to USB ports to their users until there are stronger safeguards.  Again, having a trusted NFC reader installed by the lab owner is a better option here than allowing arbitrary USB devices.
>> 
>> For wider adoption, given that nearly all computers do not come with NFC or RFID readers, cheap and easy to use USB devices that we can build on top of are worth considering, especially since they already have a node module to handle the authentication:
>> 
>> https://www.npmjs.org/package/yub
>> 
>> Has anyone purchased one of these to try out?  They're around the same price as a low-end NFC ring, so it's not unreasonable to just get one and do a bit of research.
>> 
>> Cheers,
>> 
>> 
>> Tony
>> 
>> On Wed, Oct 22, 2014 at 6:36 AM, Gregg Vanderheiden <gv at trace.wisc.edu> wrote:
>> 
>> 
>> gregg
>> 
>>> Begin forwarded message:
>>> 
>>> Subject: YubiNews: Google Releases Support for FIDO U2F Powered YubiKeys
>>> From: Yubico <newsletter at yubico.com>
>>> Reply-To: Yubico <newsletter at yubico.com>
>>> To: <gv at trace.wisc.edu>
>>> Date: October 21, 2014 at 8:11:08 AM CDT
>>> 
>>> Google Releases Support for FIDO U2F Powered YubiKeys
>>> 
>>> YubiFriends,
>>> 
>>> Today is a good day for the Internet.
>>> 
>>> Now you can get your online Security Key at Amazon. A key that you own and control and that allows you to instantly and securely login to Google Accounts - and any number of service providers who choose to adopt FIDO Universal 2nd Factor authentication.
>>> 
>>> As a driving contributor of FIDO U2F specifications, Yubico celebrates this event by releasing a new bright blue and U2F-only version of our YubiKey.
>>> 
>>> More from our CEO & Founder, Stina Ehrensvard <http://yubico.us4.list-manage.com/track/click?u=f089f8c003910ccc8b7308b56&id=d00c32040b&e=1e2e553ee9>
>>> 
>> 
>> 
>> _______________________________________________
>> Architecture mailing list
>> Architecture at lists.gpii.net
>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>> 