[Security-discuss] [Architecture] Fwd: YubiNews: Google Releases Support for FIDO U2F Powered YubiKeys

Tony Atkins tony at raisingthefloor.org
Thu Oct 23 04:33:22 EDT 2014


Hi, All:

Yubikey obviously realized that many people would be concerned and
published an article regarding BadUSB:

https://www.yubico.com/2014/08/yubikey-badusb/

In short, they are not an attack vector, as their firmware cannot be
rewritten.  However, given that there are definitely other devices that can
take advantage of the vulnerability, I would assume that lab maintainers
might still hesitate to allow users to use a USB port at all.

Cheers,


Tony

On Thu, Oct 23, 2014 at 10:24 AM, Tony Atkins <tony at raisingthefloor.org>
wrote:

> Hi, Gregg:
>
> Thanks for sharing the link.  This sounds like the kind of thing that
> should be supported if it gains traction, but is not something we can
> exclusively rely on, as it does not work at all for mobile. RFID and NFC
> are a much better choice there.
>
> I'm also wondering how much lab maintainers are concerned about "bad USB":
>
> https://srlabs.de/badusb/
> https://www.youtube.com/watch?v=nuruzFqMgIw
>
> If this gains traction in the wild, I would not be surprised if public
> stations (one of our key use cases) limit access to USB ports to their
> users until there are stronger safeguards.  Again, having a trusted NFC
> reader installed by the lab owner is a better option here than allowing
> arbitrary USB devices.
>
> For wider adoption, given that nearly all computers do not come with NFC
> or RFID readers, cheap and easy to use USB devices that we can build on top
> of are worth considering, especially since they already have a node module
> to handle the authentication:
>
> https://www.npmjs.org/package/yub
>
> Has anyone purchased one of these to try out?  They're around the same
> price as a low-end NFC ring, so it's not unreasonable to just get one and
> do a bit of research.
>
> Cheers,
>
>
> Tony
>
> On Wed, Oct 22, 2014 at 6:36 AM, Gregg Vanderheiden <gv at trace.wisc.edu>
> wrote:
>
>>
>>
>> *gregg*
>> --------------------------------------------------------
>> Gregg Vanderheiden Ph.D.
>> Director Trace R&D Center
>> Professor Industrial & Systems Engineering
>> and Biomedical Engineering University of Wisconsin-Madison
>> Co-Director, Raising the Floor - International -
>> http://Raisingthefloor.org
>> and the Global Public Inclusive Infrastructure Project -  http://GPII.net
>>
>> Begin forwarded message:
>>
>> *Subject: **YubiNews: Google Releases Support for FIDO U2F Powered
>> YubiKeys*
>> *From: *Yubico <newsletter at yubico.com>
>> *Reply-To: *Yubico <newsletter at yubico.com>
>> *To: * <gv at trace.wisc.edu>
>> *Date: *October 21, 2014 at 8:11:08 AM CDT
>>
>> Google Releases Support for FIDO U2F Powered YubiKeys
>>
>> YubiFriends,
>>
>> Today is a good day for the Internet.
>>
>> Now you can get your online Security Key at Amazon. A key that you own
>> and control and that allows you to instantly and securely login to Google
>> Accounts - and any number of service providers who choose to adopt FIDO
>> Universal 2nd Factor authentication.
>> As a driving contributor of FIDO U2F specifications, Yubico celebrates
>> this event by releasing a new bright blue and U2F-only version of our
>> YubiKey.
>>
>> More from our CEO & Founder, Stina Ehrensvard
>