[Security-discuss] [Architecture] YubiNews: Google Releases Support for FIDO U2F Powered YubiKeys

Steve Lee steve at opendirective.com
Thu Oct 23 12:02:52 EDT 2014


Great to hear there is NFC too

Steve Lee
OpenDirective http://opendirective.com

On 23 October 2014 16:49, Gregg Vanderheiden <gv at trace.wisc.edu> wrote:

> FYI
>
> we have talked with YubiKey  - and they have sent us sample YubiKeys to
> test  (they were distributed to key Arch members - no pun intended)
>
> they are based on open standards  (and their keys are both USB and NFC
> enabled)
>
> *gregg*
> --------------------------------------------------------
> Gregg Vanderheiden Ph.D.
> Director Trace R&D Center
> Professor Industrial & Systems Engineering
> and Biomedical Engineering University of Wisconsin-Madison
> Co-Director, Raising the Floor - International -
> http://Raisingthefloor.org
> and the Global Public Inclusive Infrastructure Project -  http://GPII.net
>
> On Oct 23, 2014, at 3:33 AM, Tony Atkins <tony at raisingthefloor.org> wrote:
>
> Hi, All:
>
> Yubikey obviously realized that many people would be concerned and
> published an article regarding BadUSB:
>
> https://www.yubico.com/2014/08/yubikey-badusb/
>
> In short, they are not an attack vector, as their firmware cannot be
> rewritten.  However, given that there are definitely other devices that can
> take advantage of the vulnerability, I would assume that lab maintainers
> might still hesitate to allow users to use a USB port at all.
>
> Cheers,
>
>
> Tony
>
> On Thu, Oct 23, 2014 at 10:24 AM, Tony Atkins <tony at raisingthefloor.org>
> wrote:
>
>> Hi, Gregg:
>>
>> Thanks for sharing the link.  This sounds like the kind of thing that
>> should be supported if it gains traction, but is not something we can
>> exclusively rely on, as it does not work at all for mobile. RFID and NFC
>> are a much better choice there.
>>
>> I'm also wondering how much lab maintainers are concerned about "bad USB":
>>
>> https://srlabs.de/badusb/
>> https://www.youtube.com/watch?v=nuruzFqMgIw
>>
>> If this gains traction in the wild, I would not be surprised if public
>> stations (one of our key use cases) limit access to USB ports to their
>> users until there are stronger safeguards.  Again, having a trusted NFC
>> reader installed by the lab owner is a better option here than allowing
>> arbitrary USB devices.
>>
>> For wider adoption, given that nearly all computers do not come with NFC
>> or RFID readers, cheap and easy to use USB devices that we can build on top
>> of are worth considering, especially since they already have a node module
>> to handle the authentication:
>>
>> https://www.npmjs.org/package/yub
>>
>> Has anyone purchased one of these to try out?  They're around the same
>> price as a low-end NFC ring, so it's not unreasonable to just get one and
>> do a bit of research.
>>
>> Cheers,
>>
>>
>> Tony
>>
>> On Wed, Oct 22, 2014 at 6:36 AM, Gregg Vanderheiden <gv at trace.wisc.edu>
>> wrote:
>>
>>>
>>>
>>> *gregg*
>>> --------------------------------------------------------
>>> Gregg Vanderheiden Ph.D.
>>> Director Trace R&D Center
>>> Professor Industrial & Systems Engineering
>>> and Biomedical Engineering University of Wisconsin-Madison
>>> Co-Director, Raising the Floor - International -
>>> http://Raisingthefloor.org <http://raisingthefloor.org/>
>>> and the Global Public Inclusive Infrastructure Project -
>>> http://GPII.net <http://gpii.net/>
>>>
>>> Begin forwarded message:
>>>
>>> *Subject: **YubiNews: Google Releases Support for FIDO U2F Powered
>>> YubiKeys*
>>> *From: *Yubico <newsletter at yubico.com>
>>> *Reply-To: *Yubico <newsletter at yubico.com>
>>> *To: * <gv at trace.wisc.edu>
>>> *Date: *October 21, 2014 at 8:11:08 AM CDT
>>>
>>> Google Releases Support for FIDO U2F Powered YubiKeysView this email in
>>> your browser
>>> <http://us4.campaign-archive1.com/?u=f089f8c003910ccc8b7308b56&id=4f9b1d479d&e=1e2e553ee9>Google
>>> Releases Support for FIDO U2F Powered YubiKeys
>>>
>>> YubiFriends,
>>>
>>> Today is a good day for the Internet.
>>>
>>> Now you can get your online Security Key at Amazon. A key that you own
>>> and control and that allows you to instantly and securely login to Google
>>> Accounts - and any number of service providers who choose to adopt FIDO
>>> Universal 2nd Factor authentication.
>>> As a driving contributor of FIDO U2F specifications, Yubico celebrates
>>> this event by releasing a new bright blue and U2F-only version of our
>>> YubiKey.
>>>
>>> More from our CEO & Founder, Stina Ehrensvard
>>> <http://yubico.us4.list-manage.com/track/click?u=f089f8c003910ccc8b7308b56&id=d00c32040b&e=1e2e553ee9>*Copyright
>>> © 2014 Yubico, All rights reserved.*
>>> You're receiving this email because you opted in at our website or
>>> during a purchase on our web store. If you wish to unsubscribe or update
>>> your subscription preferences, just click on the links below.
>>>
>>> unsubscribe from this list
>>> <http://yubico.us4.list-manage1.com/unsubscribe?u=f089f8c003910ccc8b7308b56&id=1583d0035b&e=1e2e553ee9&c=4f9b1d479d>
>>>     update subscription preferences
>>> <http://yubico.us4.list-manage1.com/profile?u=f089f8c003910ccc8b7308b56&id=1583d0035b&e=1e2e553ee9>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture at lists.gpii.net
>>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
> _______________________________________________
> Architecture mailing list
> Architecture at lists.gpii.net
> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>
>
>
> _______________________________________________
> Architecture mailing list
> Architecture at lists.gpii.net
> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.gpii.net/pipermail/security-discuss/attachments/20141023/0dcad28f/attachment-0001.html>


More information about the Security-discuss mailing list