[Security-discuss] [Architecture] YubiNews: Google Releases Support for FIDO U2F Powered YubiKeys

Steve Lee steve at opendirective.com
Tue Oct 28 02:34:37 EDT 2014


Great!

Steve Lee
OpenDirective http://opendirective.com

On 28 October 2014 03:43, Steven Githens <swgithen at mtu.edu> wrote:

> Steve,
>
> I’m fiddling with my Yubikey Neo on this issue now, and should hopefully
> have diagnostics for you soon.  :)
>
> -Steve
>
> On Oct 23, 2014, at 5:31 PM, Steve Lee <steve at opendirective.com> wrote:
>
> Id be intetesyed in seeing the windows listener diagnostic window output.
> You should be able to cut n paste it.
>
> Steve
>
> Autocomplete may have messed with my text
> On 23 Oct 2014 18:32, "Gregg Vanderheiden" <gv at trace.wisc.edu> wrote:
>
>> actually, to be more accurate.   Our USB Programming App   says
>> “unsupported Type”
>>
>> and our listener detects it.
>>
>> So it is detected and "somewhat readable”  but it is ‘indecipherable’
>>  I guess you would say.
>>
>> All I have.  I gave samples to Steve and Colin and maybe Kasper - so they
>> might have more.
>>
>> *gregg*
>> --------------------------------------------------------
>> Gregg Vanderheiden Ph.D.
>> Director Trace R&D Center
>> Professor Industrial & Systems Engineering
>> and Biomedical Engineering University of Wisconsin-Madison
>> Co-Director, Raising the Floor - International -
>> http://Raisingthefloor.org <http://raisingthefloor.org/>
>> and the Global Public Inclusive Infrastructure Project -  http://GPII.net
>> <http://gpii.net/>
>>
>> On Oct 23, 2014, at 11:12 AM, Tony Atkins <tony at raisingthefloor.org>
>> wrote:
>>
>> Ah, great, the NFC support wasn't clear from the product description.  Is
>> there a particular model needed for that?
>>
>> Cheers,
>>
>>
>> Tony
>>
>> On Thu, Oct 23, 2014 at 5:49 PM, Gregg Vanderheiden <gv at trace.wisc.edu>
>> wrote:
>>
>>> FYI
>>>
>>> we have talked with YubiKey  - and they have sent us sample YubiKeys to
>>> test  (they were distributed to key Arch members - no pun intended)
>>>
>>> they are based on open standards  (and their keys are both USB and NFC
>>> enabled)
>>>
>>> *gregg*
>>> --------------------------------------------------------
>>> Gregg Vanderheiden Ph.D.
>>> Director Trace R&D Center
>>> Professor Industrial & Systems Engineering
>>> and Biomedical Engineering University of Wisconsin-Madison
>>> Co-Director, Raising the Floor - International -
>>> http://Raisingthefloor.org <http://raisingthefloor.org/>
>>> and the Global Public Inclusive Infrastructure Project -
>>> http://GPII.net <http://gpii.net/>
>>>
>>> On Oct 23, 2014, at 3:33 AM, Tony Atkins <tony at raisingthefloor.org>
>>> wrote:
>>>
>>> Hi, All:
>>>
>>> Yubikey obviously realized that many people would be concerned and
>>> published an article regarding BadUSB:
>>>
>>> https://www.yubico.com/2014/08/yubikey-badusb/
>>>
>>> In short, they are not an attack vector, as their firmware cannot be
>>> rewritten.  However, given that there are definitely other devices that can
>>> take advantage of the vulnerability, I would assume that lab maintainers
>>> might still hesitate to allow users to use a USB port at all.
>>>
>>> Cheers,
>>>
>>>
>>> Tony
>>>
>>> On Thu, Oct 23, 2014 at 10:24 AM, Tony Atkins <tony at raisingthefloor.org>
>>> wrote:
>>>
>>>> Hi, Gregg:
>>>>
>>>> Thanks for sharing the link.  This sounds like the kind of thing that
>>>> should be supported if it gains traction, but is not something we can
>>>> exclusively rely on, as it does not work at all for mobile. RFID and NFC
>>>> are a much better choice there.
>>>>
>>>> I'm also wondering how much lab maintainers are concerned about "bad
>>>> USB":
>>>>
>>>> https://srlabs.de/badusb/
>>>> https://www.youtube.com/watch?v=nuruzFqMgIw
>>>>
>>>> If this gains traction in the wild, I would not be surprised if public
>>>> stations (one of our key use cases) limit access to USB ports to their
>>>> users until there are stronger safeguards.  Again, having a trusted NFC
>>>> reader installed by the lab owner is a better option here than allowing
>>>> arbitrary USB devices.
>>>>
>>>> For wider adoption, given that nearly all computers do not come with
>>>> NFC or RFID readers, cheap and easy to use USB devices that we can build on
>>>> top of are worth considering, especially since they already have a node
>>>> module to handle the authentication:
>>>>
>>>> https://www.npmjs.org/package/yub
>>>>
>>>> Has anyone purchased one of these to try out?  They're around the same
>>>> price as a low-end NFC ring, so it's not unreasonable to just get one and
>>>> do a bit of research.
>>>>
>>>> Cheers,
>>>>
>>>>
>>>> Tony
>>>>
>>>> On Wed, Oct 22, 2014 at 6:36 AM, Gregg Vanderheiden <gv at trace.wisc.edu>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> *gregg*
>>>>> --------------------------------------------------------
>>>>> Gregg Vanderheiden Ph.D.
>>>>> Director Trace R&D Center
>>>>> Professor Industrial & Systems Engineering
>>>>> and Biomedical Engineering University of Wisconsin-Madison
>>>>> Co-Director, Raising the Floor - International -
>>>>> http://Raisingthefloor.org <http://raisingthefloor.org/>
>>>>> and the Global Public Inclusive Infrastructure Project -
>>>>> http://GPII.net <http://gpii.net/>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>> *Subject: **YubiNews: Google Releases Support for FIDO U2F Powered
>>>>> YubiKeys*
>>>>> *From: *Yubico <newsletter at yubico.com>
>>>>> *Reply-To: *Yubico <newsletter at yubico.com>
>>>>> *To: * <gv at trace.wisc.edu>
>>>>> *Date: *October 21, 2014 at 8:11:08 AM CDT
>>>>>
>>>>> Google Releases Support for FIDO U2F Powered YubiKeysView this email
>>>>> in your browser
>>>>> <http://us4.campaign-archive1.com/?u=f089f8c003910ccc8b7308b56&id=4f9b1d479d&e=1e2e553ee9>Google
>>>>> Releases Support for FIDO U2F Powered YubiKeys
>>>>>
>>>>> YubiFriends,
>>>>>
>>>>> Today is a good day for the Internet.
>>>>>
>>>>> Now you can get your online Security Key at Amazon. A key that you own
>>>>> and control and that allows you to instantly and securely login to Google
>>>>> Accounts - and any number of service providers who choose to adopt FIDO
>>>>> Universal 2nd Factor authentication.
>>>>> As a driving contributor of FIDO U2F specifications, Yubico celebrates
>>>>> this event by releasing a new bright blue and U2F-only version of our
>>>>> YubiKey.
>>>>>
>>>>> More from our CEO & Founder, Stina Ehrensvard
>>>>> <http://yubico.us4.list-manage.com/track/click?u=f089f8c003910ccc8b7308b56&id=d00c32040b&e=1e2e553ee9>*Copyright
>>>>> © 2014 Yubico, All rights reserved.*
>>>>> You're receiving this email because you opted in at our website or
>>>>> during a purchase on our web store. If you wish to unsubscribe or update
>>>>> your subscription preferences, just click on the links below.
>>>>>
>>>>> unsubscribe from this list
>>>>> <http://yubico.us4.list-manage1.com/unsubscribe?u=f089f8c003910ccc8b7308b56&id=1583d0035b&e=1e2e553ee9&c=4f9b1d479d>
>>>>>     update subscription preferences
>>>>> <http://yubico.us4.list-manage1.com/profile?u=f089f8c003910ccc8b7308b56&id=1583d0035b&e=1e2e553ee9>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture at lists.gpii.net
>>>>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>>
>>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture at lists.gpii.net
>>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture at lists.gpii.net
>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>>
>>
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture at lists.gpii.net
>> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>>
>> _______________________________________________
> Architecture mailing list
> Architecture at lists.gpii.net
> http://lists.gpii.net/cgi-bin/mailman/listinfo/architecture
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.gpii.net/pipermail/security-discuss/attachments/20141028/7572172d/attachment-0001.html>


More information about the Security-discuss mailing list