Question

I've just picked up a YubiKey.

However, the demo Yubico redirect you to is served over plain HTTP, over which each OTP you generate during the demo is POSTed, enabling you to verify that your key is working properly. The first group of characters of each OTP is a static public identifier of the key.

As services such as LastPass use the static identifier in order to encrypt your password vault for offline use, is it a good choice for LastPass to use the public identifier since Yubico treat this as public knowledge?

Answer #1

No, this is insecure as the public identity is not considered a secret. This is backed up by the fact Yubico send the identifier over HTTP. If this is known to be used for a LastPass account, a MITM could capture the extra offline encryption key as used by LastPass.

Although there is a chance that it has been leaked over the internet, as the master password is also required to unlock the local password vault, the risk is low.

The YubiKey Personalization Tool can be used to configure a new public identity in the case that it has been leaked.
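
The static prefix discussed in the question and answer can be seen by splitting OTPs into their two parts. This is an added example, not part of the original answer: the OTP strings are constructed sample values, and it assumes the standard Yubico OTP layout (a modhex public ID followed by 32 modhex characters of AES-encrypted data).

```python
"""Split Yubico OTPs into the static public ID and the per-press encrypted part."""

MODHEX = "cbdefghijklnrtuv"   # modhex character at index i encodes hex nibble i
ENCRYPTED_LEN = 32            # one 16-byte AES block, modhex-encoded
MAX_PUBLIC_ID_LEN = 32        # public ID may be 0..16 bytes (12 chars by default)


def modhex_to_hex(text):
    """Decode modhex to a hex string; raise ValueError on any other character."""
    try:
        return "".join("%x" % MODHEX.index(ch) for ch in text)
    except ValueError:
        raise ValueError("not a modhex string: %r" % text)


def split_otp(otp):
    """Return (public_id, encrypted_part) for one OTP, both still in modhex."""
    otp = otp.strip().lower()
    if not ENCRYPTED_LEN <= len(otp) <= ENCRYPTED_LEN + MAX_PUBLIC_ID_LEN:
        raise ValueError("unexpected OTP length: %d" % len(otp))
    modhex_to_hex(otp)  # validates the alphabet
    return otp[:-ENCRYPTED_LEN], otp[-ENCRYPTED_LEN:]


def summarize(otps):
    """Report what stays constant and what changes across several OTPs."""
    parts = [split_otp(o) for o in otps]
    public_ids = {p for p, _ in parts}
    return {
        "public_ids": sorted(public_ids),
        "public_ids_hex": sorted(modhex_to_hex(p) for p in public_ids),
        "distinct_encrypted_parts": len({e for _, e in parts}),
        "same_key": len(public_ids) == 1,
    }


# Constructed sample OTPs (not from a real key): same 12-char public ID,
# different encrypted tails, as two presses of one YubiKey would produce.
SAMPLE_PUBLIC_ID = "ccccccbdefgh"
OTP_A = SAMPLE_PUBLIC_ID + "hijklnrtuvcbdefg" * 2
OTP_B = SAMPLE_PUBLIC_ID + "vutrnlkjihgfedbc" * 2

if __name__ == "__main__":
    for key, value in summarize([OTP_A, OTP_B]).items():
        print(key, "=", value)
```

Every OTP from the same key carries the same leading public ID in the clear, and only the trailing 32 characters change between presses.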
