
posted by Fnord666 on Thursday August 22 2019, @12:35PM
from the pick-a-standard-please dept.

Submitted via IRC for SoyCow3196

This new YubiKey will offer dual security for Apple users – TechCrunch

Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with dual support for iPhones, Macs and other USB-C compatible devices.

Yubico’s newest YubiKey is the latest iteration of its security key built to support a newer range of devices, including Apple’s iPhone, iPad and MacBooks, in a single device. Announced in June, the company said the security keys would cater to cross-platform users — particularly Apple device owners.

These security keys are small enough to sit on a keyring. When you want to log in to an online account, you plug the key into your device and it authenticates you. Your Gmail, Twitter and Facebook accounts all support these plug-in devices as a second factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.


  • (Score: 1, Interesting) by Anonymous Coward on Thursday August 22 2019, @12:59PM (3 children)

    by Anonymous Coward on Thursday August 22 2019, @12:59PM (#883584)

    Yubico has replaced all open-source components in YubiKey 4 with closed-source code, which can no longer be independently reviewed for security flaws.

    This doesn't guarantee the NSA coerced them, and the NSA certainly has the skill to hide nasty shit in open source software, but it's enough that I closed the tabs I had open because I wanted to buy one. If you think this is paranoid, remember:

    In March 2014, it was reported by Reuters that RSA had also adapted the extended random standard championed by NSA. Later cryptanalysis showed that extended random did not add any security, and it was rejected by the prominent standards group Internet Engineering Task Force. Extended random did however make NSA's backdoor for Dual_EC_DRBG tens of thousands of times faster to use for attackers with the key to the Dual_EC_DRBG backdoor (presumably only NSA), because the extended nonces in extended random made part of the internal state of Dual_EC_DRBG easier to guess. Only RSA Security's Java version was hard to crack without extended random, since the caching of Dual_EC_DRBG output in e.g. RSA Security's C programming language version already made the internal state fast enough to determine. And indeed, RSA Security only implemented extended random in its Java implementation of Dual_EC_DRBG.

  • (Score: 1, Informative) by Anonymous Coward on Thursday August 22 2019, @01:18PM

    by Anonymous Coward on Thursday August 22 2019, @01:18PM (#883595)

    Forgot to rewrite it when I realized it was silly. Here's the company's response, https://www.yubico.com/2016/05/secure-hardware-vs-open-source/, the short version is:

    So — why not combine the best of two worlds then, i.e. using secure hardware in an open source design? There are a few problems with that:

    • In order to achieve these higher levels of certifications, certain requirements are put on the final products
    • secure silicon [products aren't] available on the open market for developers
    • [above mentioned secure products require paperwork to get]
    • there is no debug port and [it takes too much paperwork to get an emulator]
    • this does not prevent the source code from being published, without the datasheets, security guidelines, and a platform for performing tests, the outcome is questionable, with little practical value

    To summarize, their official reasons are 1) we want to check boxes, 2) you can't get the hardware to run the software on, 3) you can't get the hardware to run the software on, 4) you can't get an emulator to run the hardware on, or fuck with your own hardware, 5) you don't want the software.
    Clearly, they're full of shit.

  • (Score: 4, Insightful) by Farkus888 on Thursday August 22 2019, @01:42PM (1 child)

    by Farkus888 (5159) on Thursday August 22 2019, @01:42PM (#883603)

    I agree that this is at least questionable and bad if true. However, for most of us it is just a matter of letting perfect be the enemy of good. If you have a better solution I'm interested. The effectiveness of these for preventing phishing and credential stuffing is huge. The people doing those attacks are not sophisticated enough to use an NSA backdoor. Those attacks are the biggest threat to the average internet user.

    • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @02:28PM

      by Anonymous Coward on Thursday August 22 2019, @02:28PM (#883628)

      I overreacted, these are better than the current state of affairs.