
I stopped reading at the first paragraph: "At that point, anyone can take the key and use it for 2-factor authentication/SSH/GPG signing, so it’s not much better than just using a normal password.".

If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.

Good luck taking my Yubikey and trying to SSH to my kit. Won't do you much good without the PIN that is in my head. ;)

P.S. You can also configure the Yubi to lock and mandate a PUK after too many wrong PINs.




> If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.

Try being a little nicer. If you feel that the blog post is a waste of your time, here's a revolutionary idea – don't say anything? There are 29 other posts on the front page, maybe one of those other ones will be worth your time.

As it is, the UX of the poster's solution is totally different from yours; it enables a one-time, contactless authentication during login. Yours requires a ton of manual input every time the Yubikey is used for SSH. There is some difference in the security models here, but the author's solution is broadly different from yours, and to me, much more convenient (I use a Yubikey with a PIN for work and it's kind of a pain).


I’m someone that often reads the comments before reading the article, so it’s helpful to know what people think is blog spam and what is actually worth reading.


Understood.

I'm making the claim that the OP's comment is both derogatory ("rambling", "waste of my time") and not relevant to the solution described in the article. Therefore, if anything, the comment is more deserving of being labeled spam than the article itself.


Seconded. I think one of Hacker News' biggest value-adds versus, say, O'Reilly is the eagerness with which the commenters on this site will rip apart bad ideas/articles.


I agree, but also you can be critical without being an asshat.

It's better to comment from a perspective of "I bet you didn't know this" than "Ha, you're an idiot"


The point is the author of the blog is spreading FUD by saying "you can't leave your Yubikey unattended because anybody can take it and use it to SSH without your consent".

That is a falsehood and deserves to be called out.

I don't mind "revolutionary ideas", but don't use your platform to spread FUD.


It's great to correct falsehoods, but please do so without "calling out". The online callout/shaming culture has toxic effects and we're on a different trip here, or trying to be.

https://hn.algolia.com/?query=online%20shaming%20by%3Adang&s...

https://news.ycombinator.com/newsguidelines.html

p.s. https://news.ycombinator.com/item?id=24190704 was much nicer - that's the spirit ;)


Author of the post here - you have a good point with regard to SSH/GPG. (I do have a PIN on my keys.) I was targeting more the U2F standpoint - as in if you're using it for 2FA, it's obviously no better than a password if someone else can just press the little yellow button :)

Thanks for reading, though, and for commenting!


> it's obviously no better than a password if someone else can just press the little yellow button :)

If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.

The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple minutes?
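An added example of the reminder daemon suggested above (not code from the thread or from any linked project): the timing logic is a pure, testable class, and device enumeration is a thin adapter around python-fido2's `CtapHidDevice.list_devices()`, which is assumed to be available and to expose `descriptor.path`; without the library the watcher simply sees no devices. The threshold, poll interval and message text are constructed placeholders.

```python
"""Warn when a FIDO/U2F security key has been left plugged in too long.

The tracker decides *when* to warn; the enumerator (python-fido2, assumed
API) supplies *which* keys are attached; run() glues them into a poll loop.
"""
import time


class PresenceTracker:
    """Tracks how long each security key has been continuously present.

    update(now, present_ids) returns the ids that have just crossed the
    threshold. Each insertion is warned about once; unplugging and
    re-inserting the key restarts its clock.
    """

    def __init__(self, threshold_seconds=120):
        self.threshold = threshold_seconds
        self.first_seen = {}   # device id -> time first observed (this insertion)
        self.warned = set()    # device ids already warned for this insertion

    def update(self, now, present_ids):
        present_ids = set(present_ids)
        # Drop devices that were removed so a re-insert starts from zero.
        for dev in list(self.first_seen):
            if dev not in present_ids:
                del self.first_seen[dev]
                self.warned.discard(dev)
        newly_overdue = []
        for dev in sorted(present_ids):
            since = self.first_seen.setdefault(dev, now)
            if now - since >= self.threshold and dev not in self.warned:
                self.warned.add(dev)
                newly_overdue.append(dev)
        return newly_overdue


def list_fido_device_ids():
    """Enumerate attached CTAP-HID (FIDO/U2F) devices.

    Assumes python-fido2's CtapHidDevice.list_devices() and that each device
    carries a HID descriptor with a stable .path; returns an empty set when
    the library is not installed so the loop still runs.
    """
    try:
        from fido2.hid import CtapHidDevice
    except ImportError:
        return set()
    return {str(dev.descriptor.path) for dev in CtapHidDevice.list_devices()}


def run(tracker, enumerate_devices=list_fido_device_ids, poll_seconds=5, notify=print):
    """Poll forever; notify() receives one message per key that becomes overdue."""
    while True:
        for dev in tracker.update(time.monotonic(), enumerate_devices()):
            notify(f"Security key {dev} has been plugged in for over "
                   f"{tracker.threshold} seconds - remove it.")
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Constructed defaults: warn after two minutes, check every five seconds.
    run(PresenceTracker(threshold_seconds=120))
```

Swap `notify=print` for a desktop-notification call (e.g. `notify-send` via `subprocess`) to make it a real background reminder; the tracker itself never touches hardware, so the warn-once and restart-on-reinsert behaviour can be checked with a hand-written sequence of snapshots.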


No hard feelings @Pneumaticat. ;)

Most places where I use the FIDO feature of Yubi (e.g. Github), you still need to provide username and password. So an abandoned Yubi is still of limited use assuming your password is stored securely.


Yeah - here, I'll add a slight edit to the post to explain it in more detail and clear up any confusion.



