it's YubiKey, not yubikey
authored Apr 19, 2023 by anarcat
howto/yubikey.md
View page @
445f2b0f
@@ -207,7 +207,7 @@ N/A
The YubiKeys keep private cryptographic information embedded in the
key, for example RSA keys for the SSH authentication mechanism. Those
keys are supposed to be impossible to extract from the Yubi
k
ey, which
keys are supposed to be impossible to extract from the Yubi
K
ey, which
means they are also impossible to backup.
## Queues
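Review bot: while this sentence is being touched, "impossible to backup" in the hunk's last changed line should read "impossible to back up": "backup" is the noun, "back up" the verb. The capitalisation change itself is consistent with "The YubiKeys keep private cryptographic information" at the top of the same paragraph, so nothing else in this hunk needs to follow.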
@@ -317,8 +317,8 @@ the secret key material is available on the backup YubiKey.
## Other documentation
*
[
Anarcat's old (2015) Yubi
k
ey howto
](
https://anarc.at/blog/2015-12-14-yubikey-howto/
)
*
[
A Yubi
k
ey cheatsheet
](
https://debugging.works/blog/yubikey-cheatsheet/
)
*
[
Anarcat's old (2015) Yubi
K
ey howto
](
https://anarc.at/blog/2015-12-14-yubikey-howto/
)
*
[
A Yubi
K
ey cheatsheet
](
https://debugging.works/blog/yubikey-cheatsheet/
)
*
[
TPA-RFC-53
][]
and
[
discussion ticket
](
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083
)
[
TPA-RFC-53
]:
policy/tpa-rfc-53-security-keys
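Review bot: the two link titles are changed to "YubiKey" while the URL slugs on the same lines (https://anarc.at/blog/2015-12-14-yubikey-howto/ and https://debugging.works/blog/yubikey-cheatsheet/) correctly stay lower-case, since URL paths are case-sensitive and changing them would break the links; worth a quick check that the same restraint was applied to any other slug or file path in the page. Note also that "[TPA-RFC-53][]" depends on the "[TPA-RFC-53]: policy/tpa-rfc-53-security-keys" definition in the trailing context, so a later rename of that label has to touch both lines.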
@@ -347,16 +347,16 @@ were compromised by hacking into key people's accounts and destroying
critical data or introducing vulnerabilities in their software. Those
organisations had 2FA enabled, but attackers were able to bypass that
security by hijacking their phones, which is why having a
cryptographic token like a Yubi
k
ey is important.
cryptographic token like a Yubi
K
ey is important.
We also don't necessarily provide people with the means to more
securely store their (e.g. SSH) private keys, used commonly by
developers to push and sign code. So we are considering buying a bunch
of Yubi
k
eys, bringing them to the next Tor meeting, and training
of Yubi
K
eys, bringing them to the next Tor meeting, and training
people to use them.
There's all sorts of pitfalls and challenges in deploying 2FA and
YubiKeys (e.g. "i lost my
y
ubi
k
ey" or "omg GnuPG is hell"). We're not
YubiKeys (e.g. "i lost my
Y
ubi
K
ey" or "omg GnuPG is hell"). We're not
going to immediately solve all of those issues. We're going to get
hardware into people's hands and hopefully train them with U2F/FIDO2
web 2FA, and maybe be able to explore the SSH/OpenPGP side of things
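Review bot: in the quoted complaint "i lost my yubikey" the lower-case spelling is part of the colloquial voice (the "i", and the "omg" in the neighbouring quote, are left as they are), so capitalising only "YubiKey" inside the quotation is inconsistent; either leave the quote verbatim or normalise the whole phrase. The two replacements outside quotation marks in this hunk ("a cryptographic token like a YubiKey" and "buying a bunch of YubiKeys") are fine.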
@@ -384,7 +384,7 @@ successfully attack the Tor project.
### Future work
Ideally, there would be a rugged
*and*
open-hardware device that could
simultaneously offer the tamper-resistance of the Yubi
k
ey while at the
simultaneously offer the tamper-resistance of the Yubi
K
ey while at the
same time providing an auditable hardware platform.
## Technical debt and next steps
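Review bot: style: "simultaneously offer the tamper-resistance of the YubiKey while at the same time providing an auditable hardware platform" says the same thing twice; drop either "simultaneously" or "at the same time", e.g. "offer the tamper-resistance of the YubiKey while providing an auditable hardware platform". The capitalisation change itself matches the rest of the commit.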