1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.
2) The computer/OS doesn't have to support anything for this added feature.
> 1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.
I'd like it to work that way but when I'm reading the article it doesn't explicitly say that (only mentioning integration with Azure that's not interesting for me).
Is there any authoritative info that the fingerprint reader will work as touch button but with verification of fingerprints in all scenarios? (like touch-to-use on OpenPGP applet, U2F applet etc.)
> The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence).
Additionally, it prevents brute force attacks on the hardware.
Only if you keep your key and computer hardware separate.
Some hardware keys are being built into devices, or are left in them semi-permanently (to be fair, physical attacks aren't a real concern for most people).
No - what I meant is exactly that a hardware key permanently left in a computer is still safe from brute force attacks by software running on that computer (which could be Javascript on a website the user visited) because it requires physical interaction for each single operation it performs.
Yeah I would like this for a yubikey I leave plugged into a machine, like my desktop at work. That way I don't have to fish the one I carry on my keyring out of my pocket and remember to bring it home.
For cases like this, when people leave their key permanently attached to a device, it would be nice if the device itself had this functionality built in. I mean, the iPhone already has a secure enclave to store this kind of sensitive data.
There is a web service using exactly such a mechanism for U2F in browsers: https://krypt.co/
This works through an add-on in the browser rather than native functionality, but the system is secure enough that I use it as a backup for some of my 2FA services in case I lose my TOTP keys.
A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
I don't think this product is as useful as it seems at first glance. Using stronger passwords is probably just as safe.
But I am no tptacek so I may be completely wrong :)
> A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
I do hope you realize this raises the amount of work the attacker has to do to actually get access to your device. It's a little like saying a second lock on your door is not going to stop anyone, but in practice statistics are clear: adding one more layer, even if that layer can be defeated as well, reduces the chance of a successful attack, or deters the attacker in the first place.
For most people, their threat model is someone in their home, office or circle of acquaintances snooping on their computer - either casually or with criminal intent but little savvy. These are not sophisticated actors, they are not lifting fingerprints off glasses.
Anyway, Yubikey is only a second factor - not your entire security strategy - and I think it is made a bit stronger with a biometric, that's all.
> A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
The people most of us work with have physical access to our computers and they could probably shoulder surf a short password (use a password manager!). I don't imagine any of them could successfully lift a fingerprint sufficiently well to fool a biometric reader. It looks easy in perfect conditions on YouTube, but in the real world it's a bit harder.
I hope not anyway because my office has fingerprint access.