yawnbox, to random
@yawnbox@disobey.net avatar

IT helpdesk (Lapsus$): ring ring

Employee: hello?

IT: Hello! This is Roger from IT. We've identified a problem with your Okta access and we need to replace your company Yubikey. We've already mailed you a replacement, return your old Yubikey in the box that will have a return shipping label. Please write down your company email and Yubikey PIN on a sticky note and include it in the box so we can fully remove the old Yubikey from Okta. The delivery is scheduled for today so your work won't be impacted come Monday.

employee: ok!

yes, a is possible

hko, (edited ) to rust
@hko@fosstodon.org avatar

Meet oct-git, a new signing and verification tool for use with the distributed version control system:

https://crates.io/crates/openpgp-card-tool-git 🦀

oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys

It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)

hko,
@hko@fosstodon.org avatar

oct-git is joint work with the always excellent @wiktor

Thanks to NLNet and @NGIZero for funding work on this project!

schizanon, to passkeys
@schizanon@mastodon.social avatar

PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.

Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.

vintprox,
@vintprox@techhub.social avatar

@magitism @schizanon In other words... "magic link" but with extra steps.

firefly,
@firefly@neon.nightbulb.net avatar

Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.

See here:

https://www.metzdowd.com/pipermail/cryptography/2023-September/038186.html

"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor system, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."

and here:

https://www.metzdowd.com/pipermail/cryptography/2023-September/038188.html

"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."

#Passkeys #Passkey #Passwords #Password #2FactorAuth #Authentication #Security #Cryptography

oliklee, (edited ) to ubuntu
@oliklee@chaos.social avatar

I have upgraded two systems to 24.04 now and also tried as snap (which is the default for Ubuntu 24.04) on another machine.

The system upgrades were incredibly smooth. Thunderbird in general also works fine, but it doesn't support with private keys on a yet (which is my usecase). (Yes,there is a workaround, although clunky.)

So it looks like I'll stay on 23.10 a bit longer on my main machine.

https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2009825

alexanderschnitzler,
@alexanderschnitzler@mstdn.social avatar

@oliklee Me too but I don’t understand why there are so many different competing package formats once again. And then there is the whole nix universe as well. Hard to decide what to use and tbh, double click an exe or moving a dmg file is sometimes easier than using a package manager. 🫣

oliklee,
@oliklee@chaos.social avatar

I'm going to switch the affected systems to the Firefox/Thunderbird PPA now: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa

rhys, to llm
@rhys@rhys.wtf avatar

My first troublesome hallucination with a in a while: (200k context) insisting that I can configure my existing keys to work with PKINIT with and helping me for a couple of hours to try to do so — before realising that GPG keys aren't supported for this use case. Whoops.

No real bother other than some wasted time, but a bit painful and disappointing.

Now to start looking at PIV instead.

ErikJonker,
@ErikJonker@mastodon.social avatar

@rhys It's a bit like a human 🙂

chiefgyk3d, to DEFCON
@chiefgyk3d@social.chiefgyk3d.com avatar

I’m prepping for my credential rollover and setting up the new @yubico 5C NFC keys they sent me as I’m a yubico ambassador and decided to get the @defcon stickers from Keyport to style the new keys I will be swapping to as I’m deprecating USB A. Also got new Keyport covers for backups and to swap out my current ones for a different style.

chiefgyk3d,
@chiefgyk3d@social.chiefgyk3d.com avatar

I’m going to do my credential rollover once @protonprivacy gets their desktop version of Proton Pass for Linux. Then instead of importing from KeePassXC I’m just generating all new credentials, setting up the new Yubikeys, and probably just roll new TOTP seed keys for the ones left.

This way I can kill off the passwords in my phone and current password manager in one fell swoop. I’m hoping to take local backups of Proton Pass as well in case of emergency

ctietze, to random
@ctietze@mastodon.social avatar

Listening to a #passwordless talk at a local meetup.

#YubiKey sounds like a cool thing to have for this for device-bound passkeys.

But:

How does YubiKey earn one’s trust?

With everything home-cooked one knows who's responsible for damage. With a 3rd party, you're still to blame for trusting the wrong company :/

mafe,
@mafe@layer8.space avatar

@ctietze IMHO they don't. Although the certificate stored in the device looks safe enough, they have awesome support for Linux and Intel-based Macs (guess the issues with M2 are being worked on), and it's a pretty good idea to store your password store access key outside the machine it's running on, I'm always afraid that some day the thing just stops working and I'm locked out of everything.

That's why I do like but don't trust them.

ctietze,
@ctietze@mastodon.social avatar

@mafe I’d be worried about data loss, corruption/bit rot but also that it actually securely does what it says. It’s so opaque it seems

c0dec0dec0de, to random
@c0dec0dec0de@hachyderm.io avatar

Alright, where on fedi is the nerd who uses a to unlock and start their car? (And do they have a sweet blog about their nerd-mobile?)

c0dec0dec0de,
@c0dec0dec0de@hachyderm.io avatar

Nerd here obviously used with camaraderie and affection.

scy, to random
@scy@chaos.social avatar

"A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator."

https://www.yubico.com/support/security-advisories/ysa-2024-01/

Note that this affects Windows only.

schenklklopfer, to microsoft (translated from German)
@schenklklopfer@chaos.social avatar

Does anyone know a tweak for how I can get around the security measures the company imposes on my account?

They're too insecure for me.

I want to use my and not this Microsoft malware called "Microsoft Authenticator".

chiefgyk3d, to infosec
@chiefgyk3d@social.chiefgyk3d.com avatar

I find it really stupid Coinbase only allowed me to input 5 FIDO/U2F keys. That doesn't even cover half the total FIDO/U2F hardware keys in my arsenal. Not including the capability that Ledger and Trezor have to be a FIDO/U2F key themselves.

chiefgyk3d, to Cybersecurity
@chiefgyk3d@social.chiefgyk3d.com avatar

Big thank you to @yubico they are sending me two new Yubikey 5C NFC keys as I am no longer needing the Yubikey 5Ci as I no longer use lightning connections since I got an iPhone 15.

Yubico has been my longest running partner since I have been creating content. Thank you for the support over all these years and the many keys you have provided me.

scy, to random
@scy@chaos.social avatar

In theory you can gpg-connect-agent 'scd random 16' /bye to get 16 bytes of good randomness from your .

In practice you'll have to cut off the D[space] at the beginning, the [newline]OK[newline] at the end, and then find a way to remove URL-style percent encoding from the result (because some control characters and percent symbols will be encoded) … which is surprisingly hard to do on the command line without installing additional stuff or calling out to Python/Perl/Ruby/etc.
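
A decoder for that response using nothing beyond POSIX sed, tr, od, awk and printf, as an added example (not part of scy's post). It assumes the Assuan wire format that gpg-connect-agent prints: zero or more "D <payload>" lines followed by "OK" (or "ERR ..."), with '%', CR and LF in the payload escaped as %25, %0D, %0A and every other byte, including NUL and bytes at or above 0x80, sent raw. Because raw bytes can appear, the payload is pulled through od(1) and handled as hex tokens instead of text; any %XX sequence is decoded, so the code does not depend on exactly which bytes the agent chooses to escape. The sample responses in the test are constructed, not captured from a card.

```shell
#!/bin/sh
# Decode the Assuan response of 'gpg-connect-agent "scd random 16" /bye'
# with POSIX tools only.  Added example, not code from the original post.

assuan_decode() {
  # stdin: raw gpg-connect-agent output; stdout: the decoded payload bytes.
  # The awk program rewrites the hex token stream from od(1) as printf octal
  # escapes, collapsing "25 3x 3y" (the bytes of "%XY") into one byte 0xXY.
  fmt=$(
    LC_ALL=C
    export LC_ALL
    sed -n 's/^D //p' | tr -d '\n' | od -An -v -tx1 | awk '
      BEGIN {
        # ASCII codes (as hex) of the characters 0-9, A-F, a-f -> hex digit
        split("30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 61 62 63 64 65 66", code, " ")
        split("0 1 2 3 4 5 6 7 8 9 a b c d e f a b c d e f", dig, " ")
        for (i in code) digit[code[i]] = dig[i]
        hex = "0123456789abcdef"
      }
      { for (i = 1; i <= NF; i++) tok[++n] = $i }
      END {
        for (i = 1; i <= n; i++) {
          if (tok[i] == "25" && i + 2 <= n && (tok[i+1] in digit) && (tok[i+2] in digit)) {
            pair = digit[tok[i+1]] digit[tok[i+2]]   # percent escape %XY
            i += 2
          } else {
            pair = tok[i]                            # raw byte
          }
          v = (index(hex, substr(pair, 1, 1)) - 1) * 16 + index(hex, substr(pair, 2, 1)) - 1
          out = out sprintf("\\%03o", v)
        }
        printf "%s", out
      }'
  )
  # $fmt consists only of \ooo escapes, so it is safe to use as a printf format
  # and printf turns it back into raw bytes (including NUL).
  printf "$fmt"
}

# Fetch N random bytes (default 16) from the card via gpg-agent/scdaemon and
# print them hex-encoded.  Requires a running gpg-agent with a card present;
# it is not exercised by the test below.
card_random_hex() {
  gpg-connect-agent "scd random ${1:-16}" /bye | assuan_decode | od -An -v -tx1 | tr -d ' \n'
  echo
}
```

Typical use is `card_random_hex 16` (or `card_random_hex 32 | xxd -r -p > seed.bin` if xxd happens to be available). An ERR response carries no D line, so assuan_decode simply produces no output in that case; check for an empty result before using the bytes.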

scy, to random
@scy@chaos.social avatar

If you own a modern , you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.

What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.

If you lose that lock code, you can't change the setting anymore, ever.

If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬

glowl,
@glowl@chaos.social avatar

@scy but then they can not blackmail you on it.

lasagne,
@lasagne@chaos.social avatar

@scy
You can set that setting from NFC fyi

I am mad that using it for macos unlock essentially ruins your piv slots' other usages because the mac thing sets your pins in shitty ways. Adminpin==Userpin. Userpin then replaces login password. No flags for touch requirement or no pin, pin once requirement.

scy, to random
@scy@chaos.social avatar

TIL: The 5 supports setting a PIN for additional security – but only the FIPS models, not the normal ones, and only in FIPS Level 1; in Level 2 U2F is forbidden entirely and only FIDO2 can be used.
