this post was submitted on 21 Mar 2024
111 points (98.3% liked)
Privacy
31893 readers
428 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm unfamiliar with how Yubikey works but I thought the FIDO2 protocol was designed to prevent that sort of association. Anyway it doesn't sound good. Cryptographer's saying (by Silvio Micali): "A good disguise should not reveal the person's height".
Oh yeah it clearly seems a bad idea to me, which is why I'm assuming error on my part. 100% though I took an unrelated phone, installed the yubico app, slapped my nfc yubikey up to it, and could see my accounts listed.
Oh I misunderstood what you were describing but yeah, it doesn't sound good. It sounds like the key is supposed to be an SSO credential for multiple phones? Maybe there's a way to set it up differently. You might ask their support.
I probably described it poorly.
It's nothing that exotic. I use it as MFA for a few different accounts as I assume anyone who has one does. :)
Using one easy example, I have myname@anemailprovideryouveheardof.com set up and I can clearly see "myname@anemailprovideryouveheardof.com" as a linked account on my yubikey on any device. I can't do anything with it, but I see my username in the format shown above, and the one time code counting down.
I don't actually know why I haven't gone to their support - hadn't thought about it for awhile until reading this thread, so that's a good suggestion and will do.
Yeah it would be preferable IMHO if you had to enroll a newly installed app with username and password in addition to the key.
I think y'all are talking about different things. Some sites (like google) have direct yubikey support where you plug the key into the device and what you're talking about isn't an issue
Other sites don't have direct support, but allow you to use any authenticator app which is what you're talking about with using the yubico authenticator app/key combination. Plugging it into a yubico authenticator app on any device will show the codes
Unfortunately I don't have an answer for a way to protect those other accounts. I guess the hope is that if you lose it, it can't be tied to your accounts, just the websites themselves