If you own a modern #YubiKey, you might know that you can use the YubiKey... - Random

scy, 1 month ago

If you own a modern #YubiKey, you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.

What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.

If you lose that lock code, you can't change the setting anymore, ever.

If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Image

Image alternative text

scy, 1 month ago

On the other hand, people with physical access to your YubiKey can lock you out anyway by just snapping it in half 🤷‍♂️

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

scy, 1 month ago

Okay, slightly more problematic scenario: Malware bricking your #YubiKey this way, forcing you to reset your #2FA setup to something less secure.

But if you already have malware on your machine, it probably has other ways to prevent you from using your YubiKey, too.

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

lasagne, 1 month ago

@scy
You can set that setting from NFC fyi

I am mad that using it for macos unlock essentially ruins your piv slots' other usages because the mac thing sets your pins in shitty ways. Adminpin==Userpin. Userpin then replaces login password. No flags for touch requirement or no pin, pin once requirement.

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

glowl, 1 month ago

@scy but then they can not blackmail you on it.

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Add comment