nanog mailing list archives

Re: South Africa On Lockdown - Coronavirus - Update!


From: Michael Loftis <mloftis () wgops com>
Date: Mon, 23 Mar 2020 20:32:32 -0600

On Mon, Mar 23, 2020 at 19:25 Owen DeLong <owen () delong com> wrote:


> I confess I haven’t investigated the implementation details, but is it
> possible for one to issue YubiKeys
> to an employee in a secure way with those features disabled?


Yes. And changing that setup either requires a separate admin PIN or wiping
the associated private key data to reconfigure. It depends on which
application/mode. FIDO, I believe, is most inflexible here as it can only be
short touch to activate.

I don’t use the HID keyboard mode OTP keying app/feature so I’m not
terribly familiar with that. It might be that it can be configured
such that N in X seconds or a replug is required (to circumvent the timer),
but I really do not know. If people are really curious I can grab a spare
key and check. I use the CCID/smart card type modes. I do know that the
touch OTP key feature requires wiping the associated private key data, or
having it available to reprogram and change options. They’re a shared
secret mode, so the YubiKey authentication server has those private keys.


> It’s the allowing the employee to make a poor choice not necessarily
> desired by the employer thing
> that seems to me is the issue in this case.



>>> I agree that this abuse of the YubiKey is more an issue of implementation
>>> than the inherent nature of the
>>> YubiKey, but the YubiKey does allow this kind of abuse in ways that other
>>> tokens don’t facilitate.


>> That's like saying that cars are worse than bicycles, because cars
>> allow you to drive into things at a more dangerous speed. I mean, yes,
>> but ….


> Cars are more dangerous than bicycles, but everything is a matter of
> balancing tradeoffs.
>
> In this case, I’m not sure the YubiKey offers anything over the SecurID to
> balance that increased
> hazard.
>
> Owen


--

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
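The point above that the touch-triggered OTP mode is a shared-secret scheme, where the validation server holds the same AES key the key was programmed with, is easier to see in code. The following is an added example written for this archive page, not code posted by either participant or by Yubico. It models both sides of a Yubico OTP exchange: the key side assembles the 16-byte payload (field layout and names follow libyubikey's yubikey_token_st), appends the CRC, AES-128 encrypts it under the shared key and emits it as ModHex; the server side decrypts with that same key, checks the CRC residue and private ID, and rejects replays by requiring the (use counter, session counter) pair to increase. The Validator/record types, the Register/Validate names and the enrolment values are constructed for illustration; the 0x7fff mask on the use counter reflects the device reserving bit 15 as a flag.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// ModHex alphabet: Yubico OTP types these 16 keycodes because they land on the same
// scan codes on almost every keyboard layout when the key acts as a USB HID keyboard.
const modhexAlphabet = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhexAlphabet[c>>4])
		sb.WriteByte(modhexAlphabet[c&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("modhex: odd length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhexAlphabet, s[i])
		if v < 0 {
			return nil, fmt.Errorf("modhex: invalid character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 is the reflected CRC-16 (poly 0x8408, init 0xffff, no final XOR) used by the token.
// The key stores the complement of the CRC over the first 14 bytes, so the CRC over all
// 16 decrypted bytes of an intact token is the constant residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 {
				crc = crc>>1 ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

const crcResidue = 0xf0b8

// Token is the decrypted 16-byte payload (layout per libyubikey's yubikey_token_st).
type Token struct {
	PrivateID  [6]byte // secret per-key identifier, checked against the server's record
	UseCtr     uint16  // non-volatile counter, +1 per power-up (bit 15 is a device flag)
	Timestamp  uint32  // 24-bit counter ticking at roughly 8 Hz since power-up
	SessionCtr uint8   // volatile counter, +1 per touch within a session
	Rnd        uint16  // pseudo-random filler
}

// generateOTP plays the YubiKey: build the payload, append ~CRC, encrypt the single
// AES-128 block with the shared key, emit modhex(publicID) || modhex(ciphertext).
func generateOTP(key, publicID []byte, tok Token) (string, error) {
	pt := make([]byte, 16)
	copy(pt[0:6], tok.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], tok.UseCtr)
	pt[8], pt[9], pt[10] = byte(tok.Timestamp), byte(tok.Timestamp>>8), byte(tok.Timestamp>>16)
	pt[11] = tok.SessionCtr
	binary.LittleEndian.PutUint16(pt[12:14], tok.Rnd)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, 16)
	block.Encrypt(ct, pt) // exactly one block, so this is the whole "ECB" operation
	return modhexEncode(publicID) + modhexEncode(ct), nil
}

// record is what the validation server must hold per enrolled key. The AES key is the
// shared secret the thread refers to: whoever holds it can mint valid OTPs for this key.
type record struct {
	key       []byte
	privateID [6]byte
	highWater uint32 // UseCtr<<8 | SessionCtr of the last accepted OTP
	seen      bool
}

// Validator is the constructed server side of this example.
type Validator struct{ keys map[string]*record }

func NewValidator() *Validator { return &Validator{keys: map[string]*record{}} }

func (v *Validator) Register(publicID string, key []byte, privateID [6]byte) {
	v.keys[publicID] = &record{key: key, privateID: privateID}
}

// Validate plays the server: decrypt under the enrolled key, check CRC residue and
// private ID, require strictly increasing counters, then advance the high-water mark.
func (v *Validator) Validate(otp string) (*Token, error) {
	if len(otp) < 34 { // at least one public-ID byte plus the 32-character token
		return nil, errors.New("otp too short")
	}
	pub, body := otp[:len(otp)-32], otp[len(otp)-32:]
	rec, ok := v.keys[pub]
	if !ok {
		return nil, fmt.Errorf("unknown public ID %q", pub)
	}
	ct, err := modhexDecode(body)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(rec.key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != crcResidue {
		return nil, errors.New("crc residue mismatch (wrong key or corrupted token)")
	}
	var tok Token
	copy(tok.PrivateID[:], pt[0:6])
	tok.UseCtr = binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff
	tok.Timestamp = uint32(pt[8]) | uint32(pt[9])<<8 | uint32(pt[10])<<16
	tok.SessionCtr = pt[11]
	tok.Rnd = binary.LittleEndian.Uint16(pt[12:14])
	if tok.PrivateID != rec.privateID {
		return nil, errors.New("private ID mismatch")
	}
	ctr := uint32(tok.UseCtr)<<8 | uint32(tok.SessionCtr)
	if rec.seen && ctr <= rec.highWater {
		return nil, fmt.Errorf("replay: counter %#x not above high-water %#x", ctr, rec.highWater)
	}
	rec.highWater, rec.seen = ctr, true
	return &tok, nil
}

func main() {
	// Constructed enrolment data; real keys are programmed with random values.
	key := []byte("sixteen-byte-key")
	pub := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06}
	priv := [6]byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
	v := NewValidator()
	v.Register(modhexEncode(pub), key, priv)
	otp, _ := generateOTP(key, pub, Token{PrivateID: priv, UseCtr: 7, SessionCtr: 1, Timestamp: 0x0a0b0c, Rnd: 0x1234})
	fmt.Println("OTP as typed by the key:", otp)
	if tok, err := v.Validate(otp); err == nil {
		fmt.Printf("accepted: use=%d session=%d\n", tok.UseCtr, tok.SessionCtr)
	}
	_, err := v.Validate(otp) // the same keystroke string presented twice
	fmt.Println("second presentation:", err)
}
```

The design consequence is the one raised in the thread: because validation is AES decryption under the enrolled key, the server (or a hosted validation service) necessarily holds every key's secret, and the counters are what stop a captured string from being reused. A FIDO or smart-card mode, by contrast, keeps a private key on the device and the verifier only needs the public half.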
