2

I think to get a Yubikey and read that Keepass with OTP makes no sense No. Security remains the same + extra cognitive overhead.

I try to store all data local and use seldom cloud based services.

If I have a very bad SecOp and keep the dongle always plugged in the MacBook (or on the same table), does that dongle add a security benefit?

My thread model are remote attacks. If there is a security benefit, what Yubikey configuration I need to implement, to profit from improved security?

Sybil
  • 1,445
  • 2
  • 15
  • 31

4 Answers4

3

Yes, it adds a security benefit for remote attacks. Just assume you type your password into a chat window instead of in the password box on a website. Using 2FA, nobody in the chat can login into your account, even when your YubiKey is connected to your Macbook.

You may be a bit more at risk when the Yubikey types your TOPT into the same chat, but with a little bit of luck it will expire before someone realizes what it is and where to login with it. And leaking one TOTP does not leak the master key needed to generate the next one.

allo
  • 3,315
  • 11
  • 24
2

What does the Yubikey add

The Yubikey acts as a secured environment, where the OTP secret can be stored. As the Yubikey is always connected, if you force touch for codes (default for Yubikey codes, and an option for TOTP codes) then an attacker can only login to services at the same time that you do, which will mean one login will fail, as OTP codes should be one use only.

jrtapsell
  • 3,179
  • 15
  • 30
2

Some answers got a tiny detail wrong:

  • The Yubikey does not per se follow the TOTP algorithm as defined in RFC6238. The yubikey comes mith an AES based OTP algorithm. You can initialize the yubikey to follow the HOTP (RFC4226) algorithm (event based). This is because TOTP needs the time - a clock which the yubikey does not have. However, you can do challenge response with the yubikey and this facitlitating an additional client software do TOTP.

But the Yubikey 4 is also a full blown smartcard. Thus you can create an assymmetric key pair on the yubikey. You can use this smartcard functionality to protect (encrypt!) data in the right way. The software would encrypt the symmetric data encryption key with the public key, that was generated on the yubikey. You (or an attacker) could only decrypt the data encryption key and thus the data using the private key, that was created on the yubikey and that can not be exported from the yubikey. This is the most sensible way to implement a still state of the art 2FA encryption protection.

I do not know, if keepass supports smartcards/PGP/PKCS11.

cornelinux
  • 2,023
  • 8
  • 11
0

No, the attacker has to have physical access to the device in order to use the Yubikey's functions. It is therefore advised to use the Yubikey as 2FA to even eliminate threats in close proximity.

  • can you provide technical details? As far asI understand it does not help for drive-by download maleware? – Sybil May 28 '18 at 10:12