I think that largely misses the point of having such a key. I have one, and I'm well aware that if my laptop is stolen, so is that key. But the point of it is not to protect the laptop from the outside; that's why my drive is encrypted.

The point of that particular Yubikey is to secure passwords and authenticate to some websites, all of which requires either a PIN or more passwords, even after breaking the encryption of the drive itself.

Then there's the fact that, if you steal my laptop, you're probably looking to sell it for cash. That is to say, threat models matter. If your a journalist in a hostile country, maybe other steps should be taken. But most of us here on a site called Hacker News aren't under such threats, romantic as they may be.

Pot, kettle situation?

You are jumping around various attack scenarios to make your point. If your child steals your hardware token to shop on amazon and then put it back afterwards is a different and much more likely scenario then some targeted attack by some hacker that is prepared and breaks into your home...

Most online threads are about social engineering, where the person that is attacked actually cooperates with the attacker, AFAIK there is no safeguard against that, other than not trusting people with their own stuff.

I would worry more about someone stealing a locked laptop. If there is no password (or other kind of knowleged based protection), then they have everything they need to unlock it.

> Web passwords should go die in the same fire as SMS 2FA.

So since you limited your argument now to just Web passwords. Does that mean you agree with me that you don't think there is a good solution to replace passwords for encryption or local authentication that works offline and doesn't move the trust away from the user?

This is clearly misunderstanding the point of a hardware security key. If I can reduce the number of people that can hack you to the people who can access a single, uncloneable, physical object, is that not greatly increasing your security? It is the "Something you have" part of security.

If the Yubikey is serving as a FIDO Security Key (rather than in one of its other modes) then this is much trickier than it might look.

Suppose you find my Security Key in the street, or left behind on public transit. It has no idea who it belongs to! All it is capable of doing is proving that it's still the same Security Key as before, which it is. I use that Security Key to sign into Google, Facebook, GitHub, and a dozen more, but the Security Key itself has no memory of any of that, it's a blank slate. The Security Key works perfectly well, maybe you can eBay it, but you can't realistically break into accounts with it.

The alternative is stealing keys to order. But this involves connecting up two very different skill sets, one of which requires physical proximity. That's a tall order for everybody but nation state adversaries. If you're an Indian organised crime syndicate, hacking some IT systems in Texas is likely practical for you via the Internet, but flying a member out to Dallas to try to steal a physical object from the right person is both unduly risky (local cops might be bought off, but the cops in Dallas don't know you from Adam) and surprisingly expensive.

You could also just use a thicker cord.

The project, no offense to the author, could be renamed: long USB cable with a magnetic usb attachment.

> As of yesterday, that’s [stolen laptop] a hard attack to defend against.

Which is just wrong; the author did not invent anything here - anyone I’ve known that’s ever been worried about this scenario has implemented it already with <yubikey/access card/arbitrary usb>.

* extra PSA: if you’re worried about this but somehow haven’t already required 2FA for all your accounts and admin access on your laptop, then you should re-evaluate your threat scenarios.

Half the time I choose for TOTP authentication over Yubikey because "Oh god it's in the living room I don't want to go get it."

I do have a backup key mind, but that's USB-C instead of A. Maybe I should make another USB A backup.

The physics of someone cracking my passphrase and the physics of someone cracking my Yubikey are both in the boil the oceans amount of energy.

I'm fine not letting a usb device masquerading as a keyboard have access to my password database.

Remember: "When you lose your YubiKey or someone else gets access to it, your database is not secure anymore."

Far too many people seem to think the solution to security problems to ignore security and only consider the features you want.

This is such a bad idea that I'm starting to question the motives behind it. If I wanted to break the security of an important class of software, it would look something like this "standard".

> USB security is a joke

Most hardware security - USB or otherwise - doesn't exist. Local peripherals were never designed with security in mind.

This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.

What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...

If you have any pointers to tutorials how to do this, I'M ALL EARS. Seriously.

Not really. Encrypted data on the drive, password protection to get in should be enough. If the password implementation is top notch it essentially is a brick to anyone not in the know — time will be of no use to them.

Most of the TPM fears are about its secure booting features, about locking in a machine to a certain OS or DRM code. This isn't using those features.

> If the attacker has access to that key, then they have access to your machine.

Not necessarily true. First of all they won't have access to you machine all the time. When you turn it off they won't have access to the key. Same when you improve your firewall rules (maybe).

I get a warm feeling from knowing that when someone logged in using a specific key, then a certain piece of hardware was involved in the handshake. Not "someone logged in", but "someone logged in using this exact laptop".

> It should be noted that ssh, gpg-agent, and OpenPGP smart cards already provide the capability to store an SSH key on a removable smart card.

Previously blogged about here: http://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO

> Of course, most modern machines come with a TPM (right? correct me if I'm wrong)

Not Macs.

> very few people have an OpenPGP smart card.

Yubikey NEO can be an option, since it uses USB.

Then don't use a fool picking up USB keys from the ground to argue for this act of a security theater!

> gives people the opportunity to notice a problem

But it doesn't do that because constant nagging dulls the senses. Also, how do you expect the users to learn that he needs to be on the alert for keyboard mimics? Is there an emphasis on this in the warning?

> long-term fix is securing the USB protocol but when the deployed device count is measured in billions even a stopgap is useful.

long-term has already arrived: USB protocol is ancient. Meanwhile the gap is still there post Ventura

The question is - who are you trying to protect against?

Like, personally I'm worried about someone stealing my laptop. In that case, it's extremely unlikely the thief would have a photo of me to use to unlock the laptop. Yes my wife or my friends would have access to pictures of me in high enough resolution to print and use to unlock it - but I'm really not worried about them breaking in.

That was not my point. Most times, users of a stolen device are unaware and not complicit in the fact it was stolen in the first place. They usually have acquired it from legitimate second-hand markets.

If you take away the keys to my home I will not feel more secure, nor be more secure - I will be more ignorant about security, that's it. The same applies here.

The private keys are in the HSM, a separate device (according to the article, connected by an Ethernet cable). The laptop doesn't have access to them.

The main risk I can imagine would be a compromised laptop signing a different KSR which has extra keys, and saving it in a hidden area of the USB key, while pretending to sign the original KSR (and presenting the hashes of the original KSR to the operators).

Good idea, but...

(hypothetical helpdesk ticket) Oh crap! I knocked my coffee on my keyboard and ruined it as I was sitting down at my locked computer. I connected another keyboard, but the lock screen is not accepting my password!

Allow HID class devices to be connected when locked, and that should be OK.

I think the implication is that they (the attacker) don't have the machine, or you, or whatever "thing" you have/use to unlock it.

If someone stole your disk, or took a copy of it, they can't offline attack it.

An external hardware device seems preferable for this scenario; if someone steals/snatches your laptop, they won't have your Yubikey or whatever.

In any scenario where the wrenching is an option, I suspect all bets are off, but if wrenching is a real risk, and whatever you're protecting is worth taking a wrenching for (as opposed to just giving it up at the threat of a wrenching), there should probably be some tougher protections which make it clear that the wrenching will gain an attacker nothing, and hopefully save you from it to begin with.

I'm not sure what or how that would work.