Image of the glider from the Game of Life by John Conway
Skip to content

Two Weeks With The Yubikey

It's now been a full two weeks since I purchased my Yubikey and have been using it. The goal was to have a security token that I could use as a form of two-factor authentication for most if not all of my accounts. After two weeks of use, I figured I would write about it, and let you know my impressions.

First off, as mentioned in my previous post about the Yubikey, it sends physical keypresses to the host computer, rather than static characters. As a result, for those of us that type in the Simplified Dvorak layout, this turns out to be problematic for Yubikey authentication servers, as the server software expects certain characters from the modhex. This can be modified in the server software to account for the Dvorak layout, but it's not default.

Second is the ability to keep the key with you at all times. This actually has turned out to be a bit of a chore, as is to be expected. In the early morning, while still waking up, I might get on the computer, and check my mail, or login to a site or two. If the cookie is saved, and I'm already logged in, then no big deal. If not, and I need to login, then this means chasing down my key. Same can be said when at work, or at a friends/parents house etc. It actually has become a bit of a pain to make sure that they key is always on my person, and that there is a convenient USB port to plug the key into.

Third, and this is the most frustrating of all, is that many authentication forms on sites have limitations on their password lengths or valid characters. My bank, for example, has a limit of 12 characters max. This is too short for the Yubikey, even for static passwords. Yet, Google does not have an upper limit. So, while my BANK PASSWORD IS 12 CHARACTERS, my Google password is 82. FUrther, Google supports two factor authentication with my phone, while my bank does not. Is it just me, or is it a tad silly that my Google account is more secure than my bank? It should be the other way around, IMO. And this isn't just unique with my bank. My mobile service provider, the university, and many other sites.

As a result, because every site is different on what they will allow for passwords, not only do I need to remember the location of the password on my passord card, but I also need to remember whether or not I can use my Yubikey static password, and which one to use (I've programmed both slots differently). It's all over the place, and it is REALLY frustrating. I've begun sending emails to webmasters to let them know why the limitations they are imposing on their login forms is not doing anything for security.

Obviously, the easy way out is to have the same password for all my accounts, and not use any physical authentication tokens. Just keep it in my head, never change it, and everything will be grand. That's the lazy way of handling passwords. The way I am managing my passwords is a lot of work. I won't lie. I frequently forget which password is for what account, so I've begun keeping them in an encrypted database with KeePass. I copy and paste out of that more often than not. It's a chore always pulling out my Yubikey when needed, and it's usually a chore finding an acceptable USB slot to stick it into that is within reach to easily touch it.

Would I recommend it? Absolutely. I would just put in a word of warning that you're in for a bit of work managing your passwords.

{ 8 } Comments

  1. anonymous using Google Chrome 23.0.1271.64 on GNU/Linux 64 bits | November 10, 2012 at 10:29 pm | Permalink

    Thanks for those insights. I'm also on Dvorak (German Type II).

    "The way I am managing my passwords is a lot of work."
    I've been using pwdhash for a few years now:
    * No need to store a file anywhere
    * You only need to remember one password if you are lazy
    * Different passwords on every website

    https://www.pwdhash.com/

  2. rubiojr using Google Chrome 18.0.1025.166 on Android | November 11, 2012 at 3:22 am | Permalink

    Hey Aaron, thanks for sharing.

    I did the experiment too (because I read the first part of the article and I had a yubikey). Reached the same conclusion.

    I'm always wearing my android phone with keepassdroid, much more comfortable, always available and you can copy/paste easily and sync with the laptop database.

  3. lol using Internet Explorer 5.0 on Windows Unknown | November 11, 2012 at 8:32 am | Permalink

    Just checking whether pthree.org recognises Windows 95 and IE 5.

  4. kalos using Debian IceWeasel 17.0.1 on GNU/Linux 64 bits | December 4, 2012 at 1:55 am | Permalink

    Just use yubikey with a service like LastPass.com.
    I use both from 1 year.

  5. argo using Opera 9.80 on Windows XP | May 15, 2013 at 2:50 am | Permalink

    Hi aaron,

    the keepassdroid solution is attractive, but it depends on how you use it. Keys used to decrypt could be stolen if kept on the phone or even in the cache of the downloads and keyloggers are active on android too (actually don't know about screenloggers), so the good solution would be implementation of OTP from yubikey (or key pushing) on keepassdroid too...but again you need to keep always the phone and the yubikey always with you.
    At the moment I use keepass on my old nokia (java without fast data connection except for the classic GSM), and doubt about moving to a smartphone depends on this too.

  6. argo using Opera 9.80 on Windows XP | May 15, 2013 at 3:11 am | Permalink

    I forgot to mention passpack

    https://www.passpack.com/online/#0

    stores up to 100 passwords in the free account and supports two-factor authentication both with the yubikey or with your email. Actually I'm evaluating it even if I own much more passwords ( : solved with 2 accounts? 1 for light accounts and the other for accounts dealing with money as for your bank or paypal account? don't know).

  7. Dave using Firefox 24.0 on Windows 8 | October 18, 2013 at 3:48 pm | Permalink

    Ive used my Yubi Key for a few weeks now and Ill be honest I don't think it works well. I haven't been able to get it to work with Gmail even with they Yubi key application and the sites that have yubi integration dont seem to work OR they allow you to enter the site with your user name and password regardless of whether or not you have any level of Yubi auth enabled. It seems useless to me unless you use it with LastPass which seems to be the only reliable and working application and site that works with Yubi seamlessly.

  8. Aaron Toponce using Google Chrome 29.0.1547.57 on GNU/Linux 64 bits | October 21, 2013 at 12:01 pm | Permalink

    You can install the Yubikey server on your own instance, for all your personal stuff. And it supports Challenge/Response for anything local (workstation login, SSH keys, etc). Further, you can configure the ports to work in static password mode, which will send static strings. This is great for two-factor authentication in all password form fields.

Post a Comment

Your email is never published nor shared.

Switch to our mobile site