Question

I've just picked up a YubiKey.

However, the demo Yubico redirects you to is served over plain HTTP, over which each OTP you generate during the demo is POSTed, enabling you to verify that your key is working properly. The first group of characters of each OTP is a static public identifier of the key.

As services such as LastPass use the static identifier in order to encrypt your password vault for offline use, is it a good choice for LastPass to use the public identifier, since Yubico treats this as public knowledge?

Explanation / Answer

No, this is insecure, as the public identity is not considered a secret. This is backed up by the fact that Yubico sends the identifier over HTTP. If this is known to be used for a LastPass account, a MITM could capture the extra offline encryption key as used by LastPass.

Although there is a chance that it has been leaked over the internet, as the master password is also required to unlock the local password vault, the risk is low.

The YubiKey Personalization Tool can be used to configure a new public identity in the case that it has been leaked.
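An added example (not part of the question or answer above) showing why the first group of characters is public: the leading 12 modhex characters of every OTP decode to the key's static public ID and repeat across presses, while only the trailing 32 characters (the encrypted token) change. The sample OTPs are constructed for the demonstration, not taken from a real key; the 12-character public ID length is the standard YubiKey OTP layout.

```python
# Added example: split YubiKey OTPs into the static public ID and the per-press
# encrypted token, and show that the public ID is constant for one key.
MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent alphabet
HEX = "0123456789abcdef"
_MODHEX_TO_HEX = str.maketrans(MODHEX, HEX)

PUBLIC_ID_LEN = 12   # modhex chars = 6 bytes; static per key, not a secret
TOKEN_LEN = 32       # modhex chars = 16-byte AES block; changes every press


def modhex_to_bytes(s: str) -> bytes:
    """Decode a modhex string to raw bytes (raises on non-modhex input)."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a valid modhex string")
    return bytes.fromhex(s.translate(_MODHEX_TO_HEX))


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, encrypted_token) for a standard 44-char OTP."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN:
        raise ValueError(f"expected {PUBLIC_ID_LEN + TOKEN_LEN} chars, got {len(otp)}")
    public_id, token = otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]
    modhex_to_bytes(public_id)   # validate both halves
    modhex_to_bytes(token)
    return public_id, token


def public_ids(otps) -> set[str]:
    """Distinct public IDs seen in a batch of OTPs (what a passive observer learns)."""
    return {split_otp(o)[0] for o in otps}


# Constructed sample OTPs (hypothetical, not from a real key). The first two come
# from "one key": same public ID, different encrypted tokens. The third is another key.
SAMPLE_OTPS = [
    "cccccbcdefgh" + "dvcifhklrtuvcbdefgjinrtuvcbdefgh",
    "cccccbcdefgh" + "ingfhlkrtuvcbdefgjnrtuvcbdefghij",
    "ccccccdhrtuv" + "fgjklnrtuvcbdefghijklnrtuvcbdefg",
]

if __name__ == "__main__":
    for otp in SAMPLE_OTPS:
        pid, tok = split_otp(otp)
        print(f"public id {pid} ({modhex_to_bytes(pid).hex()})  token {tok}")
    print("distinct public IDs observed:", sorted(public_ids(SAMPLE_OTPS)))
```

Anyone who sees the demo's HTTP POSTs gets exactly the `public_ids` set, which is why a value derived only from the public ID adds no secrecy beyond the master password.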
