Silk Road forums
Support => Feature requests => Topic started by: chronicpain on September 08, 2011, 12:57 am
-
Why not? Granted, it would cost a little bit of money, but the security and peace of mind is well worth the 25 bucks that a YubiKey costs. I know that they can make the YubiKey work with multiple sites, etc. Mt. Gox's key will only work with Mt. Gox.
But this would solve the phishing issues. I, for one, am in love with the YubiKey.. I think every site that is concerned with security needs to have one... Plus, I don't think it's that difficult to implement..
-
+1
-
I love the YubiKey! But it does have limitations. I think it's 65,000 times of logging in or out, then it's dead. Something like that. I forget the real number. It may be much higher. The point is that on Mt. Gox, sure, I will never EVER reach that limit. I'd lose it first. But here on the forums and SR, I might reach that limit.
-
Just use the YubiKey for when you are transferring money.. 65000 xfers is a ton of transfers; if you're doing that many you can afford to buy another one, lol..
We don't need the YubiKey to log in. Just to do important stuff, like money transfers.. Since that is the issue here..
Also, the 65k limit is how many times it is inserted. So, if you leave it in your computer all day and use it multiple times, that counts as only 1 out of the 65k.. Still, if you use it 10 times a day, that key will work for like 18 years.. So, as long as you keep it plugged into the computer it only counts as one key and that will extend its life..
-
Yes, but the device would need to be sent to your (buyer/vendor) address; that may be a problem.
Is there any way to provide some file that you would upload to an ordinary USB drive?
-
That's true, but if SR uses the basic system that most people use, you can buy it from Yubikey. It won't tie any key to anyone. Yubikey has over 1 million users. I think it would be next to impossible, if not totally impossible, to track a buyer from Yubikey to someone here...
I mean, if I go buy a YubiKey right now it can be used at many different sites (using 2 factors). As long as SR doesn't make it so we have to buy the key from them, it shouldn't matter.
Mt. Gox made their key so you have to buy it from them and it only works on their site. If you get a regular YubiKey from Yubico (which I'm going to do now) it can be used with TrueCrypt. That would be nice, to not have to remember the passphrase and just touch a YubiKey...
-
I agree, but the solution to that can be way simpler.
Each member gets a TAN or Transaction Code Table that must be used to make transactions.
The system asks you to enter the A3 section code from that table, and that is it.
-
The YubiKey needs to be physically touched to generate a new password. This helps prevent phishing. I think you should go to their site, it's clearnet: www.yubico.com, and check them out... I think the YubiKey is ingenious...
Granted, I'm not all that technical, so I don't know all the drawbacks, but from what I have read there aren't that many at all..
-
I hear you CP, I'll check it.
It's a great idea for security.
Still, to exclude shipping any device to anybody, that can be sorted like I have said.
So, for all who do not understand how TAN is working:
Each member receives a unique table that has columns 1-7 and rows A-G. Each cell has a 5 digit code, e.g. (H673JC). That table would be sent encrypted with your PGP.
For each transaction, withdrawal or send to another user, the SR system will ask you to input a cell code, for example H6, to validate the transaction. Without the correct code no transaction can be made, even if somebody were able to log in to the SR account.
If we can buy (we can) a YubiKey where SR can provide software that we can upload, that will also be great, but it may be problematic with the distribution of the file that we must upload to the YubiKey.
An additional layer of security that could be implemented very easily is a PIN like LR has.
For changing settings/password and for transactions, every user has to input a 4 digit PIN.
That PIN would be sent from the SR admin by PM, encrypted with your PGP key.
-
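An added example (not code from the thread or from any SR system) of the TAN table and PIN scheme described in the two posts above: a 7x7 grid of single-use codes, a challenge for a server-chosen cell on every transaction, and a 4-digit PIN. Assumptions made here: codes are six characters long, matching the sample H673JC rather than the "5 digit" wording; cell names follow the stated rows A-G and columns 1-7 (so A3 is a valid cell and H6 would not be); the table and PIN are generated server-side, with PGP delivery left to the admin as the posts describe. The alphabet and the burn-on-failure policy are design choices of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

const (
	tanRows     = "ABCDEFG" // rows A-G, as in the post
	tanCols     = 7         // columns 1-7, as in the post
	tanCodeLen  = 6         // the post's sample H673JC has six characters (assumption)
	tanAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789" // 32 symbols, no 0/O/1/I to avoid misreads
)

// TANTable is what the member receives (PGP-encrypted, per the post) and what
// the server keeps. Every cell is single-use; the 4-digit PIN is the extra layer.
type TANTable struct {
	Cells   map[string]string // "A3" -> "H673JC"
	used    map[string]bool
	pin     string
	pending string // cell the server last asked for; empty when no challenge is open
}

// randomCode draws a code from tanAlphabet using crypto/rand.
func randomCode(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i, b := range buf {
		buf[i] = tanAlphabet[b&31] // 32 symbols divide 256 evenly, so masking is unbiased
	}
	return string(buf), nil
}

// NewTANTable fills the 7x7 grid with fresh codes and attaches the PIN.
func NewTANTable(pin string) (*TANTable, error) {
	if len(pin) != 4 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be exactly 4 digits")
	}
	t := &TANTable{Cells: map[string]string{}, used: map[string]bool{}, pin: pin}
	for _, r := range tanRows {
		for c := 1; c <= tanCols; c++ {
			code, err := randomCode(tanCodeLen)
			if err != nil {
				return nil, err
			}
			t.Cells[fmt.Sprintf("%c%d", r, c)] = code
		}
	}
	return t, nil
}

// Remaining reports unused cells; at 0 the admin has to issue a new table.
func (t *TANTable) Remaining() int { return len(t.Cells) - len(t.used) }

// Challenge picks an unused cell at random. The server, not the user, chooses
// the cell, so someone holding a copy of one code cannot pick that cell.
func (t *TANTable) Challenge() (string, error) {
	var free []string
	for cell := range t.Cells {
		if !t.used[cell] {
			free = append(free, cell)
		}
	}
	if len(free) == 0 {
		return "", errors.New("table exhausted: issue a new one")
	}
	idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(free))))
	if err != nil {
		return "", err
	}
	t.pending = free[idx.Int64()]
	return t.pending, nil
}

// Authorize checks PIN and cell code in constant time. Any attempt, right or
// wrong, burns the challenged cell and closes the challenge (one guess per cell).
func (t *TANTable) Authorize(cell, code, pin string) error {
	if t.pending == "" || cell != t.pending {
		return errors.New("no open challenge for that cell")
	}
	t.used[cell], t.pending = true, ""
	pinOK := subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) == 1
	codeOK := subtle.ConstantTimeCompare([]byte(code), []byte(t.Cells[cell])) == 1
	if !pinOK || !codeOK {
		return errors.New("PIN or transaction code rejected")
	}
	return nil
}

func main() {
	tab, err := NewTANTable("4821") // constructed PIN for the demo
	if err != nil {
		panic(err)
	}
	cell, _ := tab.Challenge()
	fmt.Printf("cell %s, first answer: %v\n", cell, tab.Authorize(cell, tab.Cells[cell], "4821"))
	fmt.Printf("cell %s, reused: %v (%d cells left)\n", cell, tab.Authorize(cell, tab.Cells[cell], "4821"), tab.Remaining())
}
```

Burning the cell on a failed attempt trades a little usability for making each cell a one-shot guess. With 49 cells a member needs a fresh table after at most 49 transactions, which is the main operational cost of this scheme compared with a hardware key.
-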
I think your last statement, mseller, is totally viable. Look at Mt. Gox: they bypassed Yubico altogether. In fact, for 500 bucks, you can buy one of their own USB things that can authenticate keys.
A lot of the technical stuff is way over my head, but after reading their site, I think it would be quite feasible and easy to implement the YubiKey here at SR. SR wouldn't even have to make it mandatory, just if you want to use 2 factor identification. If they wanted to be like Mt. Gox and control everything, they could, but I think it would be best if we could just purchase the YubiKey from Yubico so as to protect our identity.
I think it would just add one more layer of much needed security...
-
Why not? Granted, it would cost a little bit of money, but the security and peace of mind is well worth the 25 bucks that a YubiKey costs. I know that they can make the YubiKey work with multiple sites, etc. Mt. Gox's key will only work with Mt. Gox.
This. SR can easily set up their own YubiKey authentication server; users can buy the keys directly from Yubico and link the keys with their SR accounts themselves. There's no need for SR admins to get involved with shipping.
-
...65,000 times of what? Logging? Logging of what?
-
...65,000 times of what? Logging? Logging of what?
Logging in. The usage counter has a max value of 0x7FFF = 32,767. So if you connect it 5 times a day, 365 days a year, it gives you 18 years of usage.
-
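A minimal self-hosted validator for the YubiKey OTP format, added here as an illustration (not code from the thread, from Yubico, or from any SR system). It ties together three points made above: the key has to be touched because every press emits a fresh 44-character token; the 0x7FFF limit is the 15-bit usage counter that advances once per insertion, while a separate session counter counts presses within one insertion (so leaving the key plugged in does not eat into the limit); and a server that holds the per-key AES secret and the last accepted counters can reject a phished or replayed token outright. The token layout (6-byte private uid, 16-bit usage counter, 24-bit timestamp, 8-bit session counter, 16-bit random, 16-bit CRC, AES-128 encrypted, typed in modhex) follows Yubico's published OTP format; the public ID, AES key, private uid and timestamp values are constructed for the demo, and MintOTP stands in for the hardware.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// modhex: the keyboard-layout-independent alphabet a YubiKey types.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16: reflected CRC-16 (poly 0x8408, init 0xffff); an intact 16-byte token leaves residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1))
		}
	}
	return crc
}

// Key is what the validation server stores for one enrolled YubiKey.
type Key struct {
	AESKey   [16]byte
	UID      [6]byte // private identity, only ever seen encrypted
	LastUse  uint16  // usage counter: +1 per insertion, 15 bits used (max 0x7FFF)
	LastSess uint8   // session counter: +1 per button press, reset on insertion
}

type Server map[string]*Key // modhex public ID -> enrolled key

// Validate decrypts the OTP, checks CRC and uid, then requires the (usage, session)
// counter pair to exceed the last accepted one, so a captured OTP cannot be replayed.
func (s Server) Validate(otp string) error {
	if len(otp) != 44 {
		return errors.New("OTP must be 44 modhex characters")
	}
	k, ok := s[otp[:12]]
	if !ok {
		return errors.New("unknown public ID")
	}
	ct := make([]byte, 16)
	for i, c := range []byte(otp[12:]) {
		v := strings.IndexByte(modhex, c)
		if v < 0 {
			return errors.New("invalid modhex character")
		}
		ct[i/2] = ct[i/2]<<4 | byte(v)
	}
	block, _ := aes.NewCipher(k.AESKey[:]) // 16-byte key, so NewCipher cannot fail
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // a single AES-128 block, no mode needed
	if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(k.UID[:]) {
		return errors.New("corrupted OTP, wrong AES key, or uid mismatch")
	}
	use, sess := binary.LittleEndian.Uint16(pt[6:8])&0x7fff, pt[11]
	if use < k.LastUse || (use == k.LastUse && sess <= k.LastSess) {
		return errors.New("replayed or stale OTP")
	}
	k.LastUse, k.LastSess = use, sess
	return nil
}

// MintOTP builds a token as the device firmware would (constructed timestamp), for testing without hardware.
func MintOTP(publicID string, k *Key, useCtr uint16, sessCtr uint8, rnd uint16) string {
	pt := make([]byte, 16)
	copy(pt[:6], k.UID[:])
	binary.LittleEndian.PutUint16(pt[6:8], useCtr)
	binary.LittleEndian.PutUint16(pt[8:10], 0x1234) // timestamp low 16 bits
	pt[10], pt[11] = 0x56, sessCtr                  // timestamp high 8 bits, session counter
	binary.LittleEndian.PutUint16(pt[12:14], rnd)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(k.AESKey[:])
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return publicID + modhexEncode(ct)
}

func main() {
	// Constructed enrollment: made-up public ID, AES key and private uid.
	pub, k := "ccccccbcdefg", &Key{AESKey: [16]byte{0xde, 0xad, 0xbe, 0xef, 1}, UID: [6]byte{0x8a, 1, 2, 3, 4, 5}}
	s := Server{pub: k}
	otps := []string{MintOTP(pub, k, 1, 0, 0xabcd), MintOTP(pub, k, 1, 0, 0xabcd), MintOTP(pub, k, 1, 1, 0x0101)}
	for _, otp := range otps { // the second entry is a replay of the first and must fail
		fmt.Println(otp[:12], "->", s.Validate(otp))
	}
}
```

The server never needs the key shipped to it: the user buys the key, and enrollment is just telling the server the public ID and AES secret. A phishing page that captures one token gains nothing once the genuine token has reached the server, because the counter pair it carries is already behind.
-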
...sounds like a pointless feature unless the manufacturer intentionally wanted it to have a limited life-span....I haven't read up on the YubiKey...don't know when I last heard of this being an issue with a security device....
-
...sounds like a pointless feature unless the manufacturer intentionally wanted it to have a limited life-span....I haven't read up on the YubiKey...don't know when I last heard of this being an issue with a security device....
All USB devices have a limited life-span, including the YubiKey. This has nothing to do with whether the YubiKey is a good security device.
-
Like all encrypted devices, there is a maximum amount of keys it can generate. The YubiKey can generate 65k different keys. You only need to use it at the max 3 or 4 times a day. That would give you many years of use. Like someone said, you would probably lose it before you used up the keys. If you get close to the max, just order a new one. They are like 25 bucks.. so 25 bucks every 10 years or so (or 20) isn't too bad.. Or, buy 2 or 3 at first, then you would be set for a lifetime...Or 2 or 3 lifetimes..
-
'ello
I'm not entirely convinced...
I spent some time looking up this product...
you need an authentication server, either an already running public server or your own Java or PHP version = more server hardware = money...ok...
why does the YubiKey password need to be unique?
the security fob needs to authenticate the user, which in turn allows him access to certain apps.
a server has x amt of known keys configured on it for x amt of apps; I couldn't care less what another YubiKey in a tiny village in China is doing with his as long as the YubiKey can be identified and is configured to access my company-specific apps.
why on God's earth would I need a unique password for every session and increment a counter which equals 1 less use of the key? and I suppose if you have problems with it the entire day: plug in, unplug, plug in....so that's 50 times = 50 sessions ?!?
I think a challenge-response type fob, that uses and generates numbers based on an algorithm, works.
I really didn't get the point of the product nor why I would need to buy it over competing products; all I got was that there WERE SPECIAL BYTES RESERVED FOR THIS, SPECIAL BYTES FOR THAT and that a unique password was entered for every session.
aside from the massive technical breakthrough of having these special bytes on a chip, it seemed to be an incredibly cheap product that had a limited shelf life and is being sold at an extremely high markup.
sounds like the people needing to buy a YubiKey should rather settle for the chip embedded in their head and be done with it,
a USB key must cost less than $1 to manufacture.
:(
-
'ello
I'm not entirely convinced...
I spent some time looking up this product...
you need an authentication server, either an already running public server or your own Java or PHP version = more server hardware = money...ok...
why does the YubiKey password need to be unique?
the security fob needs to authenticate the user, which in turn allows him access to certain apps.
a server has x amt of known keys configured on it for x amt of apps; I couldn't care less what another YubiKey in a tiny village in China is doing with his as long as the YubiKey can be identified and is configured to access my company-specific apps.
why on God's earth would I need a unique password for every session and increment a counter which equals 1 less use of the key? and I suppose if you have problems with it the entire day: plug in, unplug, plug in....so that's 50 times = 50 sessions ?!?
it increments a value by 1, and in the end it can't generate more than 65536 / 65k unique keys. Answer: don't try to generate a purely unique key; generate a value that is unique for the installation or the session. The purpose is to verify the user for the moment, not what a YubiKey did last week and the unique key OR password it generated then.
I think a challenge-response type fob, that uses and generates numbers based on an algorithm, works.
I really didn't get the point of the product nor why I would need to buy it over competing products; all I got was that there WERE SPECIAL BYTES RESERVED FOR THIS, SPECIAL BYTES FOR THAT and that a unique password was entered for every session.
also know it's a USB device with a button on it...
aside from the massive technical breakthrough of having these special bytes on a chip, it seemed to be an incredibly cheap product that had a limited shelf life and is being sold at an extremely high markup.
I am not looking for a single key that verifies me for every single app I use, including internet and SR at the same time; the people needing this should rather settle for the chip embedded in their head and be done with it,
from experience with every and any fingerprint / hardware security fob ever designed: how well will it work with all the apps it claims to cover, how many vendors will take it up, how many will get it right, would they be comfortable with having to look up / auth the security with a common server.
:(