Old 2 Nov 2018, 06:55 AM   #12
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 616
Quote:
Originally Posted by TenFour
But doesn't having a backup via SMS and/or email defeat the purpose of the Yubikey? Can't hackers just use the backup methods too?
This is something that has concerned me a bit, too. I don't use SMS for FM but have the Duo authenticator as a second factor for use with the iOS Fastmail app, which I sometimes use. Can't use Yubikey with my iPhone 5s. So then, as you point out, if attacking Duo is easier than attacking the Yk, then that's the vector they will choose. But really, I think you only have to worry about this if you are being individually targeted by a Five Eyes-level state actor.

Does anyone know if it's possible to, say, reject anything other than Yk as second factor when accessing from a PC browser? I would be ok with that, even if it means that worst case I am locked out of my mail for a while. I have two keys, stored separately. I really only want Duo as the second factor for iPhone app access, but once I configure it, it seems to make itself available everywhere.

Anyway, at least I'm not dependent on SMS. I don't like to use SMS as a second factor, but my bank, for instance, only offers this. I have asked them to put something more secure in place, like Duo or Google Auth app, but they haven't (not surprisingly).

I too am using the Yk with Firefox post-57, so you are not limited to Chrom(ium). Works with FM on Firefox, but Facebook doesn't. I do use the Yk with Facebook as well, but have to use Chromium, because they don't support Firefox.