Open main menu

CDOT Wiki β

Yubikey Proposal

Yubikey is a two factor authentication mechanism that uses USB dongles to provide an encrypted password that is then decrypted by the machine and checked against an database on a server.

Pros/Cons

  • PROS
    • No drivers required
    • Two factor authentication is more secure
    • Easy integration
    • Cross Platform
    • Flexible, can be tied into many existing systems
    • Open source server implementation
    • Cheap to implement
    • Multiple Authentication options
    • Resistance to keyloggers
  • Cons
    • Requires Additional Infrastructure
    • Authentication server can be imitated
    • Does not offer real data security in case of machine theft
    • Physical object (Can be stolen/lost)
    • Additional administration and tracking required to distribute dongles

Considerations

Best used in conjunction with other technology, eg: Full disk encryption, kerberos Can be programmed to use a one time password mechanism or a reusable password that is concatenated to the end of a typed in password

Both require the yubikey to log in, the latter being easier to configure but the former being more secure

Conclusions

Adding yubikey authentication to our existing infrastructure does increase authentication security, however it does little for physical security of machines. It's cross-platform nature makes it simple to integrate in our existing Windows, Mac and Linux computers and servers.