I'm trying to understand the advantages of having a Yubikey versus an authenticator app. It seems like anybody I talk to that knows what the Yubikey is claims it is "better" but cannot give me reasons why. Is the technology designed in a more secure manner, or is it simply the convenience of not having to open an authentication app, look for the key and type it in?

My argument is, with my authenticator app, not only do I physically need to have that device in my hands, but I also need to verify it is me by providing a fingerprint or pin credential before I gain access to my authentication codes. The Yubikey doesn't appear to have this additional layer of protection. So, anybody with my account password and access to my keyring could access my account. Yes, I understand this would need to be a targeted attack, and they would need physical access to my Yubikey in order to pull this off, but it is an attack that I don't see them being able to pull off with an authenticator app that needs authorization.

I see the Yubikey as having one less layer of security. Can someone explain to me what I am missing?

Here is a comparison on Google Auth vs Yubico Authenticator App with a Yubikey.

TL/DR: U2F will give you the best security protections, OATH on a Yubikey next up, and OATH on a phone the least security of the three (which doesn't inherently mean it is insecure).

Usability can vary depending on the device used and situation.

Google Auth Pros (or similar applications):
- You may have your phone handy more often than your keys/yubikey.
- Can store an unlimited number of credentials.
- Can be locked/unlocked with fingerprint/pin/whatever (this ends up being basically 3 factor, or 2.5 factor).

- It's basically impossible to extract the secret from the Yubico device and clone it.
- Can be used on a new device effortlessly (your phone breaks, or you get a new one, just use the Yubikey on that, or at your friend's).
- Can be moved between your own devices (a single key can be used on two phones, a phone and a desktop, whatever).
- Less likely to be damaged or stolen than a phone.

six digit pin that changes every 30 seconds) vs U2F (requires an NFC tap or plugging in to a USB port)

- Very wide support, especially compared to U2F.
- Doesn't require you to physically use a key with another device. In the case of Yubico Auth, you would have to use it with a phone (or pc), but you wouldn't have to use it with the device you're logging in to.
- You can use it on a laptop that has no accessible USB ports or has them disabled due to a company policy.
- Can be put onto multiple devices regardless of how the site you're using it on is set up.
- With TOTP - Is time limited (mostly, a person may be able to generate codes in the future if they access your device).
- With HOTP - Once you use a code, you know any previously generated codes are invalid.
- Both would be hard to compromise, but U2F is much harder.

- Is resistant to phishing and replay attacks (Google has had tens if not hundreds of thousands of employee/contractor accounts protected without a single known incident of phishing being successful).
- Has limited functionality to protect against or alert if the device is cloned.
- Can be used with a truly unlimited number of accounts.
- Has no identification on the device as to what accounts it was used with (e.g.