Today my Yubikey arrived in the mail. It is a hardware token (the "something you have" factor) used for multi-factor authentication. By default it is tied into Yubico's cloud web authentication service, which lets you authenticate a device with an OTP over simple RESTful APIs. They have a number of libraries and plugins, one of which is for WordPress, allowing two-factor authentication for logging in to the blog.

For those of you who are extra paranoid, they also provide libraries to parse the OTP responses so you can host your own validation server, and you can generate your own keys to store on the device (it stores up to two). It can be configured to generate driver-less (well, HID keyboard) Yubico OTPs, static passwords (for long passwords), or HMAC-SHA1 responses.

I've decided to use the HMAC-SHA1 challenge-response configuration on the second slot for a guarded data store, where the data is encrypted with the HMAC response to a given challenge and, on each decryption, re-encrypted with a different challenge-response pair. This will allow the Yubikey to provide network-less protection. From there I'd like to extend that to the existing Linux FDE Yubikey solution. I will certainly be standing on the shoulders of giants in terms of my contributions, but I hope they will be well received.
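The guarded-store scheme described above, as an added example (my code, not the author's project): a `Token` type stands in for the key's HMAC-SHA1 slot (challenge up to 64 bytes, 20-byte response), the response is expanded into an AES-256-GCM key, and every `Open` immediately re-seals the data under a fresh challenge. SHA-256 as the key-expansion step and the nonce-from-challenge choice are my assumptions, not something the post specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
)

// Token stands in for the YubiKey HMAC-SHA1 slot; its secret never leaves the device.
type Token struct{ secret []byte }

func (t Token) Respond(challenge []byte) []byte {
	m := hmac.New(sha1.New, t.secret)
	m.Write(challenge)
	return m.Sum(nil) // the slot's only operation: 20-byte HMAC-SHA1(secret, challenge)
}

// Blob is the on-disk record: the challenge is public, the response is never stored.
type Blob struct{ Challenge, Ciphertext []byte }

// aead expands the 20-byte response into a 32-byte AES-256-GCM key (assumption: SHA-256
// as a minimal KDF). The nonce is cut from the random challenge: each key encrypts one message.
func aead(t Token, challenge []byte) (cipher.AEAD, []byte) {
	key := sha256.Sum256(t.Respond(challenge))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)      // AES block: cannot fail
	return g, challenge[:g.NonceSize()]
}

// Seal encrypts under a fresh random 64-byte challenge (the slot's maximum), bound as AAD
// so that a blob whose challenge has been swapped fails to open.
func Seal(t Token, plaintext []byte) Blob {
	challenge := make([]byte, 64)
	rand.Read(challenge) // crypto/rand: documented never to return an error since Go 1.24
	g, nonce := aead(t, challenge)
	return Blob{challenge, g.Seal(nil, nonce, plaintext, challenge)}
}

// Open decrypts, then re-seals under a new challenge so the pair just used is never reused.
func Open(t Token, b Blob) ([]byte, Blob, error) {
	g, nonce := aead(t, b.Challenge)
	pt, err := g.Open(nil, nonce, b.Ciphertext, b.Challenge) // wrong token or tampering
	if err != nil {
		return nil, Blob{}, err
	}
	return pt, Seal(t, pt), nil
}
```

Because the key is derived from a challenge that is replaced on every read, a captured challenge/response pair only ever unlocks a blob that no longer exists on disk.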

Peace and chow,