

Each YubiKey is unique, and will have to be paired with services separately. The devices also register as HID keyboards by default, so they will work without having to install any drivers. (If you have a NEO and a NEO-n, they will give different responses to whatever service is requesting input.)

The YubiKey NEO and NEO-n have three modes of use, and you can enable all of them at once with the newer firmware. (Older firmware only allowed the user to enable two at a time.) All YubiKeys (with the exception of the $18 blue FIDO U2F Security Key model, which only has FIDO U2F support) ship with one-time password (OTP) mode enabled by default.

Services that use OTP authentication (like LastPass) make use of Yubico's cloud service to authenticate YubiKeys. In this mode, the YubiKey supplies a string of characters. The first few characters of the string are the YubiKey identifier and always remain the same. The rest of the string is a unique code made up of a cryptographic nonce. When the string is supplied to the service (like LastPass), the service checks it against the Yubico cloud to authenticate the string. If the service gets the okay from Yubico, access is granted. In this manner, the OTP mode basically serves as a second username and password, in which the password (nonce) for the YubiKey changes every time it's used.

The second mode that the NEO and NEO-n can use is chip card interface device mode, or CCID. In CCID mode, the NEO can store OpenPGP keys for use on different PCs. For those who use OpenPGP/GnuPG, this means that you won't have to carry around private and public key files on a FAT32-formatted USB stick, though you should always keep a backup of your private key somewhere secure, like a USB stick in a locked box. By extension, it also means that you won't have to move those keys to your PC. The only setback to this mode is that the YubiKey NEO (and NEO-n) support only 2048-bit RSA keys. If you have a 4096-bit key, you can get around this by creating 2048-bit signing, authentication, and encryption keys and moving those onto your YubiKey using GnuPG. (Note: The YubiKey 4 supports 4096-bit keys in CCID mode, but lacks NFC capability.)

The last mode is U2F, which makes use of the FIDO U2F standard. There are several services that make use of FIDO U2F, like Google and GitHub. However, at the time of writing, Mozilla's Firefox browser doesn't support FIDO U2F.
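The OTP mode described above, as an added Python example that is not from the original article: before a string is sent on for validation, a service can confirm that its fixed identifier belongs to the YubiKey enrolled for the account and that the one-time part has not been seen before. The 12 + 32 character modhex layout is assumed to be the default configuration, and `split_otp`, `precheck` and every sample string are constructed for illustration.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet
ID_LEN, DYN_LEN = 12, 32     # assumption: default 44-character OTP layout

# Constructed sample values (not real device output).
ENROLLED_ID = "ccccccbcdefg"
SAMPLE_A = ENROLLED_ID + "hijklnrtuvcbdefghijklnrtuvcbdefg"
SAMPLE_B = ENROLLED_ID + "vutrnlkjihgfedbcvutrnlkjihgfedbc"
OTHER_KEY = "ccccccbcvvvv" + "hijklnrtuvcbdefghijklnrtuvcbdefg"


def split_otp(otp):
    """Split an OTP into (identifier, one-time part); ValueError if malformed."""
    otp = otp.strip().lower()  # tolerate Caps Lock and the trailing Enter
    if len(otp) != ID_LEN + DYN_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex string")
    return otp[:ID_LEN], otp[ID_LEN:]


def precheck(otp, enrolled_id, seen):
    """Local checks made before the OTP is forwarded for validation.

    Returns 'ok', 'malformed', 'wrong-device' or 'replayed'.
    """
    try:
        public_id, dynamic = split_otp(otp)
    except ValueError:
        return "malformed"
    # A string that validates for *some* YubiKey is not enough: the
    # identifier must match the key paired with this account.
    if not hmac.compare_digest(public_id, enrolled_id):
        return "wrong-device"
    if dynamic in seen:  # the one-time part must change on every use
        return "replayed"
    seen.add(dynamic)
    return "ok"


if __name__ == "__main__":
    seen = set()
    for candidate in (SAMPLE_A, SAMPLE_A, SAMPLE_B, OTHER_KEY, "hello"):
        print(candidate[:ID_LEN], precheck(candidate, ENROLLED_ID, seen))
```

A result of `ok` only means the string is worth forwarding; the validation service still makes the final decision.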
