bdl

Support Yubikey challenge-response (offline) second-factor


Some hardware auth tokens such as Yubikey support a challenge-response mode, i.e. you initialise the token with a secret which is henceforth only available to the token (backup of the key excluded). You take the user's password and send it as the challenge to the token, which calculates an HMAC using the key and returns the response, which is used as the database password.

e.g. https://sourceforge.net/p/passwordsafe/discussion/134800/thread/7463e2a3/#7e4e

It'd be neat if enpass supported this.

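The mechanism the first post describes, as an added Python example that is not part of the thread or of any product's code: the token side is simulated with HMAC-SHA1 over a constructed 20-byte slot secret, the host sends the password as the challenge, and the response becomes the database key. The SHA-256 widening of the response and the pre-hashing of passwords longer than 64 bytes are assumptions of this example.

```python
import hashlib
import hmac

# Constructed secret for illustration only. A YubiKey HMAC-SHA1 slot holds a
# 20-byte secret that never leaves the token; the host only ever sees
# challenge/response pairs.
TOKEN_SECRET = bytes.fromhex("0b" * 20)
MAX_CHALLENGE = 64  # the YubiKey accepts challenges of 1..64 bytes


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Token side: HMAC-SHA1 over the challenge, as a YubiKey slot in
    challenge-response mode computes it. Returns 20 bytes."""
    if len(secret) != 20:
        raise ValueError("HMAC-SHA1 slot secrets are 20 bytes")
    if not 1 <= len(challenge) <= MAX_CHALLENGE:
        raise ValueError("challenge must be 1..%d bytes" % MAX_CHALLENGE)
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def simulated_token(secret: bytes):
    """Return a callable that behaves like one programmed device."""
    return lambda challenge: token_response(secret, challenge)


def password_to_challenge(password: str) -> bytes:
    """Host side: the user's password is the challenge. Passwords longer than
    the 64-byte limit are pre-hashed (assumption: SHA-256) so the whole
    password still contributes to the challenge."""
    raw = password.encode("utf-8")
    return raw if len(raw) <= MAX_CHALLENGE else hashlib.sha256(raw).digest()


def derive_database_key(password: str, token) -> bytes:
    """Host side: send the password as the challenge and use the response as
    the database secret. `token` is any callable challenge -> response, so a
    real device can be swapped in. The 20-byte response is widened to a
    32-byte key with SHA-256 (assumption; the post only says the response is
    used as the database password)."""
    response = token(password_to_challenge(password))
    return hashlib.sha256(response).digest()


if __name__ == "__main__":
    mine = simulated_token(TOKEN_SECRET)
    other = simulated_token(bytes(20))  # a different device, same password
    k1 = derive_database_key("correct horse", mine)
    k2 = derive_database_key("correct horse", other)
    # Same password, different token -> different key: the password alone
    # cannot open the database, which is exactly the second factor.
    print(k1.hex(), k1 != k2)
```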

@Bill Rossum: the challenge-response mechanism isn't U2F (that's targeted to web authentication).

From what I can tell the Ledger device does support a challenge-response mode (used in the Windows Hello authentication feature), so I guess enpass could support that - or someone could write a Ledger app to emulate the Yubikey-style challenge-response protocol: https://github.com/Yubico/python-yubico/blob/master/yubico/yubikey_usb_hid.py#L491. The latter would be better as it'd give you support for all the other services that use Yubikey challenge-response (e.g. the PAM module, LUKS disk encryption, etc).


We know that it should be for web apps, but if you say that was the ONLY use case, then

-> we wouldn't use it to auth in windows 7 locally

-> we wouldn't use it to auth in keepass locally

-> we wouldn't use it to auth to QubesOS and decrypt the device LOCALLY

Should I continue?

Yubikey CAN and SHOULD be used to decrypt encrypted assets in ALL password managers


We've been searching for a password manager for a while. 1Password was our first idea but we don't buy software subscriptions … so we came to Enpass – but 2FA with a hardware token (offline) is a must – we are not allowed to use anything else because of contracting reasons.
