bdl

Support Yubikey challenge-response (offline) second-factor


Some hardware auth tokens such as Yubikey support a challenge-response mode. i.e. you initialise the token with a secret which is henceforth only available to the token (backup of the key excluded). You take the user's password and send it as the challenge to the token, which calculates a HMAC using the key and returns the response, which is used as the database password.

e.g. https://sourceforge.net/p/passwordsafe/discussion/134800/thread/7463e2a3/#7e4e

It'd be neat if enpass supported this.

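To make the flow in the opening post concrete, here is an added Python model of it (not code from Enpass, Password Safe or Yubico). The token is simulated in software purely so the derivation can be run offline; the HMAC-SHA1 algorithm, 20-byte secret, 64-byte challenge limit and the PBKDF2 stretching step are assumptions of this model.

```python
import hashlib
import hmac


class SimulatedChallengeResponseToken:
    """Software stand-in for a challenge-response slot on a hardware token.

    The secret is supplied once when the slot is programmed; afterwards the
    only operation exposed is respond(), mirroring a real token that never
    hands the key back to the host.
    """

    def __init__(self, secret: bytes):
        # Assumption: a 20-byte HMAC-SHA1 key, as YubiKey-style slots use.
        if len(secret) != 20:
            raise ValueError("secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: challenges are limited to 64 bytes; response is a
        # 20-byte HMAC-SHA1 tag over the challenge.
        if not 0 < len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_database_key(user_password: str,
                        token: SimulatedChallengeResponseToken,
                        salt: bytes, iterations: int = 200_000) -> bytes:
    """Host side: password -> challenge -> token response -> KDF -> key.

    Only the password and the response are ever visible to the host, so the
    resulting key depends on both factors without the token secret leaving
    the device. A real implementation would hash passwords longer than the
    challenge limit before sending them.
    """
    challenge = user_password.encode("utf-8")
    response = token.respond(challenge)
    # Mix both factors, then stretch with PBKDF2 (assumed KDF for this model)
    # so an offline guess still costs a full KDF run per candidate password.
    material = hashlib.sha256(challenge + response).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


if __name__ == "__main__":
    # Constructed sample secret and salt; real values come from the slot
    # programming step and the database header respectively.
    token = SimulatedChallengeResponseToken(b"\x01" * 20)
    key = derive_database_key("correct horse battery staple", token, b"salt" * 4)
    print(key.hex())
```

Running the same password against a token programmed with a different secret yields an unrelated key, which is what makes the token a genuine second factor for the database rather than a convenience.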

@Bill Rossum: the challenge-response mechanism isn't U2F (that's targeted to web authentication).

From what I can tell the Ledger device does support a challenge-response mode (used in the Windows Hello authentication feature), so I guess enpass could support that - or someone could write a Ledger app to emulate the Yubikey-style challenge-response protocol: https://github.com/Yubico/python-yubico/blob/master/yubico/yubikey_usb_hid.py#L491. The latter would be better as it'd give you support for all the other services that use Yubikey challenge-response (e.g. the PAM module, LUKS disk encryption, etc).


We know that it should be for web apps, but if you say that was the ONLY use case then

-> we wouldn't use it to auth in windows 7 locally

-> we wouldn't use it to auth in keepass locally

-> we wouldn't use it to auth to QubesOS and decrypt the device LOCALLY

Should I continue?

Yubikey CAN and SHOULD be used to decrypt encrypted assets in ALL password managers


We've been searching for a password manager for a while. 1Password was our first idea, but we don't buy software subscriptions, so we came to Enpass. But 2FA with an offline hardware token is a must; we are not allowed to use anything else for contractual reasons.
