
I see the private key within the Yubikey the same as a TOTP secret. Ok, for TOTP it is stored on the host, but as you said: "you don't need to know the secret"

When I press the button on the Yubikey, it pastes some gibberish - way more than 6 chars, but can't THAT token be re-used?

Okay, browsers have some integrations with this stuff, so it is not always some kind of web form that it goes into, so it could be a bit more secure.

I'm no security expert, I'm just thinking out loud and hoping someone educates me :)

Yeah, the end result (whatever header value or cookie in browser) is still readable by malware.

> When I press the button on the Yubikey, it pastes some gibberish - way more than 6 chars, but can't THAT token be re-used?

Just to be clear, that's not related to FIDO which I was originally talking about. That's one of the extra OTP features that most Yubikeys come with, but it's unrelated to the Yubikey's FIDO capability.
