 |
March 28, 2013, 06:59:30 PM |
|
Would say Yubikey.
Reason: Google Authenticator is a softtoken. This means that it can easy be duplicated with anyone that has physical access to the token. With that, I say that screen lock on the phone is NOT enough, since content is not encrypted. Encrypting the phone and TURNING OFF the phone EVERYTIME you leave it behind will work. However, if someone was to sniff or figure out the encryption password will still be able to duplicate token without you noticing.
Note that copyng the token means copying the secret HMAC key stored in the android files, NOT simply copying token codes.
A problem is also that its a time-based token and not a event-based token. This means you will not notice if someone has unauthorizely used codes from a copied token, since both tokens will be roughtly in sync.
A event-based token will however desync if a code from a copied token is used, so your own codes will struggle. Also, its easy to detect unauthorized usage and infer a action, like locking the account until the key in the token has been refreshed via a secure means of authentication.
In other ways, as soon as you leave the phone in a unsupervised space for even a couple of minutes - you need to regard the phone as "compromised".
-------------------------------------------------
A yubikey however, is a hardtoken which is event-based. This gives both singularity and security against copied codes. Also theres additional security in Yubikey: A clock that is started on powerup and stopped at powerdown, which pretty presicely measures the time lapsed between 2 generated codes. This means the server can verify that the codes was presented with roughtly same interval as they was generated, which means its almost impossible to use codes copied into a notepad document and then used later.
The good with singularity is short of this: You can put the token on a bench on Metro Station, then wait a couple of months, and then come back and take the token, and still be secure. (Of course, somebody could have used token while it was lost, but once you have it again, you can be sure its secure since the token is UNCOPIABLE)
Its like car keys: You lend out the car and give the car keys to the lender.
Once you take back car keys you can be sure nobody else than you can open your car.
This also means a great possibility to give out temporarly access without risking somebody copying that access and storing it indefinitely.
Eg: You lend out a account with 1BTC on. You can later be sure that when you have got back the YubiKey and then fill the account with
10 000 BTC, you can be sure that the person that lended your youbikey CANNOT technically hold a copy of it.
So basically, once you program Yubikey with a AES key, it can never be retrieved, only overwritten.
-------------------------------------------------
A google authenticator token can be made secure by using a secure mobile micro-SD card with a built-in smartcard chip, that
can used to protect the HMAC secret. Then you get both the simplicity in having the token in a device you always have with you, and
the security in that the token is uncopyable since the secure smart-card microSD will not allow the HMAC key leave the card, only
give a access code that match a time.
If the microSD card also contains a secure clock, it can prevent codes from generated to the future.
|
