Bitcoin Forum
Topic: Yubikey cross-service security?
No_2
April 18, 2013, 01:41:38 PM
 #1

Some websites - e.g. MTGOX - only issue Yubikeys from themselves which are locked to one account only. They state this is done for security purposes, as if a Yubikey is used on multiple accounts with different providers, one of the providers can use your code to log into another account with another provider.

I am therefore wondering if it is best practice to have one key per provider or if it is ok to use one Yubikey with multiple different accounts and providers.

Can anyone clarify why this is?

montdidier
April 21, 2013, 11:34:37 AM
 #2

They are correct in their assertion, presuming an untrustworthy service provider. If I were them I would not allow my security to rely on the skill or goodwill of others.

It would be best practice. Especially if you are effectively only using it as a password i.e. single factor authentication.

The danger is that a site you are logging in to will reuse your login details to access another site you might also use. Effectively your classic man in the middle attack.

---
The contents of this universe may expand.
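
The risk discussed in this thread, as an added example that is not part of the original posts: a simplified model in which a one-time password proves possession of a key but carries no information about which site it was typed into. The `Token` and `Validator` classes, the HMAC-over-counter OTP and all secrets are constructed assumptions for illustration, not the real Yubikey OTP format or any provider's validation API.

```python
import hashlib
import hmac

def _mac(secret: bytes, counter: int) -> str:
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:16]

class Token:
    """Toy OTP token (HMAC over a counter); a stand-in, not the real Yubikey OTP format."""
    def __init__(self, key_id: str, secret: bytes):
        self.key_id, self._secret, self._counter = key_id, secret, 0

    def press(self) -> str:
        self._counter += 1
        return f"{self.key_id}:{self._counter}:{_mac(self._secret, self._counter)}"

class Validator:
    """Checks OTPs for enrolled tokens, each counter once. It cannot tell which site the user meant."""
    def __init__(self):
        self._secrets, self._last = {}, {}

    def enroll(self, token: Token, secret: bytes) -> None:
        self._secrets[token.key_id], self._last[token.key_id] = secret, 0

    def verify(self, otp: str) -> bool:
        key_id, _, rest = otp.partition(":")
        counter_s, _, mac = rest.partition(":")
        secret = self._secrets.get(key_id)
        if secret is None or not counter_s.isdigit():
            return False
        counter = int(counter_s)
        if counter <= self._last[key_id] or not hmac.compare_digest(mac, _mac(secret, counter)):
            return False
        self._last[key_id] = counter  # burn the counter: a replay of the same OTP fails
        return True

def otp_for_a_accepted_by_b(dedicated_key_for_b: bool) -> bool:
    """User types an OTP at provider A; returns whether provider B's validator would accept it."""
    shared_secret, b_secret = b"constructed-secret-1", b"constructed-secret-2"
    general = Token("key-general", shared_secret)
    shared_validator = Validator()      # used by provider A (and by B when the key is shared)
    shared_validator.enroll(general, shared_secret)
    if dedicated_key_for_b:
        b_validator = Validator()       # B only trusts the key it issued itself
        b_validator.enroll(Token("key-b-issued", b_secret), b_secret)
    else:
        b_validator = shared_validator
    otp_typed_at_a = general.press()    # A sees this value before anyone has validated it
    return b_validator.verify(otp_typed_at_a)
```

With a shared key the OTP typed at provider A is still unused and valid at provider B; with a key issued by B and known only to B's validator, it is rejected.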