Can I leave my Yubikey plugged in?

[Spekulatius]

Can I leave my Yubikey plugged into my computer while its running and connected to the internet?

Thats what I`ve been doing all the time, for its comfortability.

Or should I rather plug- and unplug my key as soon as I logged in to MtGox?


Thanks for clearing this up, Ive been asking this myself for month.

[Revalin]

It's fine to leave it plugged in.  It only authenticates when you touch the button.

[Stephen Gornick]

It's fine to leave it plugged in.  It only authenticates when you touch the button.

There might be reason to be paranoid.

There haven't been reports of any physical thefts occurring yet, but you could be making yourself a target if you do this.

The operating system knows if the device is plugged in.  If your system is compromised, the attacker knows then that you leave your Yubikey plugged in.  Also knowable is your IP address (and probably your physical address using some account you access), and probably known is your balance at the exchange, and your username/password there as well.

This makes a physical burglary to become more likely as doing so would likely be successful in acquiring the bitcoins.

If the attacker / thief doesn't know where your Yubikey might be (e.g., do you carry it with you on your person, or is it kept locked up, etc.) then a risky burglary is less likely to occur.

[Spekulatius]

OK, but remote phishing of the key string entered is not possible then, at least as possible to the same extend, as plugging it in and pressing the button anymway?

[Revalin]

Correct.  It's safe against viruses and hacking.  Someone coming to physically steal it is only a concern if you have a really large account.