Silk Road forums
Discussion => Security => Topic started by: philter3 on April 22, 2012, 07:26 am
-
What is the significance of Yubikeys in SR's product listings?
Specifically.. what is the utility of something like this? I am not wanting to pry into a vendor's custom listing.. but could some of the older hands give me a vague example or two of what sort of services or use to a buyer might be offered via Yubikey?
Forgive my addled brain.. it's the day after the Highest Holy Day of the Year.
-
What is the significance of Yubikeys in SR's product listings?
Specifically.. what is the utility of something like this? I am not wanting to pry into a vendor's custom listing.. but could some of the older hands give me a vague example or two of what sort of services or use to a buyer might be offered via Yubikey?
A YubiKey provides secure login and two factor authentication to networks and services that are using the YubiKey libraries. Silk Road does not, as far as I know, provide users with the option to log on using the YubiKey.
-
Mt. Gox uses them :p
-
For additional account security, Silk Road is currently beta testing their own Yubikey authentication server.
-
For additional account security, Silk Road is currently beta testing their own Yubikey authentication server.
How do you know? Has this been announced anywhere?
-
How do you know?
I'm an alpha tester. ;)
-
Shabang,
This is very interesting. *ALWAYS* interested in new ways to enhance security.
http://silkroadvb5piz3r.onion/silkroad/item/71ce6c1c96
So this would replace a typical login? Or would it supplement the present login system?
-
Using a Yubikey is part of a process known as 'Two Factor Authentication' which combines two things; something you know, which would be your password, with something you have, which would be the Yubikey.
Rather than replacing the standard login, it adds to it. You need to enter your username and passphrase as you normally would, as well as activate the Yubikey to send a 'One Time Pad' single-use code to be verified in order to sign in. If you don't know the password, or don't have the Yubikey in your possession, you can't sign in, significantly reducing the chances of unauthorized access to your account.
-
Yubikey is a 2-part authentication method. An easy example: let's say your password is HotSexyHoes. Not sure on Yubikey, but I own an IronKey which also has the same technology. It's called a one-time password. When you log in you would have to enter your known typed password, HotSexyHoes, & the Yubikey will also generate a 6-digit one-time password that you have 30 seconds to use. So you would enter HotSexyHoes123456, where 123465 is your random 30-second password generated by your token key.
I would LOVE to see SR implement this. However it is not without a downside. If you were ever in trouble with the law & they did confiscate your yubikey & tie it to your SR act, that would be bad news bears.
I personally own an IronKey which has the same technology; I believe they are just licensed with VeriSign. It only works with VeriSign-enabled sites, which I'm sure SR would never be a part of, so I would have to have 2 keys, which is kind of a pain in the ass, but I may do it as extra security is never a bad thing.
You know what I also thought about as well, with the purchase of my new Lenovo laptop, is that it has a built-in fingerprint reader. I haven't got it to mess with it yet, but you guys think that would be a good idea or bad idea to have your fingerprint tied to your SR account? I was thinking 2 factor authentication, like password + fingerscan. I think you have to support the correct libraries for it though & I'm not sure if SR does.
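The login described in the post above (typed password followed by a 6-digit code valid for 30 seconds), as an added example that is not part of the original thread. It assumes the code is a standard RFC 6238 TOTP; the `Account` class, the salt and the token secret are constructed for illustration, and the replay check is what makes each code single-use.

```python
import hashlib, hmac, struct

STEP, DIGITS = 30, 6  # 30-second window and 6-digit code, as in the post

def totp(secret: bytes, now: float, offset: int = 0) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = int(now) // STEP + offset
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:  # hypothetical server-side record, not any site's real code
    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.token_secret = token_secret
        self.last_step = -1  # highest time step already accepted

    def login(self, credential: str, now: float) -> bool:
        """Check `password + code` typed as one string."""
        password, code = credential[:-DIGITS], credential[-DIGITS:]
        ok_pw = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        step = None
        for offset in (-1, 0, 1):  # tolerate one step of clock drift
            expected = totp(self.token_secret, now, offset).encode()
            if hmac.compare_digest(expected, code.encode()):
                step = int(now) // STEP + offset
        # Both factors must pass, and a step already used is refused (replay).
        if not ok_pw or step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True

# Constructed sample values: the password is the post's example, the secret is
# the RFC 6238 test key, and `now` is fixed so the run is repeatable.
acct = Account("HotSexyHoes", b"constructed-salt", b"12345678901234567890")
now = 59.0
good = "HotSexyHoes" + totp(acct.token_secret, now)
```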
-
I would LOVE to see SR implement this. However it is not without a downside. If you were ever in trouble with the law & they did confiscate your yubikey & tie it to your SR act, that would be bad news bears.
What worries me is that SR are setting up their own YubiKey authentication server, which will make it even easier to link a specific key to a specific site. If they used the same authentication server as a number of other projects, it would be a whole other story. Another issue is that SR will have to (I believe, someone please correct me if I'm wrong) send out keys to everyone that have been pre-configured to authenticate with SR's own server.