YubiKey gpg/ssh: Great security but tricky install

After deploying security keys to their 50000 employees, Google took a look at their experience. Their 2-year study concluded that key-touch login was great: scalable, efficient to use, less prone to user error, accessible for impaired users, and providing solid security at negligible cost. (See http://fc16.ifca.ai/preproceedings/25_Lang.pdf.)

“If it works for Google” … Just couldn’t wait to try my YubiKeys with gpg/ssh … Turned out to be slick and smooth to use - but with potential to be somewhat technical to install!


YubiKeys demystified

When I saw the Bloodhound Developer use his YubiKey at Black Hat to access GitHub (in front of hundreds of people), I knew then I had to get a YubiKey of my own!

This article documents some of the initial “hands-on” experience – with accompanying comments and conclusions.


LastPass, Duo, Google “Push” for 2FA

Came back from Black Hat / Defcon all fired up about 2FA (“Two-Factor Authentication”).

I was particularly impressed when the Bloodhound developer used his YubiKey to access GitHub in front of all the hackers, er, security people.

So decided to take a quick look at LastPass, Duo, as well as Google’s new Push 2FA. The result is this 3-part series.

LastPass (or is it LostPass?)

LastPass has a great Password Management function. But would a better name have been “LostPass”? This article takes a quick look.

Duo: Here-a-Push, There-a-Push, Everywhere a Push-Push

Duo innovated with their 2FA (“Two-factor Authentication”) using mobile Push notification.

Although Duo’s primary focus is corporate, they have a great “freemium” version that is useful for SMBs as well as individual users.

This article takes Duo out for a test drive as well as a technical dive into Duo ssh configuration.


Black Hat USA 2016 and defcon 24 - The Last Word

This year's BH and Defcon were historic. Nothing less.

It was truly "The Rise of the Machines".

defcon 24 - Notes for Friday 2016-8-06

Defcon sure has changed since the last time I was there.
This blog post has my notes from defcon 24 Friday 2016-8-06.