I bought a Yubikey now what: Using OATH-TOTP with KeepassXC
- Published 6 Oct 2023
- In the previous video I explained how you can use the second slot of your YubiKey to store a static, long password. That usage is not optimal; a better and more useful approach is to use the OATH-TOTP algorithm to secure a KeePassXC database. In this video we examine this solution, so you can understand how to secure your passwords with a password manager that simply uses an encrypted file to store them, adding YubiKey hardware protection on top.
Timeline
00:49 - Introduction to OATH-TOTP
02:12 - Configuring the key
03:25 - Small introduction to KeepassXC
05:31 - Protect KeepassXC with Yubikey
06:54 - Opening an archive protected with the YubiKey
07:59 - Testing restore of a backup of the OATH-TOTP seed
10:02 - Conclusions
The best. Thanks
Very useful. Thanks
In another video you mentioned that the YubiKey FIDO2 PIN can be stored in KeePass, so in this case I can't secure KeePass with the YubiKey, because to get the PIN I need the PIN. Is that correct?
If you have only one key you are correct; if you have more than one key you can use the YubiKey with KeePass.
Using the key for KeePass does not require a PIN, because it is just another layer of security over the standard password.
Wouldn't it make sense to set up the HMAC-SHA1 challenge-response on your YubiKey using an air-gapped machine? It seems risky to display the secret on screen in plain text!
The machine where you set up the key must be secure. Maybe an air-gapped one is too strict a requirement, but on the other end of the spectrum I'd never set up the key on a shared computer.
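The HMAC-SHA1 challenge-response named in the comment above, as an added example that is not part of the video or of KeePassXC's own code: it models the secret that is shown on screen during setup, the response a key computes for a challenge, and the backup/restore check from the timeline (a second key holding the same secret must answer every challenge identically). The 20-byte secret value and the 1..64-byte challenge size are constructed assumptions for the model, and the secret is a constructed test value, not one to reuse.

```python
import hashlib
import hmac
import os

# Constructed 20-byte secret, standing in for the value that appears in plain
# text on screen during slot setup and that a backup must preserve.
SECRET_HEX = "0102030405060708090a0b0c0d0e0f1011121314"  # constructed example value


def program_key(secret_hex: str) -> bytes:
    """Model of writing the secret into a key slot; returns the raw secret bytes.

    The 20-byte length is an assumption of this model (HMAC-SHA1 output size).
    """
    secret = bytes.fromhex(secret_hex)
    if len(secret) != 20:
        raise ValueError("this model expects a 20-byte HMAC-SHA1 secret")
    return secret


def respond(secret: bytes, challenge: bytes) -> bytes:
    """What the token computes: HMAC-SHA1 over the challenge with the stored secret.

    Anyone who has seen the secret can compute the same response, which is why
    the setup machine (where the secret is displayed) must be trusted.
    """
    if not 1 <= len(challenge) <= 64:  # assumed challenge size for this model
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def same_secret(primary: bytes, restored: bytes, trials: int = 5) -> bool:
    """Backup check: a restored key must answer random challenges exactly like the primary.

    Uses a constant-time comparison so the check itself does not leak timing.
    """
    for _ in range(trials):
        challenge = os.urandom(32)
        if not hmac.compare_digest(respond(primary, challenge), respond(restored, challenge)):
            return False
    return True


if __name__ == "__main__":
    primary = program_key(SECRET_HEX)
    restored = program_key(SECRET_HEX)      # second key programmed from the backup
    wrong = program_key("ff" * 20)           # a key with a different secret
    print("restored backup answers like primary:", same_secret(primary, restored))
    print("different secret answers like primary:", same_secret(primary, wrong))
```

Run it as a script to see the backup check pass for the restored key and fail for the key with a different secret; `respond` can also be checked against the published HMAC-SHA1 test vectors from RFC 2202.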
Great video, man! Appreciated. One question: currently I use an extra file in conjunction with my password, because I find them easy to back up and inconspicuous. I would like to use the YubiKey as an added layer of protection, but from what I saw I would have to choose between the file and the YubiKey? I am thinking of updating to a YubiKey Bio because it offers more protection if anyone wanted to use the YubiKey. Cheers.
You are right, the YubiKey can be used as a substitute for the extra file, and it is generally more secure. The YubiKey Bio can be more secure because you do not need to remember a PIN, but usually the PIN is enough, so I never bought a Bio (I have a Feitian with bio that I got at a conference; it is easy to use because you do not need to type the PIN, and if you are in a crowded place nobody can try to work out the PIN you are typing).
@codewrecks Thanks -- I tried it and actually you do not have to choose between the file and the YubiKey. You can use both, making your KeePassXC very secure! I am very happy with this.
You can use password, keyfile and Yubikey at the same time.
@janepko Thanks mate, yes I realised that. Great setup for maximum security :)
Is there any difference whether you configure the YubiKey challenge-response via the CLI or the GUI version of ykman?
No difference, and usually there are some functions that are CLI-only.