- From: Kenneth Rohde Christiansen via GitHub <sysbot+gh@w3.org>
- Date: Tue, 11 Feb 2020 13:40:22 +0000
- To: public-web-nfc@w3.org
kenchris has just created a new issue for https://github.com/w3c/web-nfc: == YubiKey NDEF analysis == NDEF can be considered post it notes. Things stored are as good at public information, so if you want to make sure that your content is only readable by certain parties, then make sure it is encrypted. That brings us to security keys like YubiKey that can expose things over NDEF: https://support.yubico.com/support/solutions/articles/15000006432-understanding-the-ndef-interface-on-nfc-enabled-yubikeys - One time passwords - Static passwords - OATH-HOTP One time passwords are safer than static passwords as they are time restricted, often down to a few seconds. Static passwords are not safe to generally make public (like adding them to an NDEF record or a post it note) which is why YubiKey also makes it clear that they should part of your password (thus basically a less safe second factor like authentication): https://support.yubico.com/support/solutions/articles/15000006480-understanding-core-static-password-features Thus the NDEF support in YubiKey is only intended to compliment an existing password, and thus add additional security. We could argue that allowing static passwords is a really bad idea as NDEF is not considered safe, but it has been Yubico choice to do so and they warn against it and it is an advanced setting that manually needs to be enabled. Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/543 using your GitHub account
Received on Tuesday, 11 February 2020 13:40:24 UTC