[web-nfc] YubiKey NDEF analysis (#543)

kenchris has just created a new issue for https://github.com/w3c/web-nfc:

== YubiKey NDEF analysis ==
NDEF can be considered post-it notes. Things stored are as good as public information, so if you want to make sure that your content is only readable by certain parties, then make sure it is encrypted.

That brings us to security keys like YubiKey that can expose things over NDEF: https://support.yubico.com/support/solutions/articles/15000006432-understanding-the-ndef-interface-on-nfc-enabled-yubikeys

- One time passwords
- Static passwords
- OATH-HOTP

One-time passwords are safer than static passwords as they are time restricted, often down to a few seconds. Static passwords are not safe to generally make public (like adding them to an NDEF record or a post-it note), which is why YubiKey also makes it clear that they should be part of your password (thus basically a less safe second-factor-like authentication):

https://support.yubico.com/support/solutions/articles/15000006480-understanding-core-static-password-features

Thus the NDEF support in YubiKey is only intended to complement an existing password, and thus add additional security. We could argue that allowing static passwords is a really bad idea as NDEF is not considered safe, but it has been Yubico's choice to do so, they warn against it, and it is an advanced setting that needs to be enabled manually.

Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/543 using your GitHub account

Received on Tuesday, 11 February 2020 13:40:24 UTC