2 factor non-SMS hack question

Discussion in 'privacy technology' started by Soft Life, Jul 29, 2019.

  1. Soft Life

    Soft Life Registered Member

    Aug 10, 2018
    United States
If a hacker was to try to crack the code of an encrypted Bitwarden or anything for that matter, and there were a Yubi-Key attached to it, how would that affect the hacker's ability to see the encrypted files? If you put two encrypted files in front of a hacker would it matter if one was yubikey protected? If the hacker has his hands on the files already and he is trying to bust in, what good at that point would a yubikey do? It's not like the question will pop up to the hacker and state, please enter your key?

Does the yubikey affect the encryption of the file is my question.
  2. Palancar

    Palancar Registered Member

    Oct 26, 2011
This depends upon the code written/used by the company providing the encryption. Yubikeys are U2F (but with some means to identify the holder of the key). I may have published a paper or document about Yubi's as a form of U2F. Let's discuss U2F, not specific to Yubi's. In a properly encrypted vault I can hand you my password and username but not my U2F key and you would have NO ability to open my vault.

Let's use Gmail/Google as an example here: You can set up your Gmail to allow login only with a physical device along with your username and password. That is what I do with my actual name Gmail accounts. Those physical devices are selected by you the user. Availability of devices is both U2F and Yubi's, along with other good but less secure items such as TOTP access, etc. The only slight difference between Yubi's and pure U2F is that it is possible to track the Yubi because it handshakes a code specific to that one device. This is NOT a security risk that would allow a hacker into your account by any known means. It's only different in that a pure U2F element such as the Security Key with NFC by Yubi does not transmit any identifier to a website that might be tracked.

    Properly written code would not allow a hacker to know a U2F key is needed for access, unless they had your username and password and the site then asked for the key to finish authentication.

    You specifically asked about Bitwarden so I'll share what I have read about their cloud service. The code is zero knowledge so only the user can access their vaults based upon opening them on their devices not in the cloud (Microsoft Azure). You need a U2F to download the file from the cloud service. If however you were to somehow acquire the file on your device I don't think you need U2F from there. A strong password is secure, but as written the U2F security does not extend beyond the cloud container. This is not the best it could be. I forward that my study of their code is second hand and I only report what I have read. Disclaimer: I do use Bitwarden and find it secure. I use a crazy master password, but I do wish the U2F protocol was improved upon.
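The distinction the reply above draws, as an added example (constructed for this thread, not Bitwarden's or any vendor's code): the vault's encryption key is derived from the master password alone, while the security key only gates the service handing the file out. Everything here is a stand-in: the HMAC challenge-response replaces the ECDSA signature a real U2F key produces, the counter-mode keystream is a toy cipher for the demo, and the salt, passwords and stored secret are made up.

```python
import hashlib
import hmac
import secrets

# Constructed demo: the vault's encryption key is derived from the master password only.
SALT, ITERATIONS = b"demo-salt-16bytes", 100_000

def derive_vault_key(master_password: str) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256; no security key takes part."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, ITERATIONS)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (demo only, not a real cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag lets decrypt_vault detect a wrong password."""
    key, nonce = derive_vault_key(master_password), secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def decrypt_vault(master_password: str, blob: bytes):
    """Returns the plaintext, or None when the password is wrong (tag mismatch)."""
    key = derive_vault_key(master_password)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def security_key_respond(device_secret: bytes, challenge: bytes) -> bytes:
    """Simplified second factor: a real U2F key signs the challenge with ECDSA; HMAC stands in."""
    return hmac.new(device_secret, challenge, "sha256").digest()

def cloud_download(blob: bytes, device_secret: bytes, challenge: bytes, response: bytes):
    """Stand-in for the hosted service: the second factor gates the download, nothing else."""
    expected = hmac.new(device_secret, challenge, "sha256").digest()
    return blob if hmac.compare_digest(response, expected) else None

def demo() -> dict:
    """Where the second factor matters: at the service boundary, not inside the file."""
    pw, secret = "correct horse battery staple", b"site: example.com / pass: hunter2"
    device_secret, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    stored = encrypt_vault(pw, secret)
    blob = cloud_download(stored, device_secret, challenge, security_key_respond(device_secret, challenge))
    return {
        "download_refused_without_key": cloud_download(stored, device_secret, challenge, b"\x00" * 32) is None,
        "file_opens_with_password_alone": decrypt_vault(pw, blob) == secret,
        "wrong_password_rejected": decrypt_vault("guess", blob) is None,
    }
```

Once the file has left the service, only the master password stands between it and its contents, which is why the password's strength, not the presence of the key, decides how the offline copy holds up.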