Monday, 27 February 2012

Yubico / Yubikeys

I'm impressed.

I have small keyring with a USB memory stick, 2 yubikeys and a cofee machine cashless RFID key on. Stupidly I left said key in the vending machine. The system operators at work collected it and set about finding the owner. 1st up, they discovered that they can't read any files off yubikeys (heh) but googled the image and found the manufacturers website and said they had found serial #.... and #.....

Having spend the last 2 days rummaging in car / home looking for it, I got an email from yubico saying that <email> had found my key, based on the serial no of the one I purchased. Work also got an email for the other serial no, which they traced to me.

I'm *very* impressed by this level of attention at yubico, and it means when distributing keys within the business it pays to keep track of the serial no (printed under the 2d barcode).

It does raise the question of how (if) one should notify yubico if they're passed on - especially if I overwrite the yubi profile (as I have done) to prove that I am the rightful owner of the key.

Things to consider with revocation / blocking, especially with a distributed architecture like Fedora....

No comments: