Yubikey + Keepass using Challenge/Response v/s Yubikey + Keepass using OTP - Which is More Secure?

450    Asked by AndrewJenkins in SQL Server , Asked on Dec 9, 2021

I use a Windows 10 PC and an Android phone with Keepass.

However, now I’d like to add a second factor on top of my master password that works with both Windows 10 and my Android phone. Between the two support methods of authentication, which one is more secure?Yubikey + Keepass 2 using Challenge/Response Yubikey + Keepass 2 using OTP Thanks in advance.

Answered by Ankur vaish

One important difference between Yubikey + Keepass with OTPs and Yubikey + Keepass with challenge/response schemes is that the Yubikey + Keepass with OTPs can be spoofed, and the Yubikey + Keepass with challenge/response cannot. Suppose somebody sets up a phishing UI for KeePass, and you enter your password into it without realizing that it's not the legit one. The attacker realizes that the password isn't enough, you have MFA enabled. So far, so good.


If you use Yubikey + Keepass with OTP, though, all the attacker needs to do is show the usual OTP entry box. You tap your Yubikey, it sends the OTP to the attacker, attacker forwards it to KeePass, and boom they've got access to your KeePass vault. If you instead use Yubikey + Keepass with Challenge/Response, then Yubikey's response is based on the challenge from the app. The attacker doesn't know the correct challenge to send for KeePass, so they can't spoof it.

Note that this distinction probably doesn't matter that much for a thick-client local app like KeePass, but it definitely matters for anything that does remote authentication. For example, if you're logging in to a web app like Gmail, a phishing page can spoof the login UI and the OTP UI just fine. However, a phishing page cannot spoof the challenge/response flow, because that's based on the actual site being visited, and your browser (and therefore the Yubikey) will send a different challenge even if it looks the same to you.

In fact, challenge-response systems like this are the only method I know of that provides pretty strong security against phishing attacks. Everything else involving a true second factor - OTP, SMS, even push notifications - can be spoofed, and you will take the approval the authentication check just like normal because, as far as you know, you are logging in just like normal.



Your Answer

Interviews

Parent Categories