From Whonix


authentication to arbitrary web sites

YubiKey authentication to arbitrary web sites, i.e. to websites that do not explicitly support YubiKey (U2F or similar) themselves ([archive]). Some notes:

  • All implemented using Free, Open Source and Freedom Software.

In total this gives three-factor authentication to arbitrary websites etc.:

  • first factor: password (to unlock the keepassxc database) ("something you know")
  • second factor: YubiKey with key press (to unlock the keepassxc database) (HMAC-SHA1 challenge response) ("something you have")
  • third factor: Google Authenticator / andOTP (HOTP one-time passwords) ("something you have")

(Currently there is no factor "something you are", but I wouldn't know how to implement it for arbitrary websites. The above authentication setup is already complex enough [read: breakage, difficulty, locking oneself out] and secure enough. Rather than trying to hack these three factors, malware would rather just hijack the web login session.)

YubiKey Info

  • Configured YubiKey configuration slot 1 with a static password and configuration slot 2 with challenge response. (Google) U2F still works. Pretty awesome.
  • Could even enter my BIOS password using the YubiKey static password.
  • Static password works even for full disk encryption password entry, either as a single factor or to increase the length of the password. It acts as a USB keyboard. Even works with Qubes. (2FA vs BadUSB.)
  • YubiKey U2F (FIDO Universal 2nd Factor): no backup possible. (But U2F-supporting services might offer alternative login methods or multiple U2F (YubiKey) keys.) Not an issue, since we won't be using the YubiKey for U2F.
  • YubiKey static passwords / HMAC-SHA1 challenge response: (paper) backup easily possible.
  • It might have a bug resetting the keyboard layout to en-US, but it's not a big deal.

Static Password vs Challenge Response

protection goal:

  • deny unauthorized decryption of the notebook's full disk encryption when the notebook is powered off, gets stolen, and the user password has been sniffed

adversary capabilities:

  • [A] temporarily grab the YubiKey for a moment, attach it to a prepared smartphone or similar, press the YubiKey button, and thereby steal the static password ("very easy")
  • [B] temporarily grab the YubiKey for a moment, extract the challenge response secret key from the smart chip through a side channel or exploit ("harder")
  • [C] brute-force or sniff (camera / side channel) the user-entered password
  • [D] unauthorized access to the notebook (theft)

We assume the adversary has succeeded with [C] plus [D].

boot full disk encryption authentication methods:

  • YubiKey static password: fails against adversary capability [A]
  • YubiKey static password: fails against adversary capability [B]
  • YubiKey challenge response: safe against adversary capability [A]
  • YubiKey challenge response: fails against adversary capability [B]

Both authentication methods (static password; challenge response) are easy to program into a YubiKey and allow easy legitimate cloning to other YubiKeys as backup. Paper backups are also possible.

In other words, YubiKey static password authentication fails when an adversary can get their hands on it for a moment. YubiKey challenge response is superior here since it is harder to extract the HMAC secret from the YubiKey.

However, YubiKey challenge response authentication is much more complex. That is: there is a real chance of ending up with an implementation so "secure" that the owners themselves get locked out. It is also more time consuming to develop, research, and set up for Qubes OS.
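To make the [A] rows of the comparison concrete, here is an added example (constructed for this page; not Whonix, Yubico or yubikey-luks code) that models both slot modes and a boot-time key derivation. The YubiKeySlot class, the fde_key combination (plain SHA-256 over password and YubiKey output) and all secrets and challenges are assumptions of this toy model; real tools use their own key derivation. What it shows is why a single button press during momentary access hands over everything in static mode but only one challenge-specific response in challenge-response mode, and therefore why, with the password sniffed ([C]) and the notebook stolen ([D]), only the static-password setup falls.

```python
import hashlib
import hmac

# Constructed values for the demonstration; nothing here is a real secret.
STATIC_SECRET = b"correct-horse-battery-staple-static-pw"
HMAC_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # 20-byte HMAC-SHA1 key
USER_PASSWORD = b"hunter2"                                                 # sniffed via [C]
BOOT_CHALLENGE = b"challenge stored on the notebook's boot partition"      # obtained via [D]
ATTACKER_CHALLENGE = b"challenge sent by the adversary's own device"       # used during [A]


class YubiKeySlot:
    """Toy model of one YubiKey configuration slot (an assumption of this example)."""

    def __init__(self, mode: str, secret: bytes):
        if mode not in ("static", "chal-resp"):
            raise ValueError(mode)
        self.mode = mode
        self._secret = secret

    def press(self, challenge: bytes = b"") -> bytes:
        """One button press. A static slot types its whole secret whatever the input;
        a challenge-response slot only emits HMAC-SHA1(secret, challenge)."""
        if self.mode == "static":
            return self._secret
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def fde_key(password: bytes, yubikey_output: bytes) -> bytes:
    """Combine password and YubiKey contribution into the disk unlock key.
    Assumption: plain SHA-256 over the concatenation; real tools differ."""
    return hashlib.sha256(password + yubikey_output).digest()


def enroll(slot: YubiKeySlot) -> bytes:
    """The owner enrolls: password plus the slot's answer to the stored boot challenge."""
    return fde_key(USER_PASSWORD, slot.press(BOOT_CHALLENGE))


def owner_unlocks(slot: YubiKeySlot, enrolled: bytes) -> bool:
    """Legitimate boot: same password, same key, same stored challenge."""
    return hmac.compare_digest(fde_key(USER_PASSWORD, slot.press(BOOT_CHALLENGE)), enrolled)


def adversary_unlocks(slot: YubiKeySlot, enrolled: bytes) -> bool:
    """[A] + [C] + [D]: during momentary access the adversary's device presses the key once
    with its own challenge and records the output. Later, holding the notebook and the sniffed
    password but not the YubiKey, that recording is the only YubiKey-derived value available."""
    captured = slot.press(ATTACKER_CHALLENGE)
    return hmac.compare_digest(fde_key(USER_PASSWORD, captured), enrolled)


def compare_modes() -> dict:
    """Per slot mode: does the [A]-capable adversary decrypt the disk?"""
    result = {}
    for mode, secret in (("static", STATIC_SECRET), ("chal-resp", HMAC_SECRET)):
        slot = YubiKeySlot(mode, secret)
        enrolled = enroll(slot)
        assert owner_unlocks(slot, enrolled)   # the owner is never locked out in this model
        result[mode] = adversary_unlocks(slot, enrolled)
    return result


if __name__ == "__main__":
    print(compare_modes())   # {'static': True, 'chal-resp': False}
```

The model deliberately stops at [A]: capability [B] (extracting the HMAC secret from the chip) defeats both modes, exactly as the list above states, because with the secret the adversary can answer the stored boot challenge themselves.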

Qubes OS YubiKey LUKS challenge response authentication: [archive]

Use case                                                   Static Password   Challenge Response
BIOS password entry                                        Yes               No
Boot Password Entry for Full Disk Encryption on Debian     Yes               Yes
Boot Password Entry for Full Disk Encryption on Qubes OS   Yes               difficult
Login                                                      Yes               Yes
lightdm                                                    Yes               Yes
xscreensaver                                               Yes               Yes
keepassxc                                                  Yes               Yes
paper backups                                              Yes               Yes
ssh                                                        Yes               Yes [1]


2FA (commonly referred to as "Google Authenticator") works against simple phishing, i.e. the user sending their password by e-mail to a scammer, or in case the server's password database gets hacked but the 2FA database does not.

Against local compromise by malware nothing helps, as the attacker can simply take over the login session. The usefulness of 2FA is therefore limited.

YubiKey can help to strengthen passwords for login, screensavers, BIOS, full disk encryption and others. Or a stolen, powered-off, full-disk-encrypted notebook might remain securely encrypted even though its password was leaked on camera, as long as the adversary does not get their hands on the YubiKey too.


Attack                                   Protected by 2FA?
Simple password phishing [2]             Yes [3]
redirection to phishing website [4]      No [5]
server password database hacked          Yes [6]
local compromise [7]                     No [8]


  1. Probably, untested, very doable in theory.
  2. User replying to fraudulent password request by e-mail.
  3. With the password alone, no fraudulent login is possible.
  4. Such as DNS spoofing or man-in-the-middle attacks.
  5. The user has to spot the browser SSL warning.
  6. When the server password database was hacked, but the 2FA database not, malicious logins are prevented.
  7. By malware.
  8. No protection against session hijacking.


Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP.
