Duo Security vs Yubico vs RSA SecurID

gestiondbi Member, Patron Provider

Hi LET!

I would like your opinion over those products.

  • Which one do you recommend?
  • Which one is the most "secure"?
  • Which one is the easiest to integrate with software and servers?

For my part, I use RSA SecurID every day; however, I'm looking for a cheaper alternative for a new project and was thinking of maybe using DuoSecurity. Does anybody use them?

Regards, David.

Comments

  • I have a few Yubikeys, the NEO is the best by far, it has:

    • Static passwords

    • OTP (One Time Password)

    • OATH-HOTP

    • OATH-TOTP

    • PIV-Compliant smart card

    • OpenPGP

    • FIDO U2F

    It uses a secure element to keep secrets safe.

    I use mine for static passwords, FIDO U2F, OpenPGP, OATH-TOTP and NFC!

    I hope FIDO U2F is going to be the future of securing servers and services online; it's the simplest way I've found to help secure my accounts (Gmail, Dropbox, GitHub etc.).

    Yubico has written a U2F PAM module for SSH: https://www.yubico.com/applications/computer-login/linux/ - I've not used it, but I've read it's simple to set up.

  • gestiondbi Member, Patron Provider

    @madtbh

    I will order a Yubikey to do some tests. I'm currently trying the DuoSecurity services. It works really well and is really adaptable and simple; however, the cost is a bit higher than Yubico's. Thanks for your review :)

  • KuJoe Member, Host Rep

    I use the RSA SecurID also and prefer Google Authenticator personally. I've started integrating it into all of my personal projects instead of passwords.

    Thanked by 1netomx
  • gestiondbi Member, Patron Provider
    edited October 2015

    @KuJoe said:
    I use the RSA SecurID also and prefer Google Authenticator personally. I've started integrating it into all of my personal projects instead of passwords.

    Unfortunately, I can't use Google Auth because of some security and integration issues. This baby doesn't like some of our customized and legacy BlackBerry devices :(

  • @madtbh said:
    Yubico has written a U2F PAM module for SSH: https://www.yubico.com/applications/computer-login/linux/ - I've not used it, but I've read it's simple to set up.

    What is the fallback if the Yubico authentication server cannot be accessed?

  • @0xdragon said:

    Thanks a lot, I ordered one and will hopefully lock myself out for fun..

    Thanked by 1gestiondbi
  • Duo is absolutely fantastic. I can't recommend it highly enough.

    Thanked by 1gestiondbi
  • There are special offers for GitHub users. Curiosity buy; mine arrived this morning, however I have no idea if it's usable at other U2F-supported sites. Might be worth a look for a discount: https://www.yubico.com/github-special-offer/

  • deadbeef Member
    edited October 2015

    Edit: nvm

  • Ok, I don't get it - I see it supports KeePass, but what if the key breaks? If you create a KeePass db with master password AND OTP, and you lose the OTP, you're locked out. What am I missing here?

  • @deadbeef said:
    Ok, I don't get it - I see it supports KeePass, but what if the key breaks? If you create a KeePass db with master password AND OTP, and you lose the OTP, you're locked out. What am I missing here?

    Only a few bucks for a spare key kept somewhere safe... If keepass is anything like lastpass you can also store (offline) a backup that requires your password only to access.

    Thanked by 1deadbeef
  • Shade Member
    edited October 2015

    Take a look at PrivacyIDEA; with this authentication server you can integrate nearly all second-factor software or hardware. With this server you can also integrate the very cheap Feitian C 200 TOTP hardware token. This solution is MUCH cheaper than RSA or others and it has the same security, based on open source and not closed source like RSA.

    Thanked by 1deadbeef
  • I'm really happy with my Yubikey Neo, you can even store PGP keys and CA keys in it. Plus they replaced it for free when there was a PGP vulnerability so now I have two of them.

  • I read that it is advised to buy Yubikey Neos in pairs. One would be the exact copy of the other in case of a loss.
    Do you confirm that?

  • I would probably buy Yubikey, but my phone doesn't have NFC :(

  • madtbh Member
    edited October 2015

    @tomq said:
    I read that it is advised to buy Yubikey Neos in pairs. One would be the exact copy of the other in case of a loss.
    Do you confirm that?

    I have two for this exact reason.

    @deadbeef said:
    Ok, I don't get it - I see it supports keepass but what if the key breaks? If you create a keepass db with master password AND OTP, and you lose the OTP, you're locked out. What am I missing herE?

    I secure my KeePass with a master password and a key file. One half of my password I know and the other half is my YubiKey (static password).

    Thanked by 1deadbeef
  • deadbeef Member
    edited October 2015

    @madtbh said:
    I secure my KeePass with a master password and a key file. One half of my password I know and the other half is my YubiKey (static password).

    Thanks, so one needs to have 2 keys if this is going to make sense.

  • But you don't need two keys if it is just for FIDO U2F, I think.

  • @deadbeef said:
    Thanks, so one needs to have 2 keys if this is going to make sense.

    Two keys is all about redundancy really. I keep one in my safe at home and the other I carry around every day on my keys. So if I lose one I can always get back into my accounts without too much hassle (most of the work then is getting a new key and setting it up).

    If you just want static passwords (kind of like I use to secure my KeePass) you can get 2 of the basic YubiKeys (rather cheap to do).

    But I use mine for more than that, so I got 2 NEOs to store static passwords, FIDO U2F, OpenPGP and OATH-TOTP and mirrored them.

    Thanked by 1deadbeef
  • madtbh Member
    edited October 2015

    @tomq said:
    But you don't need two keys if it is just for FIDO U2F, I think.

    With Google for example, you can register both a FIDO U2F key and TOTP (using the Google Authenticator app). On top of that they also give you 10 one-time-use codes to log in with.

    So if you were to lose your key you could still get into your account using those two other methods. So no, 2 keys in this case would not be necessary.

    You can register as many keys as you like, I currently have 4 lol.

    Thanked by 1deadbeef
  • Personally I use Duo Security, it does what I want and is pretty straight forward to setup :)

  • gestiondbi Member, Patron Provider

    Thanks to all for comments and feedback.

    Did anybody import an RSA or Yubikey token into Duo Security? Otherwise, any information about their own hardware token?

  • Another limitation of the Yubikey is that it can only contain 2048 bytes GPG keys. Not bad, but 4096 is already here...
