What Do You Need To Feel Secure?

That was not obvious to me; at first I thought it was not exploitable, but after some acrobatic moves I found a way. I knew what was coming to me, I knew my previous mistakes, and I was ready to fight, while at the same time being afraid because of my previous failure. One key lesson in testing is being proactive rather than receptive. Also, each Yubikey has its own unique identifier and AES secret key used by Yubico’s servers to validate the OTP, which even Google or any other service does not know. Among numerous other topics, TJC specifically addresses three key areas of IT risk management in the new IM standards. This type of system is ideal in areas where pipes may freeze or in data centers where water damage from leaks or condensation may occur. This type of security can also be enhanced by updating operating systems and protocols which may have been exposed by hackers; basically, any measure that prevents intrusion through applications or data sources. This is based on my personal knowledge level, however, and it may not apply to an OSCP who is already a pentester and used to finding 0-days and developing exploits every day for breakfast.

Also, if you have a strong account password, it may even be easier to use the ASP instead to hack into your account. ASP on a smartphone for an easier procedure. Fortunately on Blackberry 10, such as the Q5 for instance, the smartphone is natively 2-step aware, and upon entering your login and password, you have a true Gmail web page asking for a verification code. A Yubikey is more secure than an application such as Google Authenticator because it does not require any driver or software, is not connected to any network (unlike a smartphone), is waterproof and crush-safe, and has no battery. Using a Yubikey is not vulnerable to this kind of attack. So it’s not as easy as just using your browser and entering the login and ASP only, but if instead of entering your account password you just need an HTTP request, that’s still a serious weakness.

Also, you have to follow an inconvenient procedure to make this setup, and on every computer you log in from you will need to install software. If you need one for your workplace, do yourself a favor and consider purchasing the Dahle 20453 high-capacity paper shredder. I then attacked two other servers, with one requiring 4 hours of my time, as I had a very difficult time escalating my privileges. With two secure data processing centers, Brune said the agency is covered in that regard. Please note that currently using a Yubikey for Gmail is possible but really cumbersome: you have to download two pieces of software, one to customize the Yubikey second slot, one to challenge it and send back the answer to Google. I have read that Google is planning this year to allow the native use of a YubiKey instead of Google Authenticator. Just be aware of the Application Specific Password weakness, and let’s be ready for Google’s next move in this area, if they decide to enable native Yubikey support for public accounts.

Gmail’s 2-step system also adds two other kinds of codes: Application Specific Password (ASP) and Backup One Time Password (BOTP). There are two ways I know of to enable it: either by asking Gmail to send an SMS with the verification code, or by installing the Google Authenticator application on your smartphone, which generates verification codes. Just check the warranty that the organization gets along with the support in case there are any problems. It is evident now that firms are becoming more and more aware of the advantages of mobile applications for their businesses. Update 1: Criminals now target both computers and smartphones to retrieve the verification code from the phone as well, to bypass two-factor authentication. All in all, enabling multi-factor authentication is far better than not using it, even with Gmail. Regarding BOTP, so far so good: they cannot be used to lessen the 2-step authentication security, and are a convenient recovery way of getting back access to your account. In order for the company to improve security performance, there must be updated guidelines to develop metrics so that security requirements are met.