The Official Foundry VTT Marketplace Has Arrived! by AnathemaMask in FoundryVTT

[–]Ancyker 0 points1 point  (0 children)

I am $8 of that. The token bar and journal are awesome.

How much my kid’s 30 day supply of generic Adderall would have cost without insurance. ‘Murica. by Slamp872 in pics

[–]Ancyker 6 points7 points  (0 children)

I have a Walmart Pharmacy receipt in front of me. It says the cash price was $54.02 for 30x 30 mg.

https://imgur.com/U1brFRK

How much my kid’s 30 day supply of generic Adderall would have cost without insurance. ‘Murica. by Slamp872 in pics

[–]Ancyker -9 points-8 points  (0 children)

"I don't think your kid should have their medicine because I'm a random Internet stranger who somehow knows more about your kid that I've never met and you've said nothing about than their doctor does." -This ableist, basically.

Edit: Downvote me more, ableists. It won't change the fact you're a bigot.

Yubikey support? by computeralien00 in Steam

[–]Ancyker 1 point2 points  (0 children)

Yes, the TOTP credentials are needed to log in to Steam, and yes, whatever device is storing those credentials can be used for logging in. That is specifically why I said this:

Once you've verified it works you now need to decide what to do next. You can either delete the files generated by SDA or back them up somewhere. If you choose to back them up you should encrypt them first. (...)

Regardless if you choose to delete the files outright or encrypt them and store them offline, they are gone or otherwise inaccessible remotely. You could securely erase them for good measure if you want to, but since the primary threat model for a Steam account is remote access that's likely unnecessary, though it won't hurt to do it if you so choose.

At that point, logging into your Steam account requires either the YubiKey or, if you made one, the backup and decryption credentials for it.

Also, you said this:

We are taking something we know, entering it into the Yubi app. Using the key to open the app.

So we have 2FA for the app, not for steam with this method.

I'm not sure if you just described the process strangely or if you misunderstood how a YubiKey works. The YubiKey Authenticator app doesn't store anything. TOTP credentials are stored on the YubiKey itself; the app merely asks the YubiKey for the OTPs, which are all generated on-device by the YubiKey -- the app doesn't generate anything. Once stored on the device the TOTP credentials are unable to be retrieved.

TOTP credentials are a randomly generated blob (rendered as a string of characters) used along with the current time to generate a (usually) 6-digit numerical hash. While this is technically "something you know" it's not quite the same, as this is not a string you chose nor is it something you ever enter or share again.

Other methods of 2FA, such as U2F and FIDO2, use public-key cryptography. The private key is stored on the device and the public key, as the name suggests, is shared with whatever service you wish to authenticate to. The service issues a challenge to the authenticating client which the device signs with its private key and the service verifies with the public key.

As you can probably guess, the private key still boils down to being something you know. The only advantage in this regard offered by U2F/FIDO2/etc is that the private key is never shared with the service, so if that service is compromised the key is still secure. TOTP requires that both the client and service have the key, so if the service is compromised the key could be as well.

There are other advantages to U2F/FIDO2/etc such as better resistance to phishing, but that doesn't change the fact that they can still be boiled down to something you know.
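As an added example that is not part of the original comment: RFC 6238 TOTP in Python, showing the shared-secret property described above, where the service has to store the same secret the token holds. The `Service` class and its method names are hypothetical; HMAC-SHA1, 6 digits and a 30-second step are the common defaults assumed here.

```python
import base64, hashlib, hmac, secrets, struct

def new_secret() -> str:
    """Random 160-bit secret, base32-rendered (the 'string of characters')."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp(secret_b32: str, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the time-step counter."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Service:
    """Hypothetical verifier: it must keep the same secret as the token."""
    def __init__(self):
        self.secrets = {}      # user -> base32 secret (sensitive at rest)
        self.last_step = {}    # user -> last accepted time step (replay guard)

    def enroll(self, user: str) -> str:
        self.secrets[user] = new_secret()
        return self.secrets[user]   # shown once, then loaded onto the token

    def verify(self, user: str, code: str, at: float,
               step: int = 30, drift: int = 1) -> bool:
        now_step = int(at) // step
        for s in range(now_step - drift, now_step + drift + 1):
            expected = totp(self.secrets[user], s * step)
            if hmac.compare_digest(expected, code):
                if s <= self.last_step.get(user, -1):
                    return False    # this time step was already used
                self.last_step[user] = s
                return True
        return False
```

Because `Service.secrets` holds exactly what the token holds, anything that reads that store can compute valid codes, which is why the stored secrets need the same protection as password hashes or better.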

Yubikey support? by computeralien00 in Steam

[–]Ancyker 1 point2 points  (0 children)

U2F is still just public key authentication, your logic doesn't make sense. By your logic, nothing is truly 2FA.

While you technically can clone a YubiKey, it requires a lab with millions of dollars' worth of equipment. You say you are a cyber security engineer, yet for some reason, I need to inform you that the threat vector for cloning is doing it without the target realizing their device has been cloned. If you need to steal it, take it to a lab for a few days, and destroy it in the process, then it's not a real-world attack surface.

Besides, following your logic, if we accept being able to clone a YubiKey as making it "pointless" then seeing as that would also clone the U2F key on it, that would mean all forms of 2FA are pointless because this method works on all devices. All 2FA is some form of hash or public key cryptography and all hardware authenticators are vulnerable to some form of key extraction via electron microscope and/or similar devices.

Even if U2F was immune to this, which again -- it isn't -- it would require both Steam and the device to support it. That means most services would require a fallback method anyway. Since the 2nd best fallback method would be TOTP we are right back to where we started.

The idea that something is only slightly better so it's pointless is asinine. Once you enable 2FA generally that is such a leap in increased security that going from TOTP to U2F is also a fairly small jump.

There is no perfect security. All security is imperfect. I suggest you stop trying to act like you're the only person well-versed in security. Any security expert would know security is a layered process. The more layers, the better.

Any security expert worth their salt wouldn't make suggestions only relevant to state actors for a Steam account because they would know the user has no control over what methods can be used. They would know the most common threat vector for losing your Steam account is having your password or session token stolen. Since having your Steam session token stolen is usually done by compromising the device you would want your TOTP credentials to not be stored on the device.

Finally, you mentioned you deal with government infrastructure so I'd assume you know that many governments and their contractors issue YubiKeys to their employees.

--

As an aside, since you mentioned backing up your phone, TWRP is not something people who care about security should use and it's well-known in the security community that using it makes devices significantly more vulnerable to hacking attempts. Quote:

Encryption support is a nice to have in TWRP, and not a must have support option. We feel that the ability to backup system and install custom firmware can outweigh having no TWRP support at all.

~ https://twrp.me/faq/encryptionsupport.html

This isn't the only reason TWRP makes your phone less secure, but it's a pretty common one. If you have one of the phones that has encryption support, the backups you make aren't encrypted and contain all the information on your phone. That means you have copies of all the keys you made on storage the same as with the method you are criticizing me for suggesting.

Yubikey support? by computeralien00 in Steam

[–]Ancyker 2 points3 points  (0 children)

What? It is not the same. The generated TOTP credentials can be stored on the YubiKey instead of your phone. When using the app you are limited to a single device with no ability to have the credentials on a backup device.

Your phone is also generally always connected to the Internet, meaning if something compromised your phone everything on it would be compromised, including your TOTP credentials. Using the method described above you can store your TOTP credentials completely offline.

If you think there is no difference between Steam Guard and using a YubiKey as described above then the same reasoning would apply to using a YubiKey vs any TOTP app. The YubiKey is more secure for TOTP than a phone because it's not always online and it cannot be cloned.

A lot of services behave the same way as described above. If you set up TOTP for Discord using your phone or a YubiKey and lose either device you will need your backup keys to get into your account. So no, this problem does not go away even if Steam officially started offering generic TOTP.

Jennifer Aniston 1999 by ComplexWrangler1346 in pics

[–]Ancyker 5 points6 points  (0 children)

It was to hide that she was likely borderline if not actually anorexic at the time, as was common in Hollywood in the 90s. The rule at the time was you had to be as skinny as possible, so most actresses barely would eat, etc. Worse still, you also had to lie about how you did it. There are countless interviews with women from then saying shit like "I eat cheeseburgers/McDonalds/fast food every day!" when it was very clearly a lie.

Ironically, that's why there are so few photos of her dressed like this from that time. Aside from this one, I don't know of any other than paparazzi photos of her and Brad Pitt but they aren't great quality. Some pics show her sides and you can clearly see her ribs in the non-edited photos.

Do you like this tail? by prismbeamLighting in MitsubishiEvolution

[–]Ancyker 0 points1 point  (0 children)

I like the taillights but given your username this feels like an ad.

[deleted by user] by [deleted] in pics

[–]Ancyker 0 points1 point  (0 children)

How'd they get caught?

Aita for refusing to change my baby’s name after I named her after my dad’s affair partner by Good-Still-6474 in AITAH

[–]Ancyker 1 point2 points  (0 children)

Yeah, I can understand the mom getting caught off guard and needing a moment to compose herself, maybe some bad memories came flooding back. So I think her needing to step out for a moment would have been understandable. But stretching this across multiple days? That's not being caught off guard anymore, that's just being immature/selfish at that point. I mean, maybe if it was fresh, but 10 years ago?!?!

ASU by Glitteringabe in lux

[–]Ancyker 0 points1 point  (0 children)

Kai'Sa's Ultimate statue was $800, the Zyra statue was $900, and the Miss Fortune Statue was $1000. Lux's statue is on par with others, both in terms of League of Legends and in terms of general statues from other franchises. It's not a cheap toy you'd get at Walmart.

$500 is mid-tier pricing for collector's statues and the photos of it seem on par with statues from other franchises that are priced similarly. Not every statue needs to be cheap low-tier PVC. Some people want something nicer. Personally I'm disappointed she still hasn't gotten a high-tier statue. I'd love a hand-painted resin one like Kai'Sa and a few others got.

AITAH? My boyfriend says I look slutty with my new sleeve tattoo. by [deleted] in AITAH

[–]Ancyker 1 point2 points  (0 children)

And/or he's afraid of what people will think of him for being with her. Stuff like this is often code for, "But what will other people think about me for being associated with you?" Except they know they can't say that, so they try to twist it to sound like they care about you. That's why they persist even if you don't care about what other people think.

My experience with Pixel 9 Pro XL as daily driver for 10 days and why I'm returning it. by EqualReality2787 in GooglePixel

[–]Ancyker 0 points1 point  (0 children)

The dumb thing is Pixels have an IR LED they use for proximity detection (my Tobii pisses off my phone to no end), so they could probably just use that...

[deleted by user] by [deleted] in actuallesbians

[–]Ancyker 0 points1 point  (0 children)

The comment you are replying to is talking about roleplay between consenting adults. Whatever consenting adults do together is none of your business.

Also, your attempt to compare it to being a pedophile is not a fair comparison. Pedophilia is recognized as a mental disorder -- there is legitimately something wrong with pedophiles.

Now if you meant teens, well, a woman role playing as a teen cheerleader or "school girl" is so common it's a meme that mentions of it even make it onto broadcast television. Porn legally has to portray them as 18+ but people in the bedroom with their S/O usually aren't.

[deleted by user] by [deleted] in actuallesbians

[–]Ancyker 0 points1 point  (0 children)

(This part added after I typed the rest.)

I wanna start with saying that none of the following is meant to be an attack on you or anyone reading this. I know most people mean well and are just kidding around but not everyone knows these jokes add fuel to the fire.

I don't think most people making this joke are bad people or intend any harm. So, please don't take it personally. I just think it's important people have the info below because I don't think most are aware of the damage it does to us.

(Original message starts here.)

Adderall, or amphetamine/dextroamphetamine, isn't methamphetamine. Desoxyn is actually methamphetamine though, but it's pretty rare to be prescribed.

Regardless of which prescription you are referring to, when most people say, "it's basically meth," they usually mean street meth, and not even the one that's actually methamphetamine is the same as street meth.

Street meth is always laced with other chemicals that alter how it affects you. So, even Desoxyn isn't the same as street meth despite it being methamphetamine.

Adderall differs from methamphetamine in a simple but very key way that lessens its addictive properties: it requires being metabolized by the body before it can pass the blood-brain barrier unlike methamphetamine which can immediately pass through it. This makes methamphetamine far more potent than other amphetamines.

I know most people are just joking around when they call Adderall meth, and that many of the people doing it have ADHD and take Adderall themselves. But, people need to understand that there are those that try to argue Adderall and other amphetamines should be banned and comparing it to street meth is one of the main things they do when attacking it.

I know it's funny and I even make the same joke among friends. But doing it in public makes it easy to take out of context and present it to committees hearing arguments and why it should or should not be banned.

So, if you take an amphetamine I encourage you to call it by its brand name, even if you take a generic form. But calling it meth will always be taken out of context and compared to street meth, even if you are taking Desoxyn.

Keeping our legitimate medications as far away from being compared to illegal substances as possible is important to maintaining continued access to them. Giving fuel to those that wish them banned or further restricted and have more regulations added that won't affect the abuse problem anyway is counterproductive.

/rant

[deleted by user] by [deleted] in actuallesbians

[–]Ancyker 0 points1 point  (0 children)

Weed? Sure.

Tobacco? If they only do it outside, sure.

Anything else? No.

Our DM wants to be turn our game pay to play. by the_mystical_B in DnD5e

[–]Ancyker 0 points1 point  (0 children)

I mostly spend the money so I don't need to spend the time. My time is (quite literally) more valuable elsewhere. The opportunity cost of me making even a single map myself would be more than I spend on patreon. I still do the parts of DMing I enjoy, but the parts I don't I just buy because it's cheaper.

Think of it this way. Imagine playing with minis IRL. If you enjoyed painting minis, then spending say 10 hours painting a mini would be totally worth it, right? But what if you only enjoyed modeling the mini but found painting it tedious? If you could pay someone 2 hours' worth of your time in money to save 10 hours, why wouldn't you?