YubiKey and Runbox

Hi, I recently invested in several Yubikeys (from Yubico) to enhance security. It appears that they work with Runbox according to the Yubico community but they haven’t been embraced by Runbox. As a consequence they are deemed as “working with” but not “verified.”

Tragically I haven’t succeeded in making them work with Runbox myself & the security tab doesn’t contain any clues. Has anyone else achieved success & if so can you provide some pointers please.

Cheers

@Yubi Welcome to the forum.

Yubikeys have a number of functions so it rather depends which ones you wanted to use. You can program you Yubikey with your account password and that should work fine. However, we don’t plan to support Yubikey’s own authentication that uses their servers to verify a key.

We do however have the intention to look at U2F which is a function that many hardware devices including Yubikey now support. We think that is a much better way forward as it doesn’t lock anyone in to a single product for use with our service and there are hardware devices compatible with that at a fraction of the cost of a Yubikey.

We don’t have a time scale for this yet, but we hope we can look at it soon.

1 Like

Thanks for your reply.
My reason for investing in Yubikey was exclusively related to improving security in the use of U2F.
My passwords are stored in a 1Password account which is secured via UTF & Yubikey.
I’m conscious of a vulnerability associated with having Google Authenticator on my phone, which would be very convenient for anyone wanting to access a Runbox account.
Any movement in progressing Yubikey compatibility with Runbox would be appreciated.
Regards

1 Like

I use Aegis Authenticator in preference to Google Authenticator.

Aegis has encryption and biometric unlock:

All of your one-time passwords are stored in a vault. If you choose to set a password (highly recommended), the vault will be encrypted using strong cryptography. If someone with malicious intent gets a hold of the vault file, it’s impossible for them to retrieve the contents without knowing the password. Entering your password each time you need access to a one-time password can be cumbersome. Fortunately, you can also enable biometric unlock if your device has a biometrics sensor (i.e. fingerprint or face unlock).

1 Like

Quite a few people don’t seem to know that there are alternatives to Google Authenticator. My personal preference (though I haven’t tried many) is Authy which also encrypts the keys and offers biometric protection. It’s also possible to install it on a desktop/laptop so that copy/paste of codes is possible.

1 Like

My homework today is to find out what a Yubikey is!

I also have been a user of Authy, and we have used it on all our runbox and other accounts when needed. Authy will work across a number of different devices and we found excellent when travelling . Not to say others aren’t as good but we tend to stay away from authenticator simply because we like to use alternatives to the big names