Ask HN: Why does Yubico need my private key?

jadamson Friday, September 29, 2023

Hi HN,

I've been reading up on YubiKeys, which seem to be well-regarded on HN. When doing my own research, I discovered that the default authentication method requires a copy of the private key to be stored on a validation server[1] (YubiCloud, by default). This can be changed to a private validation server; however, that would also need to have a copy of the private key in order to work.

My question is: why is this necessary at all? Surely the same functionality could be achieved with public-key cryptography rather than requiring the private key to be uploaded[2] to a validator.

[1] https://docs.yubico.com/yesdk/users-manual/application-otp/yubico-otp.html

[2] https://upload.yubico.com/
