What is the risk of having a 2FA key permanently plugged into my device?

Yubico offers the YubiKey Nano, a 2FA key designed to be left inside the device more or less permanently.

While it does add comfort to be able to just leave it plugged in, what risks would there be if the device was stolen?

From what I could gather, local device accounts would have the same level of protection as a regular passphrase would provide. Online accounts, depending on the setup, would either have no protection at all (e.g. through a “Remember me on this device” function), or the same protection as a regular passphrase.

Is there anything I am missing?

Is building part of an href on a webpage from URL parameters a security risk?

I’ve written some code and have a feeling there’s a security issue with it, but I can’t figure out what it is.

Is there a security risk in including URL parameters directly into part of a link on a webpage?


  • User visits https://www.example.com/1/guid
  • JS reads the URL, and retrieves part of it, in this case guid
  • JS builds a URL using that data https://www.example.com/2/guid
  • That new URL is added to the page (Adding the URL to the page is escaped, so injecting JS shouldn’t be a problem, in theory)

Is there any way that displaying or clicking on https://www.example.com/2/<any plain text here> could be a security flaw?
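As an added example (not code from the question), the following shows what a path segment taken straight from the page URL can do to a link built by concatenation, and a check that restricts it to a GUID. The host https://www.example.com and the /1/ and /2/ paths are from the question; the GUID pattern, the function names and the crafted input are assumptions for illustration.

```javascript
// Added example, not code from the question. Assumed: the "guid" segment is
// meant to be a GUID, so anything else is rejected.
const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

const ORIGIN = "https://www.example.com";

// Third path segment of the current page, e.g. "guid" in https://www.example.com/1/guid,
// percent-decoded the way a naive script would do it. Note that the URL parser keeps
// "%2F" encoded in pathname, so a crafted "..%2Fadmin" arrives as one segment and only
// becomes "../admin" after this decode.
function segmentFromUrl(href) {
  const parts = new URL(href).pathname.split("/");
  return parts.length > 2 ? decodeURIComponent(parts[2]) : "";
}

// What the question describes: concatenate the segment into /2/ and let the URL
// parser normalise the result. Dot segments are resolved and '?' / '#' start a
// query or fragment, so the segment controls more than one path component.
function buildLinkNaive(segment) {
  return new URL("/2/" + segment, ORIGIN).href;
}

// Hardened: accept only a GUID-shaped value, and percent-encode it anyway so that
// '/', '?', '#' and '..' can never reach the path even if the pattern is relaxed.
function buildLinkSafe(segment) {
  if (!GUID_RE.test(segment)) return null;
  return new URL("/2/" + encodeURIComponent(segment), ORIGIN).href;
}

// End to end: a crafted page URL (constructed input) becomes a link to a different
// path on the same origin with the naive builder, and is rejected by the safe one.
function craftedExample() {
  const segment = segmentFromUrl(ORIGIN + "/1/..%2Fadmin");
  return { naive: buildLinkNaive(segment), safe: buildLinkSafe(segment) };
}
```

Because the scheme and host are fixed by the concatenation, a `javascript:` or cross-origin link cannot arise this way; what the segment does control is which same-origin path (and query or fragment) the link points to, which is why the value should be validated against its expected shape rather than only HTML-escaped on output.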

Is there a risk of a bootstrap problem when using NTS?

Reading up on the NTP protocol Wikipedia page as well as blog posts about NTS, it appears that NTS uses TLS to start the encrypted connection. From what I understand, TLS might not work properly if there is a significant difference in time between the server and client. If so, doesn’t using NTS mean that if the client system time is misconfigured, the NTS call might fail because the TLS connection can’t be established?

Reduce the risk of QRLJacking

I am currently working on a personal project to facilitate the connection of users to a private interface using a mobile application and a QR Code.


  1. Users download an application and log in with a username and password.
  2. Users then connect to a web interface with a QR code.
  3. When users scan the QR code with their mobile, the web service allows each user to access his private interface.

In my research, I came across the QRLJacking exploit allowing a hacker to log in with his QR code.

What techniques could be implemented to drastically reduce the risk of hacking?

So far, I have thought of several ways but they are not ideal:

  • Requesting to scan a second QR code once the first has been scanned (thus requiring the hacker to have access to the second QR code).
  • Limit the validity of the QR code to 15 seconds (thus requiring the hacker to act very quickly).
  • Require the user to connect their phone to the same network and include the IP address in the QR code.

Risk of having Azure Multi Site-To-Site VPN with different client

My company decided to build an ETL server on Azure and share it with multiple clients. My task is to research the possibility of setting up multiple VPN tunnels from the cloud to multiple client office networks. I feel that it will have security concerns, but this is just my opinion; can anyone help me list out the risks? Should I proceed?

Is it a security risk to host a CS:GO server on my PC?

I have quite good hardware in my PC and a fiber-optic connection. I opened a CS:GO (Counter-Strike: Global Offensive) server on it and made it public. The IP for connecting to this server is my public IP address.

I set a strong password on the router admin (24+ characters). I made sure that I have no risky/unwanted ports open. So in short, except for DDoS attacks, is this setup risky in any way?