I'm currently trying to implement a Yubico OTP authentication in C#.
Basically, what I'm trying to do is the folloing:
1. When the user tries to authenticate to my website, I take the OTP submitted with the YubiKey
2. I try to authenticate to the Yubico authentication service using the following code (taken from the google project reference on Yubico's website) with the authid that I have generated here https://upgrade.yubico.com/getapikey/
// Yubico .NET client cliass that calls Yubico authentication server to
// validate an OTP (One-Time Password) generated by a Yubikey
// March 2008
// Yubico.com - the elegant strong authentication built for the web
/// Your app instantiate an object of this class, then call verify(OTP) to validate the
/// one-time password (OTP) generated by Yubikey
public class YubicoClient
const String YUBICO_AUTH_SRV_URL = "http://api.yubico.com/wsapi/verify?id=";
private int _authId = -1;
private String _response;
//// Input param authId is assigned to you by Yubico. Each site operator has an authId
// Eg. mashedLife.com authId is 28, dragonIPTV.com authId is 27, etc.
// Contact email@example.com if you haven't got an authId for your site.
public YubicoClient(int authId)
_authId = authId;
_response = "";
//// Input param OTP is generated from your Yubikey when touching the button on it
public Boolean verify(String otp)
Boolean result = false;
_response = "";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(
YUBICO_AUTH_SRV_URL + _authId + "&otp=" + otp);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
String ver = response.ProtocolVersion.ToString();
StreamReader reader = new StreamReader(response.GetResponseStream());
string str = reader.ReadLine();
while (str != null)
str = reader.ReadLine();
_response += str + "\n";
result = true;
} // End of verify
//// Useful to verify the cause of a validation error
} // End of class YubicoClient
3. If the username, password and verify method above are all passed, then my user is authenticated.
Is that all I need to do?
Is the code above correct?
I saw somewhere that we can have an "h" parameter, but don't see it on the code... is that normal ?
Thanks a million for your help and kind regards,