2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.
Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP.
How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access.
First, let's restate the problem: The problem is that if you validate an OTP using the same AES key that api.yubico.com uses, the OTP you verify will be re-usable again on the api.yubico.com server. It will also be reusable on any other system that also validate OTPs based on the AES key. The reason is that the counter values aren't synchronized.
The simplest solution is to only permit the YubiKey to be used for Windows login. Nothing else. Then you can use our personalization software to write a new AES key into your Yubikey, and configure your Windows login software to use that AES key. Your software needs to remember the counter values, so that you can't replay an OTP against it. However, since it is the only software that validates the OTPs, no synchronization is needed.
There aren't any really good solutions to synchronize OTPs. You could make the Windows login software send the used OTPs to api.yubico.com when it becomes online, but there is a time window when someone could use these tokens if they could get access to them. There is also the security problem of having the AES key stored on your Windows platform, which is hardly immune to Trojans etc. If your AES key is compromised, someone can impersonate you on any service that supports Yubikey.