Yubico Forum ...visit our web-store at 2011-08-06T02:47:05+01:00 https://forum.yubico.com/feed.php?f=5&t=603 2011-08-06T02:47:05+01:00 2011-08-06T02:47:05+01:00 https://forum.yubico.com/viewtopic.php?t=603&p=2767#p2767 <![CDATA[Re: Purpose of the Secret Identifier & Time Stamp? & other Q]]> They are there to protect against Phishing (where someone grabs your key and generates a number of OTP which he can use later).
In the case of Yubico keys, these stolen OTP will be valid until a new OTP comes along with a higher session counter.
In their documentation Yubico mentions that to increase security you can ask for 2 OTPs and use the timestamp to ensure they were generated within a given time period. But the attacker is likely to have grabbed more than one OTP.
The server could vary the delay from the first OTP to the request of the second OTP but for practical reasons that can't be very long and once you factor in the 10s grace period (for network delays) this random delay is likely less than the time the attacker had to collect OTPs.

If the above is correct I don't see the point why you would ever validate timestamps.

Could someone at Yubico confirm my assumptions or let me know if they are incorrect?

Regards,
Hani

Statistics: Posted by Hani — Sat Aug 06, 2011 2:47 am

]]> 2010-12-07T23:03:28+01:00 2010-12-07T23:03:28+01:00 https://forum.yubico.com/viewtopic.php?t=603&p=2462#p2462 <![CDATA[Purpose of the Secret Identifier & Time Stamp? & other Q's]]>
I understand that the "session counter" in combination with the "session use" is used to determine replay attacks. Why are these fields not combined into one non-volatile counter that goes up with each use. Wouldn't that serve the same purpose?

About the time stamp: Is it only really used when accepting 2 OTPs, one after the other during the same session. I've read articles online that say it guards against phishing attacks, but how?

Statistics: Posted by jjkool — Tue Dec 07, 2010 11:03 pm

]]>