Suggestion: Simple tweak to online authentication servers

2010-11-17T16:07:19+01:00

A lot of people have asked about the ability to support multiple or backup Yubikeys. This is actually trivial to do, requiring only a tiny change in the servers and no change in the clients. Simply change the validation servers to track the insertion and OTP counters on a per-private-ID basis.

Then, you could program multiple Yubikeys with the same public ID and AES key but different private IDs. This would permit a simple backup/spare Yubikey mechanism. You could have one on your keychain, one at home, one at the office, and so on.

The personalization tool could easily be modified to allow you to insert any number of Yubikeys and it would simply program each one with a different private ID.

If you want to get fancy, a web page could be provided to associate a 'nickname' with each Yubikey. You just insert a Yubikey, generate an OTP, and enter a nickname, like 'Office' or 'Keychain'. The web interface could permit a lost Yubikey to be disabled simply by bumping the counter for that private ID to the maximum permissible value. (No OTP with a greater count than that can possibly be generated.)

Statistics: Posted by JoelKatz — Wed Nov 17, 2010 4:07 pm

Yubico Forum

Suggestion: Simple tweak to online authentication servers