Yubico Forum ...visit our web-store at 2014-01-08T11:14:24+01:00 https://forum.yubico.com/feed.php?f=3&t=1272 2014-01-08T11:14:24+01:00 2014-01-08T11:14:24+01:00 https://forum.yubico.com/viewtopic.php?t=1272&p=4779#p4779 <![CDATA[Re: Response does not contain nonce when BAD_OTP]]>
OTP is not included in the case of BAD_OTP to avoid echoing a potentially mallicious string to the client (as it's failed the validation servers sanity check). And the same goes for the other error conditions where inputs might not have been sanitized yet.

/klas

Statistics: Posted by Klas — Wed Jan 08, 2014 11:14 am

]]> 2014-01-02T09:38:08+01:00 2014-01-02T09:38:08+01:00 https://forum.yubico.com/viewtopic.php?t=1272&p=4761#p4761 <![CDATA[Response does not contain nonce when BAD_OTP]]>
I'm working on integrating YubiKey into our new platform and I'd like to know if it is by design that the response from YubiCloud does not contain nonce (and otp) when status is BAD_OTP.

Code:
"h=rXCkSVYHYUYk+Ju5MvaVSKRhhgY=\r\nt=2014-01-02T08:20:07Z0339\r\nstatus=BAD_OTP\r\n\r\n"


Code:
"h=ltwiOKRC5X62g8HBDw9+CdxE/0Q=\r\nt=2014-01-02T08:20:05Z0697\r\notp=ccccccbtcvvhgnvvbivkdfkrddgnikfkdhjlhgeinhlb\r\nnonce=58a74a555932b9bca389ff3fd5ac6c2d\r\nstatus=REPLAYED_OTP\r\n\r\n"


Looking at the documentation (https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20#response) nowhere this is mentioned.
If it is unintentional, do you plan to include none (and otp) in BAD_OPT responses anytime soon?


Thanks

Sigfrid

Statistics: Posted by sigfrid — Thu Jan 02, 2014 9:38 am

]]>