Yubico Forum

Re: Security risks with temporary access to a Yubikey?

2016-09-15T16:30:19+01:00

There is no way to determine if additional OTPs were generated between the last successful authentication

Statistics: Posted by ChrisHalos — Thu Sep 15, 2016 4:30 pm

Re: Security risks with temporary access to a Yubikey?

2016-09-15T01:58:34+01:00

Would there be a way to find out if an OTP was generated without being used yet?

I'm assuming that the OTP is only verified through a Yubico server or some central server on the Internet?

Statistics: Posted by genealogyxie — Thu Sep 15, 2016 1:58 am

Re: Security risks with temporary access to a Yubikey?

2016-09-13T15:43:11+01:00

I assume you're referring to...

HMAC-SHA1 Challenge-Response (Windows Login) - No, Challenge-Response doesn't emit any text like OTP does, and the secrets can't be read off the YubiKey.

Yubico OTP (LastPass) - Yes and no, depending on the use case. Yes, if someone gets your YubiKey and sends an OTP to to their e-mail (for example), they could use this later UNLESS you have validated again since the OTP was generated. Validating a newly generated OTP invalidates all previously generated OTP.

So basically, if you believe someone might have grabbed an OTP, just go to demo.yubico.com as soon as possible and test single-factor. Running this test will invalidate any previously generated OTPs.

Statistics: Posted by ChrisHalos — Tue Sep 13, 2016 3:43 pm

Security risks with temporary access to a Yubikey?

2016-09-13T13:09:33+01:00

Could a potential attacker be able to store the output from a Yubikey that he would temporarily have in his possession and then use that output to login into a Bitlocker-protected Windows 10 machine with the Yubikey login tool?

What about storing an OTP for later use to authenticate other things like Lastpass?

Statistics: Posted by genealogyxie — Tue Sep 13, 2016 1:09 pm