Yubico Forum

Re: otp harvesting

2008-06-02T08:35:33+01:00

Thanks for your thoughts. We will extend our product line eventually, but right now we focus on getting the most simple to use and most reliable approach "out there".

Note that there are some standards based solutions, like OATH HOTP that also doesn't rely on a clock or challenge response. It is considered good enough by some companies. I do understand (and agree with) your concern that it isn't good enough everywhere though.

Thanks,
Simon

Statistics: Posted by Simon — Mon Jun 02, 2008 8:35 am

Re: otp harvesting

2008-05-29T21:43:57+01:00

Re the battery compartment. If you make the units cheap enough then embed the battery in the resin. It preserves the unit's physical integrity / strength and you will have repeat customers as well.

Statistics: Posted by metamind — Thu May 29, 2008 9:43 pm

Re: otp harvesting

2008-05-29T21:32:39+01:00

Sure there would be some downsides to having a battery but I don't think they are that onerous. It would probably add 20% to the cost and last 3 years. This is not such a cost compared to the value of the information being protected. It would mean that you / I could answer the question "is this as secure as a football / dongle" with a "yes". There are many different markets for a product such as yours. The current YubiKey is great for paid service offerings (online tv etc) where you potentially have a few extra viewers watching for free but corporate data is too valuable and harvesting is a definite issue. You should definitely concider it as a seperate product offering.

Wouldn't a second harvested otp work in the two-otps-required scenario.

Statistics: Posted by metamind — Thu May 29, 2008 9:32 pm

Re: otp harvesting

2008-05-29T20:46:21+01:00

Are you refering to some kind of constantly running timer ?

That would add additional protection against harvesting, but with the downside of requiring a battery.

Batteries = cost + limited shelf life + large source of failures + requires battery compartment + additional regulatory burden (at least here in the EU).

A service requiring OTPs to be sent twice during a session can add protection against harvesting. We beleive that is a good compromise given that we get rid of the battery.

Regards,

Jakob E
Firmware and Hardware guy @ Yubico

Statistics: Posted by Jakob — Thu May 29, 2008 8:46 pm

otp harvesting

2008-05-29T09:49:23+01:00

Hi,

Do you plan on producing a yubikey that has a timer in it so that some sort of time code can come from the key? This would stop a key being "borrowed" and the otps being harvested. These keys would be valid until the user authenticates again using the real key.

Statistics: Posted by metamind — Thu May 29, 2008 9:49 am