Yubico Forum

Hello,

Been playing with this app (instead of studying...) and I reaaaaly love it. It's kind of exactly what I was waiting for!!

I just would to make a feature request. Tom, let me know if you guys are going to consider.

I was thinking that before the applet just gives to the desktop app TOTPs for the current time, that it requires the touch of the button.

Since the running computer could be compromised, it could ask the applet to generate all future TOTPs really quickly (unless a specific protection is implemented inside the applet). So by asking the user to press the button before generating new TOTPs to the desktop app, it would prevent generating future TOTPs that could be used by an attacker later on.

Thanks

Morph

Hello Morph,

The scenario you describe is possible. Unfortunately this is not simple to address because of how the Yubikey works internally. The applet on the Yubikey is just sitting there and it is not active until a request comes in, so we cannot implement easily a check and using the internal clock wont be very simple.

However, what you can do is set a password to protect your applet. Just click the FILE menu and hit Change Password. This will require you to unlock the applet before it can be used (you should not unlock the applet on un-trusted computers.)

Currently we cannot ask for user's touch on this applet, but we are working on this for future release.

Tom.

_________________
-Tom