Yubico Forum

Another "silent" feature of the Yubikey is the ability to "double-click" CapsLock, ScrollLock and NumLock keys to trigger the release of an OTP. It was introduced in an early stage where we thought that we could have a Yubikey without a button - known as "Yubikey Basic".

The function relies on monitoring the status LED output reports. If two reports are recieved within 0.8 seconds where the LED status flips, the OTP is triggered.

A caveat is of course that this in theory allows a Trojan to trigger the release of an OTP. If this is a real risk it is up to everyone to judge.


The default setting for this feature is OFF, so I believe most people haven't tried it.

What do you think - shall we keep this function as is or shall we drop it.

Regards,

JakobE
Hardware- and firmware guy @ Yubico

I think this should be off by default -- I don't want trojan to be able to use my Yubikey.
Still it's nice feature: It could be used as a dongle for providing license for application. In that case vendor of the product would reprogram Yubikey to have that option enabled and send key to customer. Application can then be downloaded from internet and when running it would automatically test that "license dongle" is attached.

I second that, its not something I would use so would hope for it to be off by default. But I am sure someone would be willing to trade a little security for convenience.

I too would vote for keeping this option but leaving it OFF by default. I would very likely--on occasion--trade convenience for the increase in risk.

I, too, would favor leaving the feature and having it off by default with the assumption that this would require the programming password to turn it on. Which, BTW, would suggest that the ability to turn it on and off should be added to the personalization tool.

Dick

I agree.
Keep it, have it turned off, and put a on/off-toggle for it in the personalization software.