Yubico Forum

Hi - I have two yubikeys - and want two factor authentication to my customer tracking site (for my partner and myself)

I guess I don't understand what the website generated API ID does and how it relates to the OTP from the key.

I am using Simons PHP class code to do the authentication.

I thought the Web API genned ID: was unique to the individual Yubikey - but whether I use the ID generated for my Yubikey or the ID generated for my partners Yubikey and the OTP generated in real time by either Yubikey - it passes and allows the login.

(the OTP authentication is working properly but seems to be independent of the API ID)

So it is working - and you must use a yubikey to login - but I want to tighten it to assign the API ID to a specific user then to be checked against the OTP in realtime from the Yubikey.

thanks - great device

ok I figured it out (I think - correct me if Im wrong)

the website genned ID is only used to pull up the shared key used when verifying the OTP against the website.

I realize that I must also store the unique Yubikey ID (the first 12 chars of the OTP that doesnt change) - in my SQL db and search for that too - and verify it against my server side stored username and password and retrieve the website api genned ID - (all first before I fire off the OTP to the Yubico website for final verification)

thanks - its now working exactly as hoped - awesome

Yes, there are a couple of different ID's involved, including at least:

Web Service Client ID: used with the API key id to generate signatures and validate responses from our server. You can generate a new client id and api key from our web pages. We require a valid yubikey output to prevent people from spamming the database.

External ID: The static 12 modhex characters (6 bytes) output as prefix for every output. Allocated randomly.

Internal ID: The static 6 bytes in the encrypted OTP part. Allocated randomly, not the same as the external id.

Hope this helps.

/Simon