Yubico Forum
It is currently Tue Jan 30, 2018 10:44 am

All times are UTC + 1 hour
 Post subject: otp harvesting
PostPosted: Thu May 29, 2008 9:49 am 
Joined: Thu May 29, 2008 9:44 am
Posts: 21
Hi,

Do you plan on producing a yubikey that has a timer in it so that some sort of time code can come from the key? This would stop a key being "borrowed" and the otps being harvested. These keys would be valid until the user authenticates again using the real key.

 Post subject: Re: otp harvesting
PostPosted: Thu May 29, 2008 8:46 pm 
Site Admin
Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Are you referring to some kind of constantly running timer?

That would add additional protection against harvesting, but with the downside of requiring a battery.

Batteries = cost + limited shelf life + large source of failures + requires battery compartment + additional regulatory burden (at least here in the EU).

A service requiring OTPs to be sent twice during a session can add protection against harvesting. We believe that is a good compromise given that we get rid of the battery.

Regards,

Jakob E
Firmware and Hardware guy @ Yubico

 Post subject: Re: otp harvesting
PostPosted: Thu May 29, 2008 9:32 pm 
Joined: Thu May 29, 2008 9:44 am
Posts: 21
Sure there would be some downsides to having a battery but I don't think they are that onerous. It would probably add 20% to the cost and last 3 years. This is not such a cost compared to the value of the information being protected. It would mean that you / I could answer the question "is this as secure as a football / dongle" with a "yes". There are many different markets for a product such as yours. The current YubiKey is great for paid service offerings (online TV etc.) where you potentially have a few extra viewers watching for free, but corporate data is too valuable and harvesting is a definite issue. You should definitely consider it as a separate product offering.

Wouldn't a second harvested OTP work in the two-OTPs-required scenario?

 Post subject: Re: otp harvesting
PostPosted: Thu May 29, 2008 9:43 pm 
Joined: Thu May 29, 2008 9:44 am
Posts: 21
Re the battery compartment. If you make the units cheap enough then embed the battery in the resin. It preserves the unit's physical integrity / strength and you will have repeat customers as well.

 Post subject: Re: otp harvesting
PostPosted: Mon Jun 02, 2008 8:35 am 
Site Admin
Joined: Tue May 06, 2008 7:22 pm
Posts: 151
Thanks for your thoughts. We will extend our product line eventually, but right now we focus on getting the most simple to use and most reliable approach "out there".

Note that there are some standards-based solutions, like OATH HOTP, that also don't rely on a clock or challenge-response. It is considered good enough by some companies. I do understand (and agree with) your concern that it isn't good enough everywhere, though.

Thanks,
Simon
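The thread above turns on how a counter-based OTP scheme (YubiKey OTP, OATH HOTP) behaves against harvesting: codes recorded from a borrowed key stay valid until the real owner authenticates with a later counter, and a "two OTPs per session" rule is satisfied by a second recorded code just as easily as by the first. The following is an added illustration, not code from Yubico or from this thread: it implements RFC 4226 HOTP with the standard library, a server-side validator that keeps a last-seen counter and a look-ahead window, and a simulated key whose counter advances on each press. The `SimulatedKey` and `CounterOtpValidator` names, the look-ahead size and the scenario itself are assumptions made for the example; the secret and expected codes are the RFC 4226 Appendix D test vectors.

```python
import hashlib
import hmac

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class SimulatedKey:
    """Stand-in for a battery-less token: no clock, just a counter that
    increments on every press (assumed model, not a real device)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class CounterOtpValidator:
    """Server-side check: accept a code only if its counter lies strictly above
    the highest counter already seen and within a look-ahead window; this is
    what makes an already-used or earlier code a rejected replay."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate  # advance; older codes now dead
                return True
        return False


def harvest_scenario() -> dict:
    """Replays the situation discussed in the thread and returns what the
    validator decides at each step."""
    key = SimulatedKey(RFC4226_SECRET)
    server = CounterOtpValidator(RFC4226_SECRET)

    owner_first_login = server.verify(key.press())          # counter 0

    # Key is borrowed briefly and pressed three times; the codes are recorded
    # (constructed scenario: counters 1, 2, 3) and the key is returned.
    recorded = [key.press() for _ in range(3)]

    # Before the owner uses the key again, the recorded codes are fresh.
    first_recorded_accepted = server.verify(recorded[0])     # counter 1
    # A second recorded code also satisfies a "send two OTPs" rule.
    second_recorded_accepted = server.verify(recorded[1])    # counter 2

    # The owner authenticates; the server's counter moves past the record.
    owner_next_login = server.verify(key.press())            # counter 4

    # The remaining recorded code (counter 3) is now behind the server state.
    third_recorded_after_owner = server.verify(recorded[2])
    # Straight replay of a code the server already accepted is rejected too.
    replay_of_owner_code = server.verify(hotp(RFC4226_SECRET, 4))

    return {
        "owner_first_login": owner_first_login,
        "first_recorded_accepted": first_recorded_accepted,
        "second_recorded_accepted": second_recorded_accepted,
        "owner_next_login": owner_next_login,
        "third_recorded_after_owner": third_recorded_after_owner,
        "replay_of_owner_code": replay_of_owner_code,
        "server_last_counter": server.last_counter,
    }


if __name__ == "__main__":
    for step, result in harvest_scenario().items():
        print(f"{step}: {result}")
```

The scenario makes the two points of the thread concrete: a recorded code is indistinguishable from a live press until a later counter reaches the server, so a second-OTP requirement only raises the number of codes an attacker must have recorded, while the legitimate owner's next authentication invalidates everything recorded before it. The look-ahead window is the usual trade-off between tolerating presses that never reached the server and limiting how far ahead a recorded stock of codes remains usable.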