Yubico Forum
https://forum.yubico.com/

Support for unlimited HOTPs / TOTPs
https://forum.yubico.com/viewtopic.php?f=12&t=2265
Page 1 of 1

Author:  brian_sm [ Wed Mar 23, 2016 4:41 pm ]
Post subject:  Support for unlimited HOTPs / TOTPs

I have a plethora of TOTP accounts, currently on my smartphone.

Unfortunately the standard Yubikey has only two slots for OATH HOTP/TOTP(*). I believe that more recent devices will store 28-32 credentials(**).

It would be great if the Yubikey could handle an unlimited number of TOTP accounts in a secure way. I believe this should be possible by two operations:

1. pass in the initial secret, encrypt it with an (internal) AES key, return the encrypted secret
2. pass in the encrypted secret plus challenge or timestamp, return the HMAC-SHA1 response

Then an unlimited number of encrypted secrets could be stored safely in host storage, or even backed up to the cloud, but not usable without the companion Yubikey.

Perhaps this is entering too close into YubiHSM territory? But if it were limited to just HMAC-SHA1 types of operations I don't think it would be usable for encryption.

Thanks,

Brian.

(*) The document at https://www.yubico.com/wp-content/uploa ... -Setup.pdf says:
"All YubiKey hardware can support the OATH-TOTP standard authentication method ...
This method utilizes one of the two configuration slots for a single site; no more than 2 sites or services
can be supported on a single YubiKey"

... but doesn't mention that keys other than Yubikey Standard/Edge may support a different method.

(**) At https://www.yubico.com/faq/how-many-cre ... enticator/
it says "You can store up to 32 OATH credentials (TOTP or HOTP) on the YubiKey and access them using the Yubico Authenticator companion application."

From earlier context in the paragraph, I think "the YubiKey" here must be referring to the YubiKey 4.

At https://developers.yubico.com/yubioath-desktop/ it says it supports
"both slot-based credentials (compatible with any YubiKey that supports OTP) as well as the more powerful standalone OATH functionality of the YubiKey NEO"
... but makes no mention of the YubiKey 4.

This is an area of documentation which I think could do with some tidying up. Reading between the lines, I *think* that the YubiKey 4 has the same "new" OATH capabilities as the YubiKey NEO, except with 32 slots instead of 28.

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/