Yubico Forum

Can someone help me and explain some basic questions

1.) What exactly is OTP used for?

2.) I have my key currently set up for OTP in slot 1, HMAC-SHA login for windows on config 2.
Do I have to choose between HMAC-SHA or OATH-TOTP in config 2? I would love to be able to use all three.

How does one go about setting up OATH 2FA for something like Amazon?

(1) Sites like LastPass, Salesforce, and others. If you don't need this, you could always program a different credential in slot 1 with the Personalization Tool

(2) Assume you're referring to a YubiKey 4 or YubiKey NEO, if so, you can store and access authenticator credentials with Yubico Authenticator (these are time-based, which the YubiKey can't calculate without a companion app, Yubico Authenticator). You can store up to 30 credentials here, give-or-take (depending on factors like the length of the credential name being used).

(3) https://www.amazon.com/gp/help/customer ... =201962420

Adding credentials is virtually identical to adding credentials with Google Authenticator, except the secrets are stored in the YubiKey and you're using Yubico Authenticator as the app instead.

Hi Chris, thanks for the reply.

For your last line, what is the point of using a Yubikey in this config then if the secrets are stored on the Yubikey?

Not sure I understand your question. The purpose of using the YubiKey is that the secret used to generate the TOTP codes remains stored on the secure element (rather than on your hard drive). To actually generate the code, the YubiKey has no knowledge of the current time (no internal battery), so it needs Yubico Authenticator (app) to calculate the code.

Is the secret sent to the Yubikey Authenticator app to calculate the final code/token or is the time sent to the Yubikey to perform the calculation?
If the former, then it is a very important design flaw/vulnerability as it would allow someone to steal the secrets stored on the Yubikey secure element as they are sent to the Yubikey Authenticator app by monitoring the USB and/or the NFC traffic, this could be further automated by a hidden daemon running on the target's phone/computer.

Can you share more details the full process through which the token/codes get generated?

_________________
---
PGP Fingerprint: DF46 8C79 5D1A 76FF 75B2 C345 4679 EDEF 1B5B B192

Public Key:
https://keybase.io/mathieulh/pgp_keys.asc?fingerprint=df468c795d1a76ff75b2c3454679edef1b5bb192

Proof: https://keybase.io/mathieulh

You can find the full specification of the protocol here: https://developers.yubico.com/ykneo-oath/Protocol.html

Once loaded onto a YubiKey the secret never leaves it.