Yubico Forum

So I just got my yubikeys in the mail the other day and I'm just confused on a few parts of it.

First off, when I generate keys with the token, I'm assuming that OTP means they cannot be used again on another service (hence the one time part). However, say a friend or relative borrows my keys for a moment to get into my car and they decide to generate a list of 25 OTPs on their phone while they're away going to my car. Will these all work for them and allow them into my car, or will using one key prevent any keys generated before it from being used? In other words, if I generate 10 keys and save them to a text file, then use my yubikey to login to a site, will the first 10 keys that I saved still be valid or is there a time encoded in it that is updated somewhere (ex. Yubico's API) which won't allow keys generated beforehand?

Secondly, there are two slots on the device, how will it know which configuration to use?

Thirdly, I know you can reprogram your key to do other things, such as enter a static password or act as a TOTP generator. I also know the first slot comes preconfigured and overwriting it will destroy the YubiCloud configuration. I'm guessing this can be reset to work again (after sending the new AES key to the YubiCloud) to act just like it does from the factory?

I want to try customizing one of my devices to see all what it can do and what would be the best approach, however there's no simple "Click to factory restore" option and I can't see what the specific settings are for the device. What is the exact configuration of the devices from factory?

What are the differences between the Yubikey nano and YubiHSM? They look similar but the YubiHSM is 110 times the price, so it's obviously something worth more. I won't be purchasing one anytime soon, I'm just curious is all.

Also, I do have one of each device so you're aware (4, 4 nano, and neo. not the fido)

(1) Once a Yubico OTP is validated, all previously generated OTPs are invalidated. You can test this out by sending a bunch of OTPs to Notepad or something similar, then go to demo.yubico.com and test a new OTP, then paste previously generated one and see that it fails on the test site.

(2) Slot 1 - tap the button. Slot 2 - tap and hold the button for ~ 3 seconds (hold it until something is sent) - if we're talking the YubiKey NEO on Android over NFC, only one of the slots can be used since the device doesn't receive enough power to use button press.

(3) There is no factory reset option. The Yubico OTP credential can be wiped from slot 1 and a new one can be generated and uploaded (https://www.yubico.com/products/service ... ey-upload/), but the original credential cannot be recovered.

The Yubico-generated and customer-generated Yubico OTP credentials are virtually identical - the only difference being that Salesforce requires the Yubico-generated credential. Any other services that I'm aware of will also accept customer-generated Yubico OTP credentials.

Thanks for the information!

As for the OATH-HOTP, does this have the same setup as far as using a key blocks old keys, or is that just the cloud version?

What is the difference between the Yubico OTP and Challenge-Response Yubico OTP?