Yubico Forum
https://forum.yubico.com/

Two-factor authentication with static OTP
https://forum.yubico.com/viewtopic.php?f=4&t=228

Author:  Jakob [ Tue Jan 13, 2009 4:22 pm ]
Post subject:  Two-factor authentication with static OTP

I've got the question several times regarding the security of a static OTP Yubikey - what if someone finds my key and logs onto my service?

It is important to understand that the static OTP approach is a compromise and given that the code is static, it is susceptible to eavesdropping, phishing, keyloggers and such threats. However, as the code is long and awkward, it is "by that very nature" less susceptible to be "told over the phone", being written down or being remembered by someone.

The static OTP approach is designed with this security compromise in mind and the target applications are legacy- and off-line applications where dynamic codes won't work.

One simple way to add a two-factor security is to prefix the OTP string with an ordinary password:

1. Assume a static OTP Yubikey yielding the string lhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj

2. Select a password, let's say "foobar"

3. In the enter password field, enter foobar and then emit the static OTP. The string is then foobarlhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj


A variety of this is when it is desired to use the key for more than one service and one doesn't want to reuse the same password on two sites:

1. Site A has password "foobar" - the password string becomes foobarlhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj

2. Site B has password "barfoo" - the password string becomes barfoolhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj


Although the Yubico validation server does not support it [yet], the same scheme can be used for dynamic OTPs as well. Simply prefix the password with your PIN and you have a pretty good two factor setting.


One can of course add a bit of obfuscation by selecting a modhex-like password string :)


As a final and closing word - Please understand the strengths and limitations of the static scheme before using it. It is a compromise and in several cases a good one.


Regards,

Jakob E
Hardware- and firmware guy @ Yubico
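
Added example, not part of the post above and not Yubico code: a Python sketch of how a service could check the "PIN + dynamic OTP" string suggested in the post. The names `split_credential`, `enroll`, `check_login` and the caller-supplied `validate_otp` are hypothetical, and it assumes a 44-character OTP whose first 12 characters are the key's public ID.

```python
import hashlib
import hmac
import os

MODHEX = set("cbdefghijklnrtuv")  # the 16 modhex characters
OTP_LEN = 44                      # length of the key string in the post
ID_LEN = 12                       # assumption: default 12-character public ID

def split_credential(submitted):
    """Split 'PIN + OTP' by length: the last 44 characters are the OTP.

    Splitting by alphabet would fail, since a PIN such as "foobar" (or a
    modhex-like one) can itself consist of modhex characters.
    """
    if len(submitted) <= OTP_LEN:
        raise ValueError("nothing in front of the OTP")
    pin, otp = submitted[:-OTP_LEN], submitted[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        raise ValueError("last 44 characters are not modhex")
    return pin, otp

def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def enroll(pin, public_id):
    """Create the per-user record: salted PIN hash plus the key's public ID."""
    salt = os.urandom(16)
    return {"salt": salt, "pin": hash_pin(pin, salt), "public_id": public_id}

def check_login(record, submitted, validate_otp):
    """Both factors must pass: PIN hash matches and the OTP validates.

    validate_otp is a caller-supplied function (hypothetical here) that asks
    a validation service whether this dynamic OTP is genuine and unused.
    """
    try:
        pin, otp = split_credential(submitted)
    except ValueError:
        return False
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin"])
    key_ok = hmac.compare_digest(otp[:ID_LEN], record["public_id"])
    return pin_ok and key_ok and validate_otp(otp)

if __name__ == "__main__":
    sample = "lhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj"  # string from the post, as a stand-in OTP
    record = enroll("foobar", sample[:ID_LEN])
    print(check_login(record, "foobar" + sample, lambda otp: True))
```

Only the PIN hash and the public ID are stored; the OTP itself is never kept, and the validator is called only after the PIN and key binding have passed.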

All times are UTC + 1 hour