Yubico Forum

If you use the Identity Prefix to lookup the AES key for decryption, I'm not understanding what purpose the Secret Identifier serves. The spec says to use all zeroes if one is not needed, but can someone give me an example of when I might want to use one?

I understand that the "session counter" in combination with the "session use" is used to determine replay attacks. Why are these fields not combined into one non-volatile counter that goes up with each use. Wouldn't that serve the same purpose?

About the time stamp: Is it only really used when accepting 2 OTPs, one after the other during the same session. I've read articles online that say it guards against phishing attacks, but how?

With regards to the timestamps. I don't think they provide any extra security.
They are there to protect against Phishing (where someone grabs your key and generates a number of OTP which he can use later).
In the case of Yubico keys, these stolen OTP will be valid until a new OTP comes along with a higher session counter.
In their documentation Yubico mentions that to increase security you can ask for 2 OTPs and use the timestamp to ensure they were generated within a given time period. But the attacker is likely to have grabbed more than one OTP.
The server could vary the delay from the first OTP to the request of the second OTP but for practical reasons that can't be very long and once you factor in the 10s grace period (for network delays) this random delay is likely less than the time the attacker had to collect OTPs.

If the above is correct I don't see the point why you would ever validate timestamps.

Could someone at Yubico confirm my assumptions or let me know if they are incorrect?

Regards,
Hani