Hey guys,
We are using the Yubicloud OTP service to validate YubiKeys for our users. We've come to discover that the OTP service with YubiKeys only works properly with qwerty keyboards.
To help mitigate this for our non-qwerty users we are planning on the following solution:
1. Detect if the OTP token is qwerty, dvorak, or colemak.
2. If not qwerty, do a simple transform based on the key maps back to qwerty (ex. https://awsm-tools.com/text/keyboard-layout)
3. Validate with OTP APIs using the qwerty token like normal.
The problem we've come to in this solution is how to properly handle step #1. From the OTP token alone, is there a way to reliably determine what type of keyboard it was generated with?
Looking at https://developers.yubico.com/OTP/OTPs_Explained.html and my own OTPs it would seem that the public ID of the YubiKey (first 12 characters) may offer some help. For example, does this ID always start with "c"? If so we could look at that and if it started with "j", we would now know that it is a Dvorak keyboard. This solution would fail for Colemak keyboards though since "c" is mapped to "c".
Is there any advice you can give about the make-up of the OTP tokens that would make this detection possible?
Thanks!
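
Added example, not part of the original post: one way to approach steps 1 and 2 is to test the whole typed string against the character set each layout would produce for Yubico's 16-character modhex alphabet, rather than relying on the first character of the public ID. The Dvorak and Colemak tables assume the standard US variants of those layouts, the function names are hypothetical, and the sample strings are constructed, not real OTPs.

```python
# Added example (not from the original post). Layout tables assume the
# standard US Dvorak and Colemak layouts.
MODHEX = "cbdefghijklnrtuv"  # characters a YubiKey emits under US QWERTY

# Output of the same 16 physical keys under each layout, in MODHEX order.
LAYOUTS = {
    "qwerty": MODHEX,
    "dvorak": "jxe.uidchtnbpygk",
    "colemak": "cbsftdhuneikpglv",
}


def candidates(typed):
    """Map each layout that could have produced `typed` to the OTP it implies
    in QWERTY modhex. More than one entry means the string is ambiguous."""
    typed = typed.strip().lower()
    if not 32 <= len(typed) <= 48:  # Yubico OTP: 0-16 char ID + 32 chars
        return {}
    found = {}
    for name, alphabet in LAYOUTS.items():
        if set(typed) <= set(alphabet):
            found[name] = typed.translate(str.maketrans(alphabet, MODHEX))
    return found


def as_typed(otp, layout):
    """Show how a QWERTY-modhex OTP arrives when the host uses `layout`."""
    return otp.translate(str.maketrans(MODHEX, LAYOUTS[layout]))


# Constructed sample values, not real OTPs.
SAMPLE = "ccccccbdefghijklnrtuvcbdefghijklnrtuvcbdefgh"
AMBIGUOUS = "ccccccbtfgdhunkeilvcbtfgdhunkeilvcbtfgdhunke"

if __name__ == "__main__":
    for layout in LAYOUTS:
        print(layout, candidates(as_typed(SAMPLE, layout)))
    # Only letters shared by QWERTY and Colemak: two different candidates,
    # so the caller has to submit each one for validation.
    print(candidates(AMBIGUOUS))
```

A string that contains none of the letters unique to one layout comes back with more than one candidate; in that case each candidate can be sent through step 3 and the one that validates identifies the layout.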