Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:55 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sat May 08, 2010 4:19 pm 
Offline

Joined: Sat May 08, 2010 4:15 pm
Posts: 3
Hi,

New to yubikey and i'm trying to make a php plugin for StatusNet (just for fun)

I'm a little confused though at how the ->verify($otp) works in the PEAR module. In the examples and the MediaWiki plugin it doesnt seem to map that i have MY Yubikey and not someone elses. What if someone stole my password and had their own Yubikey, wouldnt that verify still pass?

So how do i make that link 1 to 1 between the Yubikey i hold and the user on the site.

I also use LastPass and they had me enter in 1 OTP to "link" it i suppose, though i'm not technically sure how that worked ether, just trying to get my head around how this works.

Thanks!


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sat May 08, 2010 4:47 pm 
Offline

Joined: Sat May 08, 2010 4:15 pm
Posts: 3
Just watched some lastpass screen casts and i think it may have cleared it up for me.

The first 12 chars are a static identifier for that key correct? so i can keep a config table such as
user_id,yubikey_id to do a verification before submitting the web call.

There's no real documentation around this or i missed it (very possible)

Let me know if i'm on the wrong track here.

Thanks,


Top
 Profile  
Reply with quote  
PostPosted: Sat May 08, 2010 7:17 pm 
Offline

Joined: Mon Mar 15, 2010 11:34 pm
Posts: 11
helfire wrote:
Just watched some lastpass screen casts and i think it may have cleared it up for me.

The first 12 chars are a static identifier for that key correct? so i can keep a config table such as
user_id,yubikey_id to do a verification before submitting the web call.

There's no real documentation around this or i missed it (very possible)

Let me know if i'm on the wrong track here.

Thanks,


Yes, the first 12 characters are a static device identifier.

Actually there is quite a lot of documentation available, but it's scattered around many places and pdf documents.

Maybe you will find some information located in my project's docs helpful.


Top
 Profile  
Reply with quote  
PostPosted: Sat May 08, 2010 7:33 pm 
Offline

Joined: Sat May 08, 2010 4:15 pm
Posts: 3
Thanks for the info, the more i poke around the better i'm understanding.

The very simple example just lead me to have these questions.

One other question though, is it best practice to hash the first 12 char identifier? Reading a bit on lastpass it seems thats all they use for offline auth.


Top
 Profile  
Reply with quote  
PostPosted: Sat May 08, 2010 9:07 pm 
Offline

Joined: Mon Mar 15, 2010 11:34 pm
Posts: 11
No problem.

For the offline authentication you need AES as well (only device id does not help you).

And for the AES key you need to re-program your YubiKey.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group