Yubico Forum
https://forum.yubico.com/

Time delta server project
https://forum.yubico.com/viewtopic.php?f=3&t=419

Author:  olov [ Mon Oct 12, 2009 11:48 am ]
Post subject:  Time delta server project

A reference implementation for using YubiKey time stamps to improve
security is started. The project is hosted at

http://code.google.com/p/yubikey-timedelta-server-php/

A demo server of the project is available at

http://timedelta.yubico.com

Feedback on the demo server is most welcome.
Especially on how the interface is perceived
from a user convenience and security perspective.

-
Olov Danielson
Yubico

Author:  fortean [ Mon Oct 12, 2009 6:09 pm ]
Post subject:  Re: Time delta server project

olov wrote:
A reference implementation for using YubiKey time stamps to improve
security is started. Feedback on the demo server is most welcome. Especially on how the interface is perceived from a user convenience and security perspective.


Hey, Olov,

nice work!

The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between 2 apps (Yubidrone and the browser) which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone 8-).

A remark: if we were forced to use this method regularly, we would exhaust the key much faster :shock:

Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter 3 OTP's may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once, perhaps you'd care to explain this?

Thanks and kind regards,
--
Henk

Author:  olov [ Tue Oct 13, 2009 9:59 am ]
Post subject:  Re: Time delta server project

Hi Henk,

Thanks a lot for your feedback.

fortean wrote:
The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between 2 apps (Yubidrone and the browser) which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone 8-).


The allowed timespan between multiple OTPs is set to a value, currently 4 seconds. Maybe that's a bit too tight. I hope to gather some statistics on the demo site in order to come up
with a reasonable default value for this timespan.

fortean wrote:
Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter 3 OTP's may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once, perhaps you'd care to explain this?


True. I'll also add an example interface where the OTPs are supplied in the order of the user's pin code. This provides at least some protection for a stolen key as well as added security against eavesdropping since the OTPs will be transmitted in unknown order over Internet.

Best Regards,
Olov
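A worked example of the check Olov describes above (consecutive OTPs from one key presented within an allowed timespan), added here and not part of the timedelta project's PHP code. It works on the decrypted 16-byte token, so AES decryption and modhex decoding are assumed to have happened already; the field layout and the roughly 8 Hz tick rate are the public YubiKey token format, the 4-second window is the value from the post, and the sample tokens are constructed.

```python
import struct

TICK_HZ = 8  # the YubiKey's internal timestamp advances about 8 times per second

def crc16(data: bytes) -> int:
    """CRC-16 used inside the YubiKey token (reflected poly 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_token(token: bytes) -> dict:
    """Split a decrypted 16-byte token into its fields; reject a bad CRC residue."""
    if len(token) != 16 or crc16(token) != 0xF0B8:
        raise ValueError("bad token length or CRC")
    uid, session, ts_lo, ts_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", token)
    return {"uid": uid, "session": session, "ts": ts_lo | (ts_hi << 16), "use": use}

def make_token(uid: bytes, session: int, ts: int, use: int) -> bytes:
    """Build a constructed sample token with a valid CRC (test data, not a real key)."""
    body = struct.pack("<6sHHBBH", uid, session, ts & 0xFFFF, ts >> 16, use, 0)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def check_sequence(tokens, wall_seconds, window=4.0, tolerance=1.0) -> bool:
    """Accept consecutive OTPs only if they come from one power-up session, the
    per-session use counter strictly increases (no replay), each press arrives
    within `window` seconds, and the key's own timestamp delta matches the clock."""
    fields = [parse_token(t) for t in tokens]
    for prev, cur, t0, t1 in zip(fields, fields[1:], wall_seconds, wall_seconds[1:]):
        if cur["uid"] != prev["uid"] or cur["session"] != prev["session"]:
            return False
        if cur["use"] <= prev["use"]:
            return False  # replayed or out-of-order OTP
        elapsed = t1 - t0
        if not 0 <= elapsed <= window:
            return False  # outside the allowed timespan between OTPs
        key_delta = ((cur["ts"] - prev["ts"]) & 0xFFFFFF) / TICK_HZ  # 24-bit wrap
        if abs(key_delta - elapsed) > tolerance:
            return False  # OTP was generated at a different time than it was presented
    return True

# Constructed samples: three presses 1 s apart, and a pair generated 2 s apart but presented 20 s apart.
UID = b"\x01\x02\x03\x04\x05\x06"
GOOD = [make_token(UID, 7, 1000 + 8 * i, i + 1) for i in range(3)]
GOOD_TIMES = [100.0, 101.0, 102.0]
STALE = [make_token(UID, 7, 1000, 1), make_token(UID, 7, 1016, 2)]
STALE_TIMES = [100.0, 120.0]
```

A real server would additionally reject any OTP whose session/use counters are not above the last values it stored for that key, which the window check alone does not cover.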

Author:  fortean [ Fri Oct 16, 2009 2:31 pm ]
Post subject:  Re: Time delta server project

olov wrote:
Hi Henk,

Thanks a lot for your feedback. [...] True. I'll also add an example interface where the OTPs are supplied in the order of the user's pin code. This provides at least some protection for a stolen key as well as added security against eavesdropping since the OTPs will be transmitted in unknown order over Internet.


OTOH, one might argue that now a cracker has 4 OTPs from the same key so in effect it is LESS secure.

If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client side certificate, TAN code etc. etc.

Author:  olov [ Mon Oct 19, 2009 10:10 am ]
Post subject:  Re: Time delta server project

fortean wrote:
OTOH, one might argue that now a cracker has 4 OTPs from the same key so in effect it is LESS secure.

Interesting point, from this perspective it might be good to always validate the first
OTP against the validation server before the next OTP is requested. It might though
add some inconvenience for the user who needs to wait for the validation process
before the next OTP can be entered.

fortean wrote:
If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client side certificate, TAN code etc. etc.

Yes, this is certainly an option.

Regards,
/Olov

All times are UTC + 1 hour