A reference implementation for using YubiKey time stamps to improve
security is started. Feedback on the demo server is most welcome. Especially on how the interface is perceived from a user convenience and security perspective.

The interface currently does not work with Yubidrone (my G-phone's Yubikey emulation), as I have to switch between 2 apps (Yubidrone and the browser) which currently takes too much time. However, I will (of course) do my very best to circumvent this in some later version of Yubidrone .

Also: this type of 'extra' protection does not help against theft. Indeed, it may even provide a false sense of security; the fact that one has to enter 3 OTP's may look impressive, but if one stole my key, he could simply press the key three times instead of once. I can't underwrite your statement that this is more secure than just pressing the key once, perhaps you'd care to explain this?

Hi Henk,

Thanks a lot for your feedback. [...] True. I'll also add an example interface where the OTPs are supplied in the order of the user's pin code. This provides at least some protection for a stolen key as well as added security against eavesdropping since the OTPs will be transmitted in unknown order over Internet.

OTOH, one might argue that now a cracker has 4 OTPs from the same key so in effect it is LESS secure.

If you want to protect users against theft of their keys, simply add a second factor, e.g. a pincode, passphrase, mandatory client side certificate, TAN code etc. etc.