Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:15 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Tue Sep 13, 2016 1:09 pm 
Offline

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
Could a potential attacker be able to store the output from a Yubikey that he would temporarily have in his possession and then use that output to login into a Bitlocker-protected Windows 10 machine with the Yubikey login tool?

What about storing an OTP for later use to authenticate other things like Lastpass?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Sep 13, 2016 3:43 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
I assume you're referring to...

HMAC-SHA1 Challenge-Response (Windows Login) - No, Challenge-Response doesn't emit any text like OTP does, and the secrets can't be read off the YubiKey.

Yubico OTP (LastPass) - Yes and no, depending on the use case. Yes, if someone gets your YubiKey and sends an OTP to to their e-mail (for example), they could use this later UNLESS you have validated again since the OTP was generated. Validating a newly generated OTP invalidates all previously generated OTP.

So basically, if you believe someone might have grabbed an OTP, just go to demo.yubico.com as soon as possible and test single-factor. Running this test will invalidate any previously generated OTPs.


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 15, 2016 1:58 am 
Offline

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
Would there be a way to find out if an OTP was generated without being used yet?

I'm assuming that the OTP is only verified through a Yubico server or some central server on the Internet?


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 15, 2016 4:30 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
There is no way to determine if additional OTPs were generated between the last successful authentication


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group