Yubico Forum


All times are UTC + 1 hour

 Post subject: Confused beginner
PostPosted: Thu Aug 18, 2016 11:11 am 

Joined: Thu Aug 18, 2016 10:59 am
Posts: 2
Can someone help me and explain some basic questions?

1.) What exactly is OTP used for?

2.) I have my key currently set up for OTP in slot 1, HMAC-SHA login for Windows on config 2.
Do I have to choose between HMAC-SHA or OATH-TOTP in config 2? I would love to be able to use all three.

How does one go about setting up OATH 2FA for something like Amazon?



 Post subject: Re: Confused beginner
PostPosted: Thu Aug 18, 2016 4:42 pm 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
(1) Sites like LastPass, Salesforce, and others. If you don't need this, you could always program a different credential in slot 1 with the Personalization Tool

(2) I assume you're referring to a YubiKey 4 or YubiKey NEO; if so, you can store and access authenticator credentials with Yubico Authenticator (these are time-based, which the YubiKey can't calculate without a companion app, Yubico Authenticator). You can store up to 30 credentials here, give or take (depending on factors like the length of the credential name being used).

(3) https://www.amazon.com/gp/help/customer ... =201962420

Adding credentials is virtually identical to adding credentials with Google Authenticator, except the secrets are stored in the YubiKey and you're using Yubico Authenticator as the app instead.

 Post subject: Re: Confused beginner
PostPosted: Thu Aug 18, 2016 5:45 pm 

Joined: Thu Aug 18, 2016 10:59 am
Posts: 2
ChrisHalos wrote:
(1) Sites like LastPass, Salesforce, and others. If you don't need this, you could always program a different credential in slot 1 with the Personalization Tool

(2) I assume you're referring to a YubiKey 4 or YubiKey NEO; if so, you can store and access authenticator credentials with Yubico Authenticator (these are time-based, which the YubiKey can't calculate without a companion app, Yubico Authenticator). You can store up to 30 credentials here, give or take (depending on factors like the length of the credential name being used).

(3) https://www.amazon.com/gp/help/customer ... =201962420

Adding credentials is virtually identical to adding credentials with Google Authenticator, except the secrets are stored in the YubiKey and you're using Yubico Authenticator as the app instead.

Hi Chris, thanks for the reply.

For your last line, what is the point of using a Yubikey in this config then if the secrets are stored on the Yubikey?

 Post subject: Re: Confused beginner
PostPosted: Thu Aug 18, 2016 11:46 pm 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Not sure I understand your question. The purpose of using the YubiKey is that the secret used to generate the TOTP codes remains stored on the secure element (rather than on your hard drive). To actually generate the code, the YubiKey has no knowledge of the current time (no internal battery), so it needs Yubico Authenticator (app) to calculate the code.

 Post subject: Re: Confused beginner
PostPosted: Wed Dec 07, 2016 2:27 pm 

Joined: Fri Mar 20, 2015 4:35 pm
Posts: 4
ChrisHalos wrote:
Not sure I understand your question. The purpose of using the YubiKey is that the secret used to generate the TOTP codes remains stored on the secure element (rather than on your hard drive). To actually generate the code, the YubiKey has no knowledge of the current time (no internal battery), so it needs Yubico Authenticator (app) to calculate the code.

Is the secret sent to the Yubikey Authenticator app to calculate the final code/token or is the time sent to the Yubikey to perform the calculation?
If the former, then it is a very important design flaw/vulnerability, as it would allow someone to steal the secrets stored on the YubiKey secure element as they are sent to the Yubico Authenticator app by monitoring the USB and/or the NFC traffic. This could be further automated by a hidden daemon running on the target's phone/computer.

Can you share more details on the full process through which the tokens/codes get generated?

_________________
---
PGP Fingerprint: DF46 8C79 5D1A 76FF 75B2 C345 4679 EDEF 1B5B B192

Public Key:
https://keybase.io/mathieulh/pgp_keys.asc?fingerprint=df468c795d1a76ff75b2c3454679edef1b5bb192

Proof: https://keybase.io/mathieulh

 Post subject: Re: Confused beginner
PostPosted: Thu Dec 08, 2016 5:19 pm 
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
You can find the full specification of the protocol here: https://developers.yubico.com/ykneo-oath/Protocol.html

Once loaded onto a YubiKey the secret never leaves it.

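As an added illustration, not code from this thread, from Yubico, or from the linked protocol page: a simulation of the division of work the admin describes. The host derives the time counter and sends it to the token as a challenge; the token holds the secret, computes the HMAC and returns only the truncated result. Class and function names are invented, the real applet speaks APDUs as documented in the linked protocol, and the secret and times are the RFC 6238 test vectors so the output can be cross-checked.

```python
import hashlib
import hmac
import struct


class SimulatedOathKey:
    """Stand-in for the token side of an OATH CALCULATE exchange.

    The secret is written once and is never readable afterwards; the host
    only ever receives HMAC output for a challenge it supplies. This is a
    constructed simulation, not Yubico's applet or its APDU encoding.
    """

    def __init__(self):
        self._secrets = {}  # credential name -> raw secret bytes

    def put(self, name, secret):
        self._secrets[name] = bytes(secret)

    def calculate(self, name, challenge):
        # HMAC-SHA1 over the 8-byte challenge, then RFC 4226 dynamic
        # truncation to a 31-bit integer. Only this value leaves the token.
        digest = hmac.new(self._secrets[name], challenge, hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_challenge(unix_time, period=30):
    # Host side: the token has no clock, so the host turns the current time
    # into the 8-byte big-endian TOTP counter that is sent as the challenge.
    return struct.pack(">Q", int(unix_time) // period)


def host_get_code(key, name, unix_time, digits=6):
    # Host side: ask the token for the truncated value and format it as
    # the code the user types. The secret is never seen here.
    value = key.calculate(name, totp_challenge(unix_time))
    return str(value % (10 ** digits)).zfill(digits)


def demo():
    key = SimulatedOathKey()
    # RFC 6238 reference secret (constructed test data, not a real credential).
    key.put("example@site", b"12345678901234567890")
    return host_get_code(key, "example@site", 59)  # RFC 6238 vector: 287082


if __name__ == "__main__":
    print(demo())
```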