zzap wrote:
But for an attacker it doesn't matter if the token is present, of course.
Yubico people: The way you described this bug causes a lot of confusion because of this counterintuitive notion about sessions. You should clarify and remember that your users do not begin with an understanding of the internal details of your algorithms!
I am going to try re-stating the bug cases in a different way to see if it is any easier to understand. Please correct me if I'm wrong:
This bug has nothing to do with whether the key is plugged in at the time of attack. A more clear way to state it is: if you always follow the behavior to only generate one OTP at a time and then unplug your key, the OTPs you generate will never trigger the bug case in the service. Therefore, an attacker who has access to all those OTP strings will not find them at all useful, since they cannot cause the server bug.
But any time you generate more than one OTP while still leaving the key plugged in, then those OTPs are of a kind that could trigger the bug. An attacker who collects those OTPs could use one or more of them as valid in the future. Once you plug in and validate the real key again, that last attack window closes. It causes the replayable OTPs to "expire", so to speak.
Anyway, all this will be moot with the fixed server code. I am only trying to help increase understanding about the nature and scope of the found bug.