Yubico Forum
https://forum.yubico.com/

Create Backup YubiKey NEO?
https://forum.yubico.com/viewtopic.php?f=26&t=1554
Page 1 of 2

Author:  drohm [ Sun Oct 26, 2014 8:02 pm ]
Post subject:  Create Backup YubiKey NEO?

I have a couple of older NEOs that I purchased in March 2014. I just got another NEO last week with U2F and wanted to know if it was possible to use the older NEOs as backup in case I lose my new NEO. I'm using it with sites like (2 factor auth):

Google
Microsoft
Dropbox
GitHub
etc...

These sites are all set up on my new NEO and working great. What I'd like to do is be able to have this same information on one of my old NEOs for emergency backup. Is this possible? I read elsewhere on the forums here that you could write the same values to different YubiKeys using the Personalization tool, but I'm not sure how to do that and if it's the correct way to do what I'd like to do (make a backup NEO).

Thanks for any help.

Author:  Aggraxis [ Mon Oct 27, 2014 3:20 am ]
Post subject:  Re: Create Backup YubiKey NEO?

You can't pull the config out of a NEO, but I kept all of my modhex 'secret' words from my various accounts when I set up the time-based codes. When I got my new NEO with U2F I just pulled out my cheat sheet and set up all my accounts using the desktop Yubico Authenticator program. Things like the Yubico OTPs and the GPG cards are stuck in there, presumably so someone couldn't just steal your key and clone it.

Author:  drohm [ Mon Oct 27, 2014 6:19 am ]
Post subject:  Re: Create Backup YubiKey NEO?

So you're saying if you kept all the secret keys when setting up the accounts you could create them on the new NEO and it would work?

Author:  drohm [ Mon Oct 27, 2014 6:32 am ]
Post subject:  Re: Create Backup YubiKey NEO?

I'm also noticing that I can only use the Android authenticator app to generate my OTPs for all my sites. The OTPs generated with the desktop authenticator don't work. Shouldn't it work with both apps, with the same NEO of course?

I enabled all three modes on the NEO using the ykpersonalize command-line tool: ykpersonalize -m6

Is that the reason why it doesn't work with both authenticator apps?

Author:  brendanhoar [ Mon Oct 27, 2014 12:30 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

drohm wrote:
So you're saying if you kept all the secret keys when setting up the accounts you could create them on the new NEO and it would work?


Yes.

drohm wrote:
I'm also noticing that I can only use the Android authenticator app to generate my OTPs for all my sites. The OTPs generated with the desktop authenticator don't work. Shouldn't it work with both apps, with the same NEO of course?


Is your clock time/zone set correctly on the desktop/laptop?

B

Author:  drohm [ Mon Oct 27, 2014 3:26 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

Yes, US Eastern, but I noticed this:

Desktop: UTC-0500 Eastern Time (US & Canada)
Phone: GMT-4:00 Eastern Time

Could this be causing the problem? Those are the only "eastern time" options I have for either device. My desktop is running Windows 8.1 x64 and my phone is Android Kit Kat 4.4.4.

Author:  brendanhoar [ Mon Oct 27, 2014 4:15 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

drohm wrote:
Yes, US Eastern, but I noticed this:

Desktop: UTC-0500 Eastern Time (US & Canada)
Phone: GMT-4:00 Eastern Time

Could this be causing the problem? Those are the only "eastern time" options I have for either device. My desktop is running Windows 8.1 x64 and my phone is Android Kit Kat 4.4.4.


I have the same exact time zones (in DC).

Are your dates correct? Time within a few seconds? AM/PM correct?

B

Author:  drohm [ Mon Oct 27, 2014 4:26 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

The desktop is 2-3 minutes faster than the phone: 11:27am vs 11:25am.

Author:  hazza [ Mon Oct 27, 2014 4:31 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

OATH codes are generated every 30 seconds, so your devices need to be within this range of true UTC, otherwise the generated codes will be too early/out-of-date.

Phones should be accurate, as they get their time synchronisation from the mobile network. You will need to check your NTP settings on your PC to make sure it is correctly synced.

Author:  brendanhoar [ Mon Oct 27, 2014 5:05 pm ]
Post subject:  Re: Create Backup YubiKey NEO?

hazza wrote:
OATH codes are generated every 30 seconds, so your devices need to be within this range of true UTC, otherwise the generated codes will be too early/out-of-date.

Phones should be accurate, as they get their time synchronisation from the mobile network. You will need to check your NTP settings on your PC to make sure it is correctly synced.


What hazza said is correct. OATH TOTP requires both the client and server to have nearly synchronized clocks. The YubiKey doesn't have a clock, so the Yubico Authenticator client provides the local host time to the YubiKey for the calculation. If the local host is incorrect (that is, not synchronized with the server that wishes to authenticate you through TOTP), then the OTP produced will not be recognized by the server.

Ensure your desktop/laptop is syncing the clock to a known good NTP server/cluster.

B

All times are UTC + 1 hour