Hey.
So, I own a couple yubikeys, but only one NEO. Started playing around with that one today and managed to upload some gpg keys, set up ssh authentication using the authentication key and just migrated my Google TFA details to the OATH applet/the yubico authenticator app on Android (or _off_ Android?).
Great stuff. Now I want more...
TOTP seems to be the nicest option (see below for my reasoning). Question time!
- TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?
- How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine... what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.
- Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?
Thanks a lot for your help/input,
Ben
A bit of history/rationale:
Previously I wasn't using it (the NEO, or the previous Yubikeys) for lots of services, because
- OATH was limited to HOTP (vs. TOTP). Requiring a counter doesn't work if you want to access multiple machines/services - you can't keep it in sync. The token itself doesn't support TOTP and the only workaround was something like [1]
- Challenge/Response doesn't work without explicit protocol support (I cannot use that with my mail client for example)
- Yubico OTP is no option - that doesn't work for filtered internet access/intranet services/offline stuff. I tried running my own validation server in the past, but that was quite a challenge.
- I never understood the 'static password' feature, to be honest...
[1] https://www.yubico.com/applications/int ... ces/gmail/