Yubico Forum

Hi,

Do you plan on producing a yubikey that has a timer in it so that some sort of time code can come from the key? This would stop a key being "borrowed" and the otps being harvested. These keys would be valid until the user authenticates again using the real key.

Are you refering to some kind of constantly running timer ?

That would add additional protection against harvesting, but with the downside of requiring a battery.

Batteries = cost + limited shelf life + large source of failures + requires battery compartment + additional regulatory burden (at least here in the EU).

A service requiring OTPs to be sent twice during a session can add protection against harvesting. We beleive that is a good compromise given that we get rid of the battery.

Regards,

Jakob E
Firmware and Hardware guy @ Yubico

Sure there would be some downsides to having a battery but I don't think they are that onerous. It would probably add 20% to the cost and last 3 years. This is not such a cost compared to the value of the information being protected. It would mean that you / I could answer the question "is this as secure as a football / dongle" with a "yes". There are many different markets for a product such as yours. The current YubiKey is great for paid service offerings (online tv etc) where you potentially have a few extra viewers watching for free but corporate data is too valuable and harvesting is a definite issue. You should definitely concider it as a seperate product offering.

Wouldn't a second harvested otp work in the two-otps-required scenario.

Re the battery compartment. If you make the units cheap enough then embed the battery in the resin. It preserves the unit's physical integrity / strength and you will have repeat customers as well.

Thanks for your thoughts. We will extend our product line eventually, but right now we focus on getting the most simple to use and most reliable approach "out there".

Note that there are some standards based solutions, like OATH HOTP that also doesn't rely on a clock or challenge response. It is considered good enough by some companies. I do understand (and agree with) your concern that it isn't good enough everywhere though.

Thanks,
Simon