Yubico Forum

I just installed the ykneo-oath applet on the NEO. It works fine with the Yubikey Authenticator app on Android. Really cool.

I wonder what is used as the private key? There must be a way to programmatically set the key, in order to "clone" a lost Yubikey to a new one. Can anyone shed some light on this?

Thanks.

The private key is stored inside the secure element of the NEO, and can not be extracted from the device. To create a clone, it is advised to store a copy of the QR code used for programming, which contains the private key and is how the key gets onto the NEO in the first place. It can then be used to program another NEO at a later time.

I was under the wrong assumption that OATH works with an additional secret stored on the device. But on a second thought, that makes no sense. The QR codes contain the whole key and the Yubikey just stores them securely. Thanks for clarifying!

How would one recover the secret key based on the QR code?

You can e.g. use the ZXing Barcode Scanner (https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=de) to scan the QR code. It will show you the text representation, which includes a parameter secret=xxxxx.