Q: What if an unauthorized person takes my YubiKey when I'm not looking, uses it, then returns it? Does this mean that they have access until I log in again? How do I prevent something like that?
A: The first countermeasure is to use a two-factor approach, i.e. combining the token with a PIN or a password.
If there is a store-replay concern as you mention above, a good countermeasure is to ask for the user to supply an OTP more than one time during a session. The token has a second timer and the validating application can use this counter to calculate the delta between two OTPs during one session. Consider a service where the user uses the token to log in. After a "make a payment" request, the server asks for a second confirmation OTP. The server will then measure the token's reported delta vs. the expected. If they match, the transaction is committed.
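As an added example (not code from the answer above or from Yubico's validation server), this is how a validating service could apply that delta check to the login OTP and the confirmation OTP of one session, assuming it has already AES-decrypted each OTP's 16-byte token block with the key's per-device secret. The field layout, CRC and ~8 Hz timer rate are those of the Yubico OTP format; the sample blocks and the tolerance value are constructed for illustration.

```python
import struct

# Yubico OTP: a 16-byte AES-128 block. Once the validator decrypts it with the
# key's secret, these fields are visible. Decryption itself is outside this example.
FIELDS = struct.Struct("<6sHHBBHH")   # uid, ctr, tstpl, tstph, use, rnd, crc
CRC_RESIDUAL = 0xF0B8                 # CRC over all 16 bytes must yield this value
TICK_HZ = 8.0                         # timestamp advances ~8 times per second while powered

def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 as used in the Yubico OTP block (poly 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_block(block: bytes) -> dict:
    """Split a decrypted 16-byte block into its fields, rejecting a bad CRC."""
    if len(block) != 16 or crc16(block) != CRC_RESIDUAL:
        raise ValueError("corrupt OTP block (CRC mismatch)")
    uid, ctr, tstpl, tstph, use, _rnd, _crc = FIELDS.unpack(block)
    return {"uid": uid, "ctr": ctr, "use": use, "ts": tstpl | (tstph << 16)}

def check_session_delta(first, second, elapsed_s, tolerance_s=2.0) -> bool:
    """Return True if the token's own clock agrees with the server's clock.

    first/second are the parsed blocks of the login OTP and the confirmation OTP;
    elapsed_s is the wall-clock time the server measured between receiving them.
    Stored-and-replayed OTPs carry the timer values of when they were generated,
    so their delta will not match the elapsed session time.
    """
    if second["uid"] != first["uid"]:
        return False                        # different key behind the public ID
    if second["ctr"] != first["ctr"]:
        return False                        # key was re-powered: timer restarted, no delta exists
    if second["use"] <= first["use"]:
        return False                        # same or older OTP within the session: replay
    ticks = (second["ts"] - first["ts"]) % (1 << 24)   # 24-bit counter may wrap
    return abs(ticks / TICK_HZ - elapsed_s) <= tolerance_s

def make_block(uid, ctr, ts, use, rnd=0x1234) -> bytes:
    """Constructed sample block (what the key encrypts), with a valid CRC appended."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

The `ctr` check is what limits the technique: if the key was unplugged between the two OTPs, the timer has restarted and the server can only fall back to rejecting or re-authenticating.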