Simon wrote:
1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).
2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.
What do you think?
Thanks,
Simon
1. It's a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exists only theoretically or in a corporate environment.
I have a notebook, and when I go home sometimes it doesn't switch automatically to my wifi net or doesn't switch at all (buggy Vista or Acer e-net services).
Also, sometimes depending on the Windows configuration the internet connection may not come up on the logon screen. So you will need to wait...
I agree that it's more secure since the OTP goes to the server to expire immediately.
2. The only possible attack in this case is that a Trojan will record the OTP and send it to a bad guy. For this reason, yes, I do agree.
Maybe we can mix 1 + 2, so log on immediately by offline validation, then when the user is logged on connect to an OTP server in the background to expire the OTPs. If there is no web, then wait for the next time. Do you have an API for that on the server?
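As an added illustration of what option 2 (offline validation) and the proposed 1 + 2 mix amount to in code, here is a small validator written for this page; it is not code from Simon, from the reply author, or from Yubico. It assumes the YubiKey OTP format (a public ID followed by 32 modhex characters that decrypt under the key's AES-128 secret to a 16-byte block holding a 6-byte private uid, a 16-bit session counter, a timestamp, an 8-bit session-use counter, random bytes and a CRC16), keeps the highest 24-bit counter seen per key, and queues accepted OTPs for a later background sync. The AES-128-ECB decrypt step is passed in as a callable so the file runs offline; the `toy_decrypt` used in the demo is a constructed XOR stand-in and is NOT AES, and the uid, public ID and key bytes are made-up sample values.

```python
# Added example for this thread (not Yubico's code). Assumed YubiKey OTP layout:
# plaintext block = uid[6] | session ctr u16 LE | timestamp u24 LE | use u8 |
# random u16 | crc16 u16 LE. A 24-bit counter (session << 8 | use) must only
# ever go up; anything at or below the stored value is a replay.

MODHEX = "cbdefghijklnrtuv"  # YubiKey's keyboard-layout-independent hex alphabet


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    nib = [MODHEX.index(ch) for ch in s]
    return bytes(nib[i] << 4 | nib[i + 1] for i in range(0, len(nib), 2))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    # CRC-16 as used in the YubiKey block: reflected poly 0x8408, init 0xFFFF, no final XOR.
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


CRC_OK_RESIDUAL = 0xF0B8  # crc16 over a valid 16-byte block, CRC bytes included


class OfflineValidator:
    """Option 2: validate locally with the AES key and a per-key high-water counter."""

    def __init__(self, aes_decrypt, keys):
        # aes_decrypt: 16 ciphertext bytes -> 16 plaintext bytes (AES-128-ECB in real use)
        # keys: public_id -> (private uid bytes, highest 24-bit counter accepted so far)
        self.decrypt = aes_decrypt
        self.keys = keys
        self.pending_sync = []  # the 1 + 2 mix: accepted OTPs to expire online when the net is up

    def validate(self, otp: str) -> str:
        if len(otp) < 32:
            return "bad format"
        public_id, body = otp[:-32], otp[-32:]
        if public_id not in self.keys:
            return "unknown key"
        uid, last_ctr = self.keys[public_id]
        block = self.decrypt(modhex_decode(body))
        if crc16(block) != CRC_OK_RESIDUAL:
            return "bad crc"  # wrong AES key or corrupted OTP
        if block[:6] != uid:
            return "uid mismatch"  # decrypted fine but not this key's private id
        session = int.from_bytes(block[6:8], "little") & 0x7FFF  # top bit is a flag, not counter
        ctr = session << 8 | block[11]
        if ctr <= last_ctr:
            return "replayed"  # what a Trojan that logged the keystrokes would be holding
        self.keys[public_id] = (uid, ctr)
        self.pending_sync.append(otp)
        return "ok"


def build_token(uid: bytes, session: int, use: int, tstamp: int = 0x010203, rnd: int = 0) -> bytes:
    # Constructs the plaintext block a YubiKey would have encrypted (demo helper).
    body = (uid + session.to_bytes(2, "little") + tstamp.to_bytes(3, "little")
            + bytes([use]) + rnd.to_bytes(2, "little"))
    return body + ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")


TOY_KEY = bytes(range(16))  # constructed stand-in for the 16-byte AES key


def toy_decrypt(block: bytes) -> bytes:
    # XOR stand-in so the demo runs offline; swap in AES-128-ECB decrypt for real use.
    return bytes(a ^ b for a, b in zip(block, TOY_KEY))


toy_encrypt = toy_decrypt  # XOR is its own inverse


def demo():
    uid = bytes.fromhex("000102030405")      # constructed private id
    pub = "cccccccccccb"                     # constructed public id (modhex)
    v = OfflineValidator(toy_decrypt, {pub: (uid, 0)})

    def otp(session, use, u=uid):
        return pub + modhex_encode(toy_encrypt(build_token(u, session, use)))

    first = otp(5, 0)
    return [
        v.validate(first),                        # first use of this key
        v.validate(first),                        # same OTP again: replay
        v.validate(otp(5, 1)),                    # use counter advanced within the session
        v.validate(otp(4, 3)),                    # older session: replay even with a higher use value
        v.validate(otp(6, 0, bytes(6))),          # valid CRC but wrong private id
        v.validate("dddddddddddd" + first[12:]),  # public id not configured
        v.validate("cc"),                         # too short to be an OTP
    ]


if __name__ == "__main__":
    print(demo())
```

The counter store is the piece Simon's option 2 hinges on: it has to be persisted across reboots (and protected from rollback), because restoring an older copy re-opens every OTP captured since. `pending_sync` is only a queue; what to send to the server once the network is up is the API question the reply asks.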