Yubico Forum https://forum.yubico.com/

Reusing OTP passwords https://forum.yubico.com/viewtopic.php?f=3&t=251
Page 1 of 3

Author: ryan [ Fri Feb 06, 2009 12:53 am ]
Post subject: Reusing OTP passwords
Hello! I just received a Yubikey and I have been playing with it on MashedLife and the API server. I am able to reuse one-time passwords by cycling through unique OTPs. Maybe I am missing something, so I am hoping someone can help me out. Here is what I did:

1) Open a text editor. Press the button on the Yubikey two times to get two OTPs.
2) Go to these URLs:
   http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP1 HERE>
   http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP2 HERE>
3) That should have used both the OTPs. Now do it again:
   http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP1 HERE>
   This returns status OK.
   http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP2 HERE>
   This returns status OK.

As long as I don't use the same OTP twice in a row, I can just cycle between the two and I always get a response code of "OK". Is this the expected behaviour or is something broken? I confirmed this by logging into MashedLife by rotating through the passwords.

Thanks!
Ryan
Author: Dick [ Fri Feb 06, 2009 2:29 am ]
Post subject: Re: Reusing OTP passwords

FYI, tried the same thing, got the same result.

Dick
Author: ryan [ Fri Feb 06, 2009 3:15 am ]
Post subject: Re: Reusing OTP passwords

Yeah, this is pretty disconcerting. I've been able to use an OTP replay attack on a few sites now (as long as I get two OTPs). This makes sense because the API is returning the OK status. I've emailed Yubico and hopefully once it's daylight in Sweden we will get a response. If I get time I'll take a peek at the auth-server code and see if I notice anything. My understanding was that the OTP had a timestamp in it and the auth-server kept track of the last valid timestamp and would not allow anything to be used before that time.

-Ryan
Author: PatrickN [ Fri Feb 06, 2009 10:49 am ]
Post subject: Re: Reusing OTP passwords

The OTP does indeed have a timestamp in it as well as a use count, but it is up to the server whether to make use of these to detect replays. Sounds like the servers you tried do not.
Author: ryan [ Fri Feb 06, 2009 4:23 pm ]
Post subject: Re: Reusing OTP passwords

I tried the API server run by Yubico. Without checking the timestamp and use count this isn't really OTP. I should be able to paste 2+ of my *used* OTPs to this forum without fear, but I cannot.... you would be able to access my MashedLife and Forum account. Sure, I can and should use a PIN, but that is beside the point. I will set up my own auth server, but I would hope that Yubico will change the settings on their public server because a lot of services use it.

Ryan
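The replay check PatrickN describes and Ryan asks for, as an added example that is not code from this thread or from Yubico's validation server. It assumes the server has already AES-decrypted the OTP into its counter fields (YubiKey OTPs carry a session counter, a per-session use counter and an 8 Hz timestamp); the public id and counter values below are constructed, and the NaiveGuard models the "not twice in a row" behaviour the thread observed beside a CounterGuard that rejects the replay.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpFields:
    """Plaintext fields of one YubiKey OTP after the server decrypts it (constructed values below)."""
    public_id: str        # modhex key identifier, sent in the clear
    session_counter: int  # incremented on each power-up, persisted in the key
    session_use: int      # incremented on each keypress within a session
    timestamp: int        # 8 Hz tick counter, restarts at power-up


class NaiveGuard:
    """Flawed check: only refuses an OTP identical to the immediately preceding one."""
    def __init__(self):
        self._last_seen = {}  # public_id -> last OtpFields

    def verify(self, otp: OtpFields) -> str:
        if self._last_seen.get(otp.public_id) == otp:
            return "REPLAYED_OTP"
        self._last_seen[otp.public_id] = otp
        return "OK"


class CounterGuard:
    """Correct check: the (session_counter, session_use) pair must strictly increase,
    and within one session the timestamp must advance as well."""
    def __init__(self):
        self._high_water = {}  # public_id -> (session_counter, session_use, timestamp)

    def verify(self, otp: OtpFields) -> str:
        last = self._high_water.get(otp.public_id)
        if last is not None:
            last_counter, last_use, last_ts = last
            if (otp.session_counter, otp.session_use) <= (last_counter, last_use):
                return "REPLAYED_OTP"  # older or equal counter: a replay, in any order
            if otp.session_counter == last_counter and otp.timestamp <= last_ts:
                return "REPLAYED_OTP"  # same session but clock did not move forward
        self._high_water[otp.public_id] = (otp.session_counter, otp.session_use, otp.timestamp)
        return "OK"


def cycle_two_otps(guard) -> list:
    """Replays Ryan's experiment: OTP1, OTP2, then OTP1 and OTP2 again, through the given guard."""
    otp1 = OtpFields("ccccccbcgujh", 7, 0, 1000)  # constructed: first press after power-up
    otp2 = OtpFields("ccccccbcgujh", 7, 1, 1016)  # constructed: second press, 2 s later
    return [guard.verify(o) for o in (otp1, otp2, otp1, otp2)]
```

Run `cycle_two_otps(NaiveGuard())` to reproduce four OK responses, and `cycle_two_otps(CounterGuard())` to see the third and fourth submissions rejected.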
Author: cmoates [ Fri Feb 06, 2009 11:34 pm ]
Post subject: Re: Reusing OTP passwords

Wow, this is really bad. No word from Yubico?
Author: Jakob [ Sat Feb 07, 2009 1:02 am ]
Post subject: Re: Reusing OTP passwords

Oh-la-la... I believe we got an issue here... We'll check it out immediately.

Regards,
Jakob E
Hardware- and firmware guy @ Yubico
Author: ryan [ Sat Feb 07, 2009 6:41 am ]
Post subject: Re: Reusing OTP passwords

Any word on this issue? Do you guys have a formal test/QA process? Do you run the latest open-sourced version of the server? The company I work for is trying to find good solutions for 2-factor authentication and I recommended we try Yubikeys. We will run our own authentication server, but it is still important to us that Yubico act responsibly and securely. It would be a shame to ask our customers to use Yubikeys only to see Yubico have major issues or go out of business. I understand the occasional bug, but this is a fairly significant issue and it does not seem to be high-priority. I understand that Yubico is a startup, but these are the questions my management will be asking me and I need to be able to justify our use of Yubikeys.

Thanks
Ryan
Author: Dick [ Sat Feb 07, 2009 7:27 am ]
Post subject: Re: Reusing OTP passwords

By my calculations, it was the middle of the night in Sweden when JakobE posted his message in this thread. I'd be very surprised if we don't see a prompt response.

Dick
Author: JohnK [ Sat Feb 07, 2009 9:00 am ]
Post subject: Re: Reusing OTP passwords

ryan wrote:
    Any word on this issue? Do you guys have a formal test/QA process? Do you run the latest opensourced version of the server? ......... I understand that Yubico is a startup, but these are the questions my management will be asking me and I need to be able to justify our use of yubikeys. Thanks Ryan

Guys, be patient! This is the nature of open source and start-ups. Especially in Yubico everyone is working part-time (I met them in the Identity conference). Staff seems to be in India as I just found (http://www.networkmarvels.com/contact.html). Everyone is doing their best with their part-time effort. But just like MySQL, it takes time to mature. Good job