Yubico Forum

All times are UTC + 1 hour




Posted: Sun Jan 24, 2016 8:00 pm

Joined: Sun Jan 24, 2016 7:15 pm
Posts: 7
I contacted support about this around 4 days ago, but have not received an answer, so I think I need to put this to the community just in case, and also to ease my mind on something that could be a perfectly mundane (but annoying, nonetheless) issue.

The problem I had was with an OTP I generated for a website I use. - I generated the key, saved the new key to one of the key configuration slots, and uploaded it (successfully) to the YubiKey servers. The test also worked, so I proceeded to use it on the website to be secured and all was good (logged-in, logged-out, closed the browser, opened the browser, logged-in again, etc.). Then, a few days later, I found that the OTP was no longer working and that my OTP had been changed - not on my key, but on the site itself. - How did this happen?

My thought is that someone guessed or knew the email address I used with the OTP, and that they generated and uploaded a key to the YubiKey server using that same email address, thereby effectively locking me out of the secured site. - Would this work? - If it would then it would explain what happened, but it would also be a major security concern because, whilst that would not immediately mean that someone could gain access to the secured site, it would still mean that they could, effectively, lock you out of a secured resource very quickly and very easily just by generating and uploading a YubiKey OTP with the same email address to the YubiKey server.



Posted: Tue Jan 26, 2016 12:16 am

Joined: Sun Jan 24, 2016 7:15 pm
Posts: 7
Well, OK, it might only be a day later, but I have also been waiting a good 5 days for "support" to answer my question, too, so I am going to post this as a way of trashing YubiKey OTP access (for example, locking Facebook employees out of their accounts). If I am wrong then perhaps admin [do we have one(?), or even support (non-existent as far as I can tell)] could actually look into this and make the effort to see if it is actually a problem with the device (YubiKey 4); otherwise maybe they could motivate themselves sufficiently to shed some light on what happened and to clarify the situation with this issue (if nothing else, so anyone else with a similar issue might actually understand what is happening if they experience the same problem).


Posted: Mon Feb 01, 2016 10:05 pm
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
One of our support representatives responded to the same case I'm assuming you're referring to (case 14428) on January 21, but unfortunately did not mark the case as "public." The comment was resent to you this morning. I'm including the original response here as well:

Are you asking if a second user could upload a Yubico OTP credential at upload.yubico.com using your e-mail address, and if so, would it overwrite the credential you uploaded previously? If so, no, you can upload an infinite number of Yubico OTP credentials and associate them with the same e-mail address. Also, if you try to upload a credential with the same public identity (first 12 characters of the OTP), you will get an error from the upload page that the credential already exists.

Have you tested the output at demo.yubico.com? This page will confirm if the credential you uploaded is actually working, and will allow you to test a Yubico OTP to confirm it is accepted by the YubiCloud.

Also, I'm confused about this part - "my OTP had been changed - not on my key, but on the site itself". The key changed on what site?
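
The reply above identifies a Yubico OTP credential by its public identity, the first 12 characters of the OTP. As an added example (not part of the original thread and not Yubico's code), the Python below compares the public identity of an OTP saved at enrolment with one the key emits now, to tell a reprogrammed slot from a site-side change. The 44-character layout (12 identity characters plus 32 encrypted characters), the function names and the sample OTPs are assumptions constructed for illustration.

```python
MODHEX = "cbdefghijklnrtuv"          # modhex alphabet, in order of hex value 0..f
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
PUBLIC_ID_LEN = 12                   # "first 12 characters of the OTP" (from the reply)
ENCRYPTED_LEN = 32                   # assumption: 16 encrypted bytes written as modhex


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, encrypted_part) of a 44-character Yubico OTP."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_LEN + ENCRYPTED_LEN:
        raise ValueError(f"expected 44 characters, got {len(otp)}")
    bad = sorted(set(otp) - set(MODHEX))
    if bad:
        # Typical cause: a non-US keyboard layout remapping the key's keystrokes.
        raise ValueError(f"non-modhex characters: {''.join(bad)}")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def public_id_bytes(otp: str) -> bytes:
    """Decode the modhex public identity to raw bytes."""
    return bytes.fromhex(split_otp(otp)[0].translate(_TO_HEX))


def diagnose(enrolled_otp: str, current_otp: str) -> str:
    """Compare an OTP saved at enrolment with one the key emits now."""
    old_id, old_enc = split_otp(enrolled_otp)
    new_id, new_enc = split_otp(current_otp)
    if old_id != new_id:
        return "identity-changed"    # slot reprogrammed, or a different slot/key
    if old_enc == new_enc:
        return "same-otp"            # identical string: a copy, not a fresh press
    return "identity-unchanged"      # key still emits the enrolled credential


# Constructed sample OTPs (not real credentials).
ENROLLED = "ccccccbdefgh" + "ijklnrtuvcbdefgh" * 2
FRESH = "ccccccbdefgh" + "vutrnlkjihgfedbc" * 2
REPROGRAMMED = "vvccccbdefgh" + "ijklnrtuvcbdefgh" * 2

if __name__ == "__main__":
    print(public_id_bytes(ENROLLED).hex())
    print(diagnose(ENROLLED, FRESH))
    print(diagnose(ENROLLED, REPROGRAMMED))
```

A result of `identity-unchanged` means the key still emits the credential that was enrolled, so the investigation moves to the account settings on the site being logged into.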

