Yubico Forum
https://forum.yubico.com/

Scenario: A university student is required to have a Yubi...
https://forum.yubico.com/viewtopic.php?f=4&t=44		 Page 1 of 1
Author:  hrag [ Wed May 14, 2008 8:09 pm ]
Post subject:  Scenario: A university student is required to have a Yubi...
Q: Scenario: A university student is required to have a Yubi as an affordable authentication device to use on the university's computer system for registering for courses, etc. The same student decides to get a MashedLife account as well as a ficticious wwwBank account, all of which uses the Yubi system, but none of these servers talk to one another. The student uses the same Username among all of their accounts. The student goes to the Library and logs into their student account on a PC that has been compromised with a key logger. The key logger records the Yubi OTP as well as the Username. Later, the key logger is retrieved by a malicious user which then attempts to use it on popular sites such as MashedLife. What, if anything, would prevent the malicious user from successfully accessing these other accounts?

A: Verification of the OTPs are made on one server holding the appropriate keys and synchronization counters. Trying to replay an intercepted OTP won't work as the server immediately updates the synchronization counters when an OTP is verified. The OTPs are sequenced in such a way that the server can determine in which order they've been generated.

Although more than two independent servers can be used, it lowers the security level quite significantly as the synchronization counters cannot be used. As mentioned, these counters are really a cornerstone of the concept.

The best way in your scenario would be that the second service would forward its OTP to the first one and the authentication is done there. Our authentication server works in that way and anyone can use it to authenticate their OTPs.
Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/