Yubico Forum

Dear Sir or Madam,

i am very new on yubikey, and i am not sure if i have understand the concept of yubikey correctly.
- At first of all i have create an API-Key with my yubikey
- After this, i upload my yubikey config to the yubikey-cloudserver

Now my simple questions:
1. What is the function of the client and secret key?
If i use the demos with my key there are default client id und default secret key, and this works with my yubikey
If i understand it correctly this client id and secret key is for authenticate the application, isn't it? So if i use wrong informations here the yubikey server do not accept the request?
2. If i use the yubicloud for authentification, the yubikey have to register at this cloud, otherwise i use a own yubikey-server?
So every user which want to use the yubikey (web-application) have to register the key at the cloud.

I know there are a lot of questions in this post, but i hope this questions are easy for all yubikey professionals and no one are angry with me and my stupid questions.

Kind regards.

The YubiKey's ship with a key already active with the Yubico authentication servers (YubiCloud). When accessing a site/service that authenticates against the YubiCloud, all you need to do is register your Yubikey to your account. For example, the built in key can be used successfully with the Yubico site/forum, LastPass, Passpack (I believe) and other services w/o having to do any personalizing to the YubiKey. If you personalize with a OTP, you can register this with the YubiCloud (or alternate authentication service).

Question #1: I am not sure what you are referring to by "client" -- if you are referring to the public identity -- this allows services to link your YubiKey to an account (without knowing the encrypted part of the key). The secret key is another method for the authentication server to validate that the key is valid.

For an authentication attempt to be valid (using the standard OTP), the public ID needs to match (to be associated with a given account), the encrypted portion needs to successfully decrypt and validate (CRC16 bit), the session/counter IDs must be higher than a previous authentication attempt and the secret key needs to match. Assuming all of this validates, the authentication server will return that it was a valid request.

Question #2: To use the default key as shipped, you will need to validate against the YubiCloud service. You can change this to your own OTP key (or add a second one using slot 2) via the personalization tool. If you add your own key, it would be possible to upload the credential information to one or more authenication servers.

Thank you for your answer,

i will create the following scenario.
Our webapplication have to use the yubikey for authentification (OTP), so we will buy some yubikeys an give them to our customers.
Every yubikey for our authentivication have to registered at your cloud.
For the login i have to use only one client ID and secret key for all yubikeys?

Thanks a lot for your answer.

Each Yubikey would be unique. Your web application would associate the public ID of each yubikey (the first 12 characters of the OTP string) to the users account and then submit the entire string to the YubiCloud to know if it is valid. There would be no reason to reprogram the individual YubiKeys in this instance.

Check out the Development Guidelines (http://www.yubico.com/development-guidelines) documentation (as well as the existing API/auth modules) for direction on how this gets implimented in your web app.