Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:23 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Thu Jan 22, 2009 4:49 pm 
Offline

Joined: Thu Jan 22, 2009 10:07 am
Posts: 4
Hi, I have a question.

I generated a one-time password into a text editor. Three and a half hours later, I copy/pasted into this forum's login form, and successfully logged in. Is there a time-limit before these things expire?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jan 22, 2009 7:32 pm 
Offline

Joined: Wed Jan 21, 2009 9:05 am
Posts: 3
ramonsky wrote:
Is there a time-limit before these things expire?


If I understand it correctly, no. The yubikey has no clock. However, it does have several counters, some of which are reset when you unplug it, while some are stored even when you unplug it. The counters enables the authorization server to keep track of the state of the yubikey. Once you use a OTP, you will not be able to use it again. Additionally, all previous OTPs becomes invalid. This protects against replay attacks.

http://www.yubico.com/technology/description/
http://en.wikipedia.org/wiki/Replay_attack

[edited 2009-01-23 08:45]


Last edited by aff on Fri Jan 23, 2009 8:44 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 22, 2009 7:39 pm 
Offline

Joined: Thu Jan 22, 2009 10:07 am
Posts: 4
Ah, OK. That makes sense.
Thanks


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 28, 2010 4:38 pm 
Offline

Joined: Mon Apr 26, 2010 8:43 am
Posts: 1
But what happens if an attacker manages to get his hands on my keys for long enough to generate a bunch of OTPs?

Like a co-worker who would take advantage of me having coffee for plugin my key on his own computer. What would prevent him from using these OTPs (without my key), except me generating AND validating a new OTP before?

I know that could be mitigated by only leaving the key plugged long enough to authenticate (and then, back in the pocket where it belongs!), but for someone who's keeping a netbook with him, it's only a matter of minutes (if not seconds) to get a bunch of perfectly valid OTPs.

Am I wrong?


Top
 Profile  
Reply with quote  
PostPosted: Sat May 01, 2010 8:54 am 
Offline

Joined: Sat Apr 24, 2010 1:24 am
Posts: 2
olivierm wrote:
But what happens if an attacker manages to get his hands on my keys for long enough to generate a bunch of OTPs?

<<<snip>>>


If I understand correctly, there are three concerns here:

  1. Somebody gets to your machine while it is unlocked and the Yubikey is inserted. The user generates several OTPs, sends them to himself (email, file copy, whatever), and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  2. Somebody gets to your Yubikey while it is left alone. The user connects the Yubikey to their computer, generates several OTPs, and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  3. You discover someone playing with your Yubikey (either as part of #1 or #2, or for a different reason). You are not sure if they have generated some OTPs for themselves.

I think the solutions would be different.

For issue #1: On most machines, there is a screen saver which will activate automatically (after some inactivity) or manually (by pressing a button on screen, pressing a special key on the keyboard, or moving the mouse to a specific location). There is another topic, where is discussed a way (in Linux) for the screen saver to automatically activate when you remove your Yubikey from the USB port, and to display the login window when inserting the Yubikey. I think somebody should work on a Windows add-on that does the same thing.

For issue #2: There are two options:

  1. If you use software (like Rohos Login) which uses the Yubikey OTP to log in or unlock the screensaver, then as soon as you return to your computer and unlock it (or log in), the "stolen" OTPs are made useless.
  2. Have a small software program that watches in the background to see if a Yubikey is inserted. Once it is, display a window (or taskbar alert, something unobtrusive) that asks for an OTP. Once an OTP is provided, the window should disappear, and your program should send the OTP to the validation server. You are not actually using the OTP to authenticate to anything, you are just making sure that any "stolen" OTPs are made useless. As a useful feature, warn the user if you get a suspicious error (like an OTP_REPLAYED error).

For issues #1 and #2, if you configure web sites to log you out after a shorter amount of time, this will cause you to use OTPs more often, making any "stolen" OTPs invalid sooner. For example, if you use LastPass Premium (which allows you to use the Yubikey as part of the authentication), if you can configure LastPass to prompt you to log in after unlocking the screensaver, part of the log in process will require an OTP, which will be validated, making any "stolen" OTPs useless!

For issue #3: Yubikey could provide a site (example title: "OTP Check" or "Token Sync") where you provide a OTP. Yubico takes the OTP and checks it against the validation server, instantly making all of the "stolen" OTPs useless.

So, the basic concepts are...

  • Keep the Yubikey with you as much as possible.
  • If you are separated from the Yubikey, when you return, generate and use an OTP as soon as possible!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group