Yubico Forum

Hi,

New to yubikey and i'm trying to make a php plugin for StatusNet (just for fun)

I'm a little confused though at how the ->verify($otp) works in the PEAR module. In the examples and the MediaWiki plugin it doesnt seem to map that i have MY Yubikey and not someone elses. What if someone stole my password and had their own Yubikey, wouldnt that verify still pass?

So how do i make that link 1 to 1 between the Yubikey i hold and the user on the site.

I also use LastPass and they had me enter in 1 OTP to "link" it i suppose, though i'm not technically sure how that worked ether, just trying to get my head around how this works.

Thanks!

Just watched some lastpass screen casts and i think it may have cleared it up for me.

The first 12 chars are a static identifier for that key correct? so i can keep a config table such as
user_id,yubikey_id to do a verification before submitting the web call.

There's no real documentation around this or i missed it (very possible)

Let me know if i'm on the wrong track here.

Thanks,

Yes, the first 12 characters are a static device identifier.

Actually there is quite a lot of documentation available, but it's scattered around many places and pdf documents.

Maybe you will find some information located in my project's docs helpful.

Thanks for the info, the more i poke around the better i'm understanding.

The very simple example just lead me to have these questions.

One other question though, is it best practice to hash the first 12 char identifier? Reading a bit on lastpass it seems thats all they use for offline auth.

No problem.

For the offline authentication you need AES as well (only device id does not help you).

And for the AES key you need to re-program your YubiKey.