Yubico Forum
https://forum.yubico.com/

URGENT: Is it possible to fetch the static password?
https://forum.yubico.com/viewtopic.php?f=16&t=474

Author:  Globan [ Tue Jan 26, 2010 8:15 pm ]
Post subject:  URGENT: Is it possible to fetch the static password?

Hi,

I have a client who is interested in buying Yubikeys but he is already using a USB software lock on his software (they are software providers with 2000 customers) and wonders if it's possible to use yubikey as a software lock (dongle) as well. They fetch a security code from inside the usb lock, so down to my questions:

Is it possible to do the same with yubikey?
As I understand, OTPs are generated when you push the button, but can it be generated in another way, i.e. by a software command? If not, can we fetch the static password?

This would be a great solution to use yubikey both as it is (user authentication) and as software lock.

If this is not possible today, is it something Yubico can plan for?

I appreciate your answers.

Cheers.

Author:  Jakob [ Wed Jan 27, 2010 12:11 am ]
Post subject:  Re: URGENT: Is it possible to fetch the static password?

Assuming that I got you correctly, you're actually preempting some features that "are in the oven" at present. Among some other things :)

We will provide support for a static identity that can be read via the USB descriptors, where each Yubikey will be serialized with a unique number. This number will then reflect the serial number that is present on the sticker. For anyone who would prefer a more "anonymous" mode, this serial number can be hidden. We will however ensure that all devices are serialized at time of manufacturing.

Maybe this simple function would be sufficient for the application you're calling for? By simply using standard OS API calls, the serial number can then be read and used as a very basic identification means for a particular user. It probably goes without saying that this number can be spoofed, someone can make a fake Yubikey with the same number, a hook in the driver chain could mimic a genuine Yubikey etc.

As an alternative, we'll provide support for challenge-response via API calls. This is a configurable option on a per configuration slot basis so anyone who doesn't want the feature can turn it off. This allows a client application to programmatically interact with the Yubikey, which is useful in certain configurations.

As the question has been brought up, we're planning to test out the functionality with some selected customers. Please let me know if you have a particular application in mind and would like to participate. Please send me an e-mail at jakob at yubico dot com and give a short description of the use case and we'll provide a sample key with sample code when we have it available for beta testing.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico
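
The contrast drawn in the reply above, between a readable serial number and challenge-response, as an added example that is not part of the original thread and is not Yubico sample code. The token classes, the serial, and the use of HMAC-SHA1 with a shared secret are assumptions made for illustration; the post does not say which algorithm the feature uses.

```python
import hashlib
import hmac
import secrets


class SimulatedToken:
    """Hypothetical stand-in for a hardware token holding a secret it never exports."""
    def __init__(self, serial: int, secret: bytes):
        self.serial = serial
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ReplayingFake:
    """Models the spoofing case from the post: reports the same serial and can
    replay one previously observed response, but does not hold the secret."""
    def __init__(self, serial: int, seen_challenge: bytes, seen_response: bytes):
        self.serial = serial
        self._seen = {seen_challenge: seen_response}

    def respond(self, challenge: bytes) -> bytes:
        return self._seen.get(challenge, b"\x00" * 20)


def check_static(device, licensed_serial: int) -> bool:
    # Static identity: anything that reports the right number passes.
    return device.serial == licensed_serial


def check_challenge_response(device, secret: bytes) -> bool:
    # A fresh random challenge per check makes a recorded response useless.
    challenge = secrets.token_bytes(32)
    expected = hmac.new(secret, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(device.respond(challenge), expected)


def demo() -> dict:
    secret = secrets.token_bytes(20)           # constructed sample secret
    genuine = SimulatedToken(1234567, secret)  # constructed sample serial
    old_challenge = secrets.token_bytes(32)
    fake = ReplayingFake(1234567, old_challenge, genuine.respond(old_challenge))
    return {
        "static_genuine": check_static(genuine, 1234567),
        "static_fake": check_static(fake, 1234567),
        "cr_genuine": check_challenge_response(genuine, secret),
        "cr_fake": check_challenge_response(fake, secret),
    }


if __name__ == "__main__":
    print(demo())
```

In a software-lock setting the verifier's copy of the secret is itself a target, so the check is only as strong as the place that secret is stored.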

All times are UTC + 1 hour