Yubico Forum
https://forum.yubico.com/

Confused beginner
https://forum.yubico.com/viewtopic.php?f=35&t=2398
Page 1 of 1

Author:  spindown [ Thu Aug 18, 2016 11:11 am ]
Post subject:  Confused beginner

Can someone help me and explain some basic questions?

1.) What exactly is OTP used for?

2.) I have my key currently set up for OTP in slot 1, HMAC-SHA login for Windows on config 2.
Do I have to choose between HMAC-SHA or OATH-TOTP in config 2? I would love to be able to use all three.

How does one go about setting up OATH 2FA for something like Amazon?

Author:  ChrisHalos [ Thu Aug 18, 2016 4:42 pm ]
Post subject:  Re: Confused beginner

(1) Sites like LastPass, Salesforce, and others. If you don't need this, you could always program a different credential in slot 1 with the Personalization Tool.

(2) Assuming you're referring to a YubiKey 4 or YubiKey NEO: if so, you can store and access authenticator credentials with Yubico Authenticator (these are time-based, which the YubiKey can't calculate without a companion app, Yubico Authenticator). You can store up to 30 credentials here, give or take (depending on factors like the length of the credential name being used).

(3) https://www.amazon.com/gp/help/customer ... =201962420

Adding credentials is virtually identical to adding credentials with Google Authenticator, except the secrets are stored in the YubiKey and you're using Yubico Authenticator as the app instead.

Author:  spindown [ Thu Aug 18, 2016 5:45 pm ]
Post subject:  Re: Confused beginner

ChrisHalos wrote:
(1) Sites like LastPass, Salesforce, and others. If you don't need this, you could always program a different credential in slot 1 with the Personalization Tool.

(2) Assuming you're referring to a YubiKey 4 or YubiKey NEO: if so, you can store and access authenticator credentials with Yubico Authenticator (these are time-based, which the YubiKey can't calculate without a companion app, Yubico Authenticator). You can store up to 30 credentials here, give or take (depending on factors like the length of the credential name being used).

(3) https://www.amazon.com/gp/help/customer ... =201962420

Adding credentials is virtually identical to adding credentials with Google Authenticator, except the secrets are stored in the YubiKey and you're using Yubico Authenticator as the app instead.
Hi Chris, thanks for the reply.

For your last line, what is the point of using a YubiKey in this config then, if the secrets are stored on the YubiKey?

Author:  ChrisHalos [ Thu Aug 18, 2016 11:46 pm ]
Post subject:  Re: Confused beginner

Not sure I understand your question. The purpose of using the YubiKey is that the secret used to generate the TOTP codes remains stored on the secure element (rather than on your hard drive). To actually generate the code, the YubiKey has no knowledge of the current time (no internal battery), so it needs Yubico Authenticator (app) to calculate the code.

Author:  Mathieulh [ Wed Dec 07, 2016 2:27 pm ]
Post subject:  Re: Confused beginner

ChrisHalos wrote:
Not sure I understand your question. The purpose of using the YubiKey is that the secret used to generate the TOTP codes remains stored on the secure element (rather than on your hard drive). To actually generate the code, the YubiKey has no knowledge of the current time (no internal battery), so it needs Yubico Authenticator (app) to calculate the code.


Is the secret sent to the Yubico Authenticator app to calculate the final code/token, or is the time sent to the YubiKey to perform the calculation?
If the former, then it is a very important design flaw/vulnerability, as it would allow someone to steal the secrets stored on the YubiKey secure element as they are sent to the Yubico Authenticator app, by monitoring the USB and/or the NFC traffic. This could be further automated by a hidden daemon running on the target's phone/computer.

Can you share more details on the full process through which the tokens/codes get generated?

Author:  dain [ Thu Dec 08, 2016 5:19 pm ]
Post subject:  Re: Confused beginner

You can find the full specification of the protocol here: https://developers.yubico.com/ykneo-oath/Protocol.html

Once loaded onto a YubiKey the secret never leaves it.
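The split that ChrisHalos and dain describe, as an added illustration that is not code from this thread or from Yubico: the host only ever sends the time counter as a challenge and gets a truncated HMAC value back, so nothing on the USB/NFC link after enrolment contains the secret. The class and function names are made up for the example, the applet is a simplification of the linked ykneo-oath protocol, and the secret is the RFC 6238 test vector.

```python
import hmac
import hashlib
import struct

# Constructed sample credential: the RFC 6238 SHA-1 test secret, not a real key's secret.
SAMPLE_SECRET = b"12345678901234567890"


class SimulatedOathApplet:
    """Stand-in for the YubiKey OATH applet (simplified from the ykneo-oath protocol).
    It stores the secret and answers only CALCULATE: a challenge comes in, a
    truncated HMAC value goes out. There is deliberately no way to read the secret back."""

    def __init__(self):
        self._credentials = {}   # name -> (secret, digits); stays inside this object
        self.link_log = []       # what an observer of the USB/NFC link would see

    def put(self, name, secret, digits=6):
        # Enrolment is the only time the secret crosses the link (from the app to the key).
        self.link_log.append(("PUT", name, secret.hex()))
        self._credentials[name] = (secret, digits)

    def calculate(self, name, challenge):
        secret, digits = self._credentials[name]
        self.link_log.append(("CALCULATE", name, challenge.hex()))
        mac = hmac.new(secret, challenge, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F                     # RFC 4226 dynamic truncation, done on the key
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        self.link_log.append(("RESPONSE", name, digits, value))
        return digits, value


def host_totp_code(applet, name, unix_time, period=30):
    """Host side (the role Yubico Authenticator plays): it supplies the time, as a
    counter in an 8-byte big-endian challenge, and formats the code. It never sees the secret."""
    challenge = struct.pack(">Q", int(unix_time) // period)
    digits, value = applet.calculate(name, challenge)
    return str(value % 10 ** digits).zfill(digits)


def secret_seen_after_enrolment(applet, secret):
    """True if any post-enrolment link traffic carries the secret (it should not)."""
    after = [entry for entry in applet.link_log if entry[0] != "PUT"]
    return any(secret.hex() in str(entry) for entry in after)


if __name__ == "__main__":
    key = SimulatedOathApplet()
    key.put("amazon", SAMPLE_SECRET)
    print(host_totp_code(key, "amazon", 59))           # 287082 (RFC 6238 vector, 6 digits)
    print(host_totp_code(key, "amazon", 1111111109))   # 081804
    print("secret on the link after enrolment:", secret_seen_after_enrolment(key, SAMPLE_SECRET))
```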
