Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:27 pm

All times are UTC + 1 hour

Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Wed Mar 23, 2016 4:41 pm 

Joined: Fri Mar 16, 2012 10:58 am
Posts: 5
I have a plethora of TOTP accounts, currently on my smartphone.

Unfortunately the standard Yubikey has only two slots for OATH HOTP/TOTP(*). I believe that more recent devices will store 28-32 credentials(**).

It would be great if the Yubikey could handle an unlimited number of TOTP accounts in a secure way. I believe this should be possible by two operations:

1. pass in the initial secret, encrypt it with an (internal) AES key, return the encrypted secret
2. pass in the encrypted secret plus challenge or timestamp, return the HMAC-SHA1 response

Then an unlimited number of encrypted secrets could be stored safely in host storage, or even backed up to the cloud, but not usable without the companion Yubikey.

Perhaps this is entering too close into YubiHSM territory? But if it were limited to just HMAC-SHA1 types of operations I don't think it would be usable for encryption.



(*) The document at https://www.yubico.com/wp-content/uploa ... -Setup.pdf says:
"All YubiKey hardware can support the OATH-TOTP standard authentication method ...
This method utilizes one of the two configuration slots for a single site; no more than 2 sites or services
can be supported on a single YubiKey"

... but doesn't mention that keys other than Yubikey Standard/Edge may support a different method.

(**) At https://www.yubico.com/faq/how-many-cre ... enticator/
it says "You can store up to 32 OATH credentials (TOTP or HOTP) on the YubiKey and access them using the Yubico Authenticator companion application."

From earlier context in the paragraph, I think "the YubiKey" here must be referring to the YubiKey 4.

At https://developers.yubico.com/yubioath-desktop/ it says it supports
"both slot-based credentials (compatible with any YubiKey that supports OTP) as well as the more powerful standalone OATH functionality of the YubiKey NEO"
... but makes no mention of the YubiKey 4.

This is an area of documentation which I think could do with some tidying up. Reading between the lines, I *think* that the YubiKey 4 has the same "new" OATH capabilities as the YubiKey NEO, except with 32 slots instead of 28.

Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour

Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group