Yubico Forum
https://forum.yubico.com/

Security risks with temporary access to a Yubikey?
https://forum.yubico.com/viewtopic.php?f=35&t=2422

Author:  genealogyxie [ Tue Sep 13, 2016 1:09 pm ]
Post subject:  Security risks with temporary access to a Yubikey?

Could a potential attacker be able to store the output from a Yubikey that he would temporarily have in his possession and then use that output to log in to a Bitlocker-protected Windows 10 machine with the Yubikey login tool?

What about storing an OTP for later use to authenticate other things like LastPass?

Author:  ChrisHalos [ Tue Sep 13, 2016 3:43 pm ]
Post subject:  Re: Security risks with temporary access to a Yubikey?

I assume you're referring to...

HMAC-SHA1 Challenge-Response (Windows Login) - No, Challenge-Response doesn't emit any text like OTP does, and the secrets can't be read off the YubiKey.

Yubico OTP (LastPass) - Yes and no, depending on the use case. Yes, if someone gets your YubiKey and sends an OTP to their e-mail (for example), they could use this later UNLESS you have validated again since the OTP was generated. Validating a newly generated OTP invalidates all previously generated OTPs.

So basically, if you believe someone might have grabbed an OTP, just go to demo.yubico.com as soon as possible and test single-factor. Running this test will invalidate any previously generated OTPs.
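
The invalidation rule described in the reply above, as an added example that is not part of the original thread and is not Yubico's server code: a simplified model in which the validation server remembers the highest counter pair seen for each key and rejects any OTP that is not newer. Decryption of the OTP is skipped, and the key ID and counter values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecryptedOtp:
    """Counter fields a validation server reads from a decrypted OTP (simplified)."""
    public_id: str        # identifies which key produced the OTP
    session_counter: int  # goes up each time the key is powered on
    use_counter: int      # goes up for each OTP emitted within one power-on

    @property
    def position(self):
        # Tuples compare left to right, so a newer session always wins.
        return (self.session_counter, self.use_counter)


class ValidationServer:
    """Keeps the newest counter position accepted for every key."""

    def __init__(self):
        self._last_seen = {}

    def validate(self, otp):
        last = self._last_seen.get(otp.public_id)
        if last is not None and otp.position <= last:
            return "REPLAYED_OTP"  # same as, or older than, one already accepted
        self._last_seen[otp.public_id] = otp.position
        return "OK"


KEY = "ccccccexample"                     # constructed public ID
CAPTURED = DecryptedOtp(KEY, 12, 3)       # OTP copied during temporary access
OWNER_RECHECK = DecryptedOtp(KEY, 13, 0)  # owner validates a fresh OTP afterwards


def owner_validates_first():
    """Owner submits a fresh OTP before the captured one is ever presented."""
    server = ValidationServer()
    return [server.validate(OWNER_RECHECK), server.validate(CAPTURED)]


def captured_presented_first():
    """Captured OTP reaches the server before the owner has validated again."""
    server = ValidationServer()
    return [server.validate(CAPTURED), server.validate(CAPTURED)]


if __name__ == "__main__":
    print("owner validates first:   ", owner_validates_first())
    print("captured presented first:", captured_presented_first())
```

In the first scenario the stored OTP is refused because a newer counter has already been recorded, which is why validating a fresh OTP promptly is the mitigation; in the second it is accepted once and refused on any repeat.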

Author:  genealogyxie [ Thu Sep 15, 2016 1:58 am ]
Post subject:  Re: Security risks with temporary access to a Yubikey?

Would there be a way to find out if an OTP was generated without being used yet?

I'm assuming that the OTP is only verified through a Yubico server or some central server on the Internet?

Author:  ChrisHalos [ Thu Sep 15, 2016 4:30 pm ]
Post subject:  Re: Security risks with temporary access to a Yubikey?

There is no way to determine if additional OTPs were generated between the last successful authentication

All times are UTC + 1 hour