Hello,
In order to support legacy password systems, the Yubikey 2 supports user-triggered static password change. The function is designed for the specific use case of a traditional login system with a stricter password policy where the user is asked to change their password on a regular basis.
The intended use case is like the following: 1. The user is asked to update their password. 2. The user enters their secret password. The user presses the Yubikey button and the current fixed password is yielded 3. The user is asked to enter the new password. 4. The user enters their secret password. The user presses and holds the Yubikey button for 10 seconds. 5. When released, a short tap updates the internal password with a new randomized one. The new OTP is sent. 6. The user is asked to confirm the new password. 7. The user enters their secret password. The user presses the Yubikey button again and the new password is sent. 8. The user completes the password change.
As the change function has no protection against unauthorized usage, there is a danger that an unauthorized person can sabotage a user’s Yubikey by triggering this function.
Thanks and best regards, Samir.
|