Yubico Forum
https://forum.yubico.com/

OTP on NEO vs OTP on Yubico Standard Key
https://forum.yubico.com/viewtopic.php?f=26&t=1653

Author:  riverrat [ Tue Dec 09, 2014 8:25 pm ]
Post subject:  OTP on NEO vs OTP on Yubico Standard Key

I have a Yubico Standard Key that my company has set up for VPN access using OTP.

I recently got a Yubico NEO to use with Google. I'm starting with looking to replace my existing Standard Yubico with the NEO. I've received the Yubico OTP parameters my original standard key was programmed with and I've duplicated that onto the NEO ... but it fails to work with the VPN.

So we have a Yubico OTP Test web site at our company. The original Standard Yubico USB key I have says it verified fine. The NEO which is supposedly programmed with the same configuration details fails.

If the two keys are (supposedly) using identical configuration parameters for OTP, should the NEO both verify on the OTP test site as well as work in our VPN?

Is there anything else related to the NEO that would cause it to fail even though it's programmed like my Standard Key?

Author:  Tom2 [ Wed Dec 10, 2014 10:08 am ]
Post subject:  Re: OTP on NEO vs OTP on Yubico Standard Key

Counters will fail if you use two keys at the same time, please read how the Yubico OTP protocol works here:
https://www.yubico.com/wp-content/uploa ... l-v3.3.pdf

You can find an implementation of Yubico OTP generation in this repository:
https://github.com/Yubico/yubico-c

Author:  riverrat [ Fri Dec 12, 2014 4:57 am ]
Post subject:  Re: OTP on NEO vs OTP on Yubico Standard Key

Ahhh thank you for the reference. Thinking this is specifically what you are referring to:

The non-volatile counter is compared with the previously received
value. If lower than or equal to the stored value, the received OTP is
rejected as a replay.

That is likely exactly what is happening.

So what should be done to my account in this case? Does the account get "reset" somehow to reset the server's expectation of my counter value?

Author:  Tom2 [ Fri Dec 12, 2014 10:39 am ]
Post subject:  Re: OTP on NEO vs OTP on Yubico Standard Key

Use one Yubikey, and submit OTP until the counter is synced again.

Stop using the other key.

Author:  darco [ Fri Dec 12, 2014 9:00 pm ]
Post subject:  Re: OTP on NEO vs OTP on Yubico Standard Key

I believe you can also set the moving factor seed (if you happen to know approximately what the counter is in your other yubikey) in the yubikey personalization tool if you don't want to manually press the OTP button a crazy number of times.
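The replay rule quoted in the thread, as an added example that is not part of any post and is not Yubico's code: a simplified model in which two keys share one identity and the server rejects any counter lower than or equal to the stored one. The class names, the public ID and the starting counter of 300 are constructed, and each `otp()` call stands for the first OTP after a power-up.

```python
"""Simplified model of the counter replay check (constructed example)."""


class Validator:
    """Keeps the highest non-volatile counter accepted per public ID."""

    def __init__(self):
        self.stored = {}

    def verify(self, public_id, counter):
        # Quoted rule: lower than or equal to the stored value -> replay.
        if counter <= self.stored.get(public_id, 0):
            return "REPLAY"
        self.stored[public_id] = counter
        return "OK"


class Token:
    """One key; in this model the counter rises by one per otp() call."""

    def __init__(self, public_id, counter=0):
        self.public_id = public_id
        self.counter = counter

    def otp(self):
        self.counter += 1
        return self.public_id, self.counter


def presses_to_resync(validator, token):
    """Count the OTPs a lagging token must submit until one is accepted."""
    presses = 0
    while True:
        presses += 1
        if validator.verify(*token.otp()) == "OK":
            return presses


def demo():
    server = Validator()
    old_key = Token("id-constructed", counter=300)  # key already in use
    new_key = Token("id-constructed", counter=0)    # clone, freshly programmed
    results = [server.verify(*old_key.otp())]       # 301 > 0: accepted
    results.append(server.verify(*new_key.otp()))   # 1 <= 301: rejected
    needed = presses_to_resync(server, new_key)     # rejected until 302
    results.append(server.verify(*old_key.otp()))   # 302 <= 302: old key now lags
    return results, needed


if __name__ == "__main__":
    print(demo())
```

Once the clone catches up, the original key is the one rejected, which is why only one of the two can stay in use.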

All times are UTC + 1 hour