Yubico Forum

All times are UTC + 1 hour
PostPosted: Wed Feb 10, 2016 2:19 pm 

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
Hello all,

we are testing Yubikey OTP for web-based authentication using Apache and the module authn_otp_module. Now one of the test keys is out of sync with the server. Is there any way of reading the current counter value off the key so that the counter value on the server can be adjusted? What is the best practice if one of the user keys gets out of sync (which will surely happen)?

regards



PostPosted: Wed Feb 10, 2016 3:39 pm 

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
yeah that's one of the greatest issues with HOTP and a reason I don't like it...
in any case I would love it if HOTP would include the counter in the first place; that way there's no desync. Well, that is essentially done by U2F and YubiOTP, but YubiOTP is essentially sharing secrets with a 3rd party, so U2F is better even if it's annoying as hell to completely integrate it into your system compared to YubiOTP (self-experience)

to answer your topic I don't know of any way of getting the counter out. might be a future improvement.


PostPosted: Wed Feb 10, 2016 3:56 pm 

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
My1 wrote:
to answer your topic I don't know of any way of getting the counter out. might be a future improvement.


That's what I feared, thanks. But does that mean that the only options I have to remedy this are:

  • Set the allowed counter offset ridiculously high (defeating security gains)
  • Try random counter values on the server until server and key are in sync again (which might take forever)
  • Reprogram the key (which is fast but still undesired)

This is far from practical in any productive environment that I can imagine. Surely there must be a better way ... ?


PostPosted: Wed Feb 10, 2016 4:54 pm 

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
a ridiculously high counter value also takes performance away because every OTP has to be checked, and a counter tolerance of +99 (so the next code and 99 more, being a hundred in total) means that a whole 100 OTPs have to be calculated, simply annoying. and as you said the security will not be positively affected. also someone might lock you out, because they randomly broke one of your OTPs, setting the counter ABOVE yours, no fun, seriously.

if Yubico Authenticator wouldn't need to be installed (or you had no problem with installing stuff) you could use that to use TOTP, especially since it is a LOT more reliable, since a +-5 tolerance gives 11 codes with a time tolerance of 2:30min in both directions with fewer security problems. the only problem is that there is need for a manual replay check (I just store the entered codes along with the userID and a "void time" [in short "as soon as this code is out of the tolerance window"] in a db and they will be kicked off as soon as the server reaches void time). For HOTP this is not needed as the counter must be set anyway to the OTP we have, and tolerance must only be forward and must not be backwards.


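As an added example (not code from either poster), here is the HOTP look-ahead resync and the TOTP "void time" replay check discussed above, in Python. The secret and code values in the tests are the RFC 4226/6238 test vector, not a real key; the `window` and `tolerance` parameters are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str, window: int = 20):
    """Look-ahead resync as the thread describes: try the expected counter and up to
    `window` counters after it (forward only, so older/replayed OTPs never match).
    Each failed attempt costs window+1 HMACs, which is the performance point raised
    in the last post. Returns the new server counter, or None on failure."""
    for candidate in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1  # server moves past the accepted counter
    return None


class TotpVerifier:
    """TOTP with +-tolerance steps plus the manual replay check from the thread:
    every accepted code is stored per user with a 'void time', the moment the
    code leaves the tolerance window, and entries are purged once that passes."""

    def __init__(self, secret: bytes, tolerance: int = 5, step: int = 30):
        self.secret, self.tolerance, self.step = secret, tolerance, step
        self.used = {}  # (user, code) -> void time (unix seconds)

    def verify(self, user: str, code: str, now: int) -> bool:
        self.used = {k: v for k, v in self.used.items() if v > now}  # drop voided
        if (user, code) in self.used:
            return False  # replay inside the window
        t = now // self.step
        for cand in range(max(0, t - self.tolerance), t + self.tolerance + 1):
            if hmac.compare_digest(hotp(self.secret, cand), code):
                # code for step `cand` is accepted until step cand+tolerance ends
                self.used[(user, code)] = (cand + self.tolerance + 1) * self.step
                return True
        return False
```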