Q: What happens if a user randomly presses the Yubico button when the cursor is not on the password field? How can you keep the client and the authentication service in "sync" without an accurate time stamp?
A: A: If a user presses the Yubikey button, an OTP is always generated. The yubikey has a counter that is incremented monotonously on every powerup,so the server could notice that an OTP was missing. However, since our algorithm is not time-based, there is no need for any expensive server-side synchronization process when this happens.
|