Yubico Forum https://forum.yubico.com/

One time passwords, TOTP? https://forum.yubico.com/viewtopic.php?f=26&t=1614
Author: darklajid [ Thu Nov 20, 2014 6:29 pm ]
Post subject: One time passwords, TOTP?
Hey. So, I own a couple of YubiKeys, but only one NEO. I started playing around with that one today and managed to upload some GPG keys, set up SSH authentication using the authentication key, and just migrated my Google TFA details to the OATH applet/the Yubico Authenticator app on Android (or _off_ Android?). Great stuff. Now I want more. TOTP seems to be the nicest option (see below for my reasoning).

Question time!

- TOTP seems to be supported by the ykneo-oath applet. Is that true, or is that applet basically offering challenge/response and the Yubico Authenticator 'cheats'/provides the time (as in [1])?
- How many secrets can that applet store? If I want LastPass, FastMail, Google, random servers of mine... what's the limit? I've tried only one so far, but the limitations would be great to know; they define how useful that'd be for my uses.
- Is there a way to expose that OTP somehow, with a console app? I'm trying to figure out if I can use 'standard' TOTP services, store the secret on the YubiKey and have a portable 'give me the TOTP for service "foo"'. Basically the Yubico Authenticator, but the (Linux) laptop version for when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?

Thanks a lot for your help/input,
Ben

A bit of history/rationale: previously I wasn't using it (the NEO, or the previous YubiKeys) for lots of services, because

- OATH was limited to HOTP (vs. TOTP). Requiring a counter doesn't work if you want to access multiple machines/services; you can't keep it in sync. The token itself doesn't support TOTP and the only workaround was something like [1].
- Challenge/response doesn't work without explicit protocol support (I cannot use that with my mail client, for example).
- Yubico OTP is no option; that doesn't work for filtered internet access/intranet services/offline stuff. I tried running my own validation server in the past, but that was quite a challenge.
- I never understood the 'static password' feature, to be honest.

1: https://www.yubico.com/applications/int ... ces/gmail/
Author: Tom [ Fri Nov 21, 2014 11:45 am ]
Post subject: Re: One time passwords, TOTP?
> darklajid wrote: TOTP seems to be the nicest option (see below for my reasoning). Question time! - TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?

No, it is a real OATH applet. Check https://github.com/Yubico/ykneo-oath and read the documentation.

> darklajid wrote: - How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine .. what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.

You can have many; I have 50 and there is plenty of space left.

> darklajid wrote: - Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?

Check out the Yubico Authenticator desktop version of the command line client: https://github.com/Yubico/ykneo-oath/bl ... /client.pl
Author: darklajid [ Fri Nov 21, 2014 12:05 pm ]
Post subject: Re: One time passwords, TOTP?
> Tom wrote:
>> darklajid wrote: TOTP seems to be the nicest option (see below for my reasoning). Question time! - TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?
> No, it is a real OATH applet. Check https://github.com/Yubico/ykneo-oath and read documentation

Oh. I think I was phrasing my question in a crappy way. Looking at the client.pl now, it seems that I was correct with my assumption (it needs input/the current time for TOTP, which makes sense: it has no battery or state as far as I'm aware); I was just bad at describing it.

> Tom wrote:
>> darklajid wrote: - How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine .. what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.
> You can have many, I have 50 and there is plenty of space left.

That's amazing. And this isn't something entirely new, right? NEO vs. NEO-n are roughly comparable here (I assume you use the latest and greatest, looking at NEO-n tokens)?

> Tom wrote:
>> darklajid wrote: - Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?
> check out the yubico authenticator desktop version of the command line client https://github.com/Yubico/ykneo-oath/bl ... /client.pl

This made my day. Sorry that I missed it earlier; I should have noticed that before. That is _amazing_. Thanks a lot for your time.
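The two technical points in this thread, that a clockless token can only do TOTP if the host supplies the time (what client.pl does for the applet) and that HOTP counters cannot be kept in sync across several devices (the first post's rationale), as an added worked example in Python. This is illustration code written for this page, not code from the thread, from Yubico or from the ykneo-oath applet. It assumes the standard RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms and uses the RFC test-vector secret; the secret lives in host memory here purely so the example runs stand-alone, whereas on a NEO it stays inside the applet and only the HMAC result comes out.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the host's point of view.
Added illustration for the forum thread, not the ykneo-oath applet's code.
The secret is held in host memory here only so the example is self-contained."""
import hashlib
import hmac
import struct
import time

# Constructed input: the RFC 4226 / RFC 6238 test-vector secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP is HOTP whose counter is floor(time / step). The time is an *input*:
    a token without a clock cannot derive it, so the host (phone app, client.pl)
    has to pass it in with each request."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- `window` steps of clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).
    Returns the next expected counter on success, or None if no counter in the
    window produces `code`."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def hotp_two_devices(secret: bytes):
    """The first post's complaint, made concrete: devices A and B share the
    secret but each keeps its own counter. After A has authenticated five
    times the server expects counter 5, so B's first code (counter 0) is
    rejected as already consumed. Returns (server_counter_after_A, result_for_B)."""
    server = 0
    for device_a_counter in range(5):
        server = verify_hotp(secret, hotp(secret, device_a_counter), server)
    device_b_counter = 0  # B has never been used, its counter is still 0
    return server, verify_hotp(secret, hotp(secret, device_b_counter), server)


def totp_two_devices(secret: bytes, unix_time: int, skew_seconds: int):
    """With TOTP the only shared state is the secret plus a roughly accurate
    clock, so two devices agree without talking to each other, and the server's
    window absorbs small skew. Returns (codes_equal, accepted_with_skew)."""
    code_a = totp(secret, unix_time)
    code_b = totp(secret, unix_time)
    return code_a == code_b, verify_totp(secret, code_a, unix_time + skew_seconds)


if __name__ == "__main__":
    print("TOTP now:", totp(SECRET, int(time.time())))
    print("HOTP, second device after five uses of the first:", hotp_two_devices(SECRET))
    print("TOTP, two devices, 25 s skew:", totp_two_devices(SECRET, 1111111109, 25))
    print("TOTP, two devices, 70 s skew:", totp_two_devices(SECRET, 1111111109, 70))
```

The `verify_hotp` look-ahead window is what lets a server resynchronise a single token whose user pressed the button a few times without logging in; it does nothing for a second device, whose counter is permanently behind once the first device has been used, which is exactly why the poster could not use HOTP across machines. `verify_totp` with `window=1` accepts a code from one 30-second step either side, so a few seconds of drift between the host's clock and the server's is tolerated while a minute or more is not.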
All times are UTC + 1 hour