Yubico Forum

All times are UTC + 1 hour

Posted: Tue Dec 09, 2014 8:25 pm
Joined: Thu Oct 23, 2014 1:05 am
Posts: 5
I have a Yubico Standard Key that my company has set up for VPN access using OTP.

I recently got a Yubico NEO to use with Google. I'm starting with looking to replace my existing Standard Yubico with the NEO. I've received the Yubico OTP parameters my original standard key was programmed with and I've duplicated that onto the Neo ... but it fails to work with the VPN.

So we have a Yubico OTP Test web site at our company. The original Standard Yubico USB key I have says it verified fine. The NEO which is supposedly programmed with the same configuration details fails.

If the two keys are (supposedly) using identical configuration parameters for OTP, should the NEO both verify on the OTP test site as well as work in our VPN?

Is there anything else related to the NEO that would cause it to fail even though it's programmed like my Standard Key?

Posted: Wed Dec 10, 2014 10:08 am
Site Admin
Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Counters will fail if you use two keys at the same time. Please read how the Yubico OTP protocol works here:
https://www.yubico.com/wp-content/uploa ... l-v3.3.pdf

You can find an implementation of Yubico OTP generation in this repository:
https://github.com/Yubico/yubico-c

Posted: Fri Dec 12, 2014 4:57 am
Joined: Thu Oct 23, 2014 1:05 am
Posts: 5
Ahhh thank you for the reference. Thinking this is specifically what you are referring to:

The non-volatile counter is compared with the previously received
value. If lower than or equal to the stored value, the received OTP is
rejected as a replay.

That is likely exactly what is happening.

So what should be done to my account in this case? Does the account get "reset" somehow to reset the server's expectation of my counter value?

Posted: Fri Dec 12, 2014 10:39 am
Site Admin
Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Use one Yubikey, and submit OTP until the counter is synced again.

Stop using the other key.

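
Added example (not part of the thread and not Yubico's code): a small Python model of the replay rule quoted above and of the resync advice, showing why two keys programmed with the same configuration knock each other out of sync. `Token`, `ValidationServer`, the placeholder ID and the starting counters are hypothetical, and a single integer stands in for the key's counter state.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

PUBLIC_ID = "placeholder-id"  # constructed value, not a real YubiKey public ID


@dataclass
class Token:
    """Hypothetical stand-in for a key: an identity plus an increasing counter."""
    public_id: str
    counter: int = 0

    def press(self) -> Tuple[str, int]:
        self.counter += 1  # each OTP carries a higher counter than the last
        return self.public_id, self.counter


@dataclass
class ValidationServer:
    """Hypothetical server that stores the highest counter accepted per identity."""
    last_seen: Dict[str, int] = field(default_factory=dict)

    def verify(self, otp: Tuple[str, int]) -> bool:
        public_id, counter = otp
        # Rule quoted in the thread: lower than or equal to stored => replay.
        if counter <= self.last_seen.get(public_id, -1):
            return False
        self.last_seen[public_id] = counter
        return True


def presses_until_accepted(token: Token, server: ValidationServer, limit: int = 100_000) -> int:
    """Submit OTPs from one token until one is accepted; return how many it took."""
    for n in range(1, limit + 1):
        if server.verify(token.press()):
            return n
    raise RuntimeError("token did not catch up within the limit")


def demo() -> dict:
    server = ValidationServer()
    original = Token(PUBLIC_ID, counter=500)  # constructed: key already in use
    clone = Token(PUBLIC_ID, counter=0)       # constructed: same config, fresh counter
    return {
        "original_first": server.verify(original.press()),    # 501 > nothing stored
        "clone_first": server.verify(clone.press()),          # 1 <= 501, replay
        "presses_to_resync": presses_until_accepted(clone, server),
        "original_after_resync": server.verify(original.press()),  # 502 <= 502
    }
```

With these constructed counters the second key needs 501 submissions before the server accepts it, and from that point the first key is the one rejected as a replay.
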
Posted: Fri Dec 12, 2014 9:00 pm
Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I believe you can also set the moving factor seed (if you happen to know approximately what the counter is in your other Yubikey) in the Yubikey personalization tool if you don't want to manually press the OTP button a crazy number of times.
