Yubico Forum

OTP Compromise - Is This A Vulnerability or Expected Issue?
Page 1 of 1

Author:  Guinness [ Sun Jan 24, 2016 8:00 pm ]
Post subject:  OTP Compromise - Is This A Vulnerability or Expected Issue?

I contacted support about this around 4 days ago, but have not received an answer, so I think I need to put this to the community just in case, and also to ease my mind on something that could be a perfectly mundane (but annoying, none-the-less) issue.

The problem I had was with an OTP I generated for a website I use. - I generated the key, saved the new key to one of the key configuration slots, and uploaded it (successfully) to the YubiKey servers. The test also worked, so I proceeded to use it on the website to be secured and all was good (logged-in, logged-out, closed the browser, opened the browser, logged-in again, etc.). Then, a few days later, I found that the OTP was no longer working and that my OTP had been changed - not on my key, but on the site itself. - How did this happen?

My thought is that someone guessed or knew the email address I used with the OTP, and that they generated and uploaded a key to the YubiKey server using that same email address, thereby effectively locking me out of the secured site. - Would this work? - If it would then it would explain what happened, but it would also be a major security concern because, whilst that would not immediately mean that someone could gain access to the secured site, it would still mean that they could, effectively, lock you out of a secured resource very quickly and very easily just by generating and uploading a YubiKey OTP with the same email address to the YubiKey server.

Author:  Guinness [ Tue Jan 26, 2016 12:16 am ]
Post subject:  Re: OTP Compromise - Is This A Vulnerability or Expected Iss

Well, OK, it might only be a day later, but I have also been waiting a good 5 days for "support" to answer my question, too, so I am going to post this as a way of trashing YubiKey OTP access (for example, locking Facebook employees out of their accounts). If I am wrong then perhaps admin [do we have one(?), or even support (non-existent as far as I can tell)] could actually look into this and make the effort to see if it is actually a problem with the device (YubiKey 4); otherwise maybe they could motivate themselves sufficiently to shed some light on what happened and to the clarify the situation with this issue (if nothing else, so anyone else with a similar issue might actually understand what is happening if they experience the same problem).

Author:  ChrisHalos [ Mon Feb 01, 2016 10:05 pm ]
Post subject:  Re: OTP Compromise - Is This A Vulnerability or Expected Iss

One of our support representatives responded to the same I'm assuming you're referring to (case 14428) on January 21, but unfortunately did not mark the case as "public." The comment was resent to you this morning. I'm including the original response here as well:

Are you asking if a second user could upload a Yubico OTP credential at upload.yubico.com using your e-mail address, and if so, would it overwrite the credential you uploaded previously? If so, no, you can upload an infinite number of Yubico OTP credentials and associate them with the same e-mail address. Also, if you try to upload a credential with the same public identity (first 12 characters of the OTP), you will get an error from the upload page that the credential already exists.

Have you tested the output at demo.yubico.com? This page will confirm if the credential you uploaded is actually working, and will allow you to test a Yubico OTP to confirm it is accepted by the YubiCloud.

Also, I'm confused about this part - "my OTP had been changed - not on my key, but on the site itself". The key changed on what site?

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group