Yubico Forum

 Post subject: Reusing OTP passwords
PostPosted: Fri Feb 06, 2009 12:53 am 
Joined: Fri Feb 06, 2009 12:45 am
Posts: 5
Hello!

I just received a Yubikey and I have been playing with it on MashedLife and the API server. I am able to reuse one-time passwords by cycling through unique OTPs. Maybe I am missing something, so I am hoping someone can help me out.

Here is what I did:

1) Open a text editor

Press the button on the Yubikey two times to get two OTPs.

2) Goto these URLS:

http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP1 HERE>
http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP2 HERE>

3) That should have used both the OTPs. Now do it again:

http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP1 HERE>

This returns status OK.

http://api.yubico.com/wsapi/verify?id=16&otp=<PASTE OTP2 HERE>

This returns status OK.


As long as I don't use the same OTP twice in a row, I can just cycle between the two and I always get a response code of "OK". Is this the expected behaviour or is something broken? I confirmed this by logging into MashedLife by rotating through the passwords.

Thanks!
Ryan



PostPosted: Fri Feb 06, 2009 2:29 am 
Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
FYI

Tried the same thing, got the same result.

Dick


PostPosted: Fri Feb 06, 2009 3:15 am 
Joined: Fri Feb 06, 2009 12:45 am
Posts: 5
Yeah, this is pretty disconcerting. I've been able to use an OTP replay attack on a few sites now (as long as I get two OTPs). This makes sense because the API is returning the OK status.

I've emailed Yubico and hopefully once it's daylight in Sweden we will get a response. If I get time I'll take a peek at the auth-server code and see if I notice anything.

My understanding was that the OTP had a timestamp in it and the auth-server kept track of the last valid timestamp and would not allow anything to be used before that time.

-Ryan


PostPosted: Fri Feb 06, 2009 10:49 am 
Joined: Wed Jun 18, 2008 6:51 pm
Posts: 19
The OTP does indeed have a timestamp in it as well as a use count, but it is up to the server whether to make use of these to detect replays. Sounds like the servers you tried do not.


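The post above names the two fields a validation server has to track, the session counter and the session-use counter, and the first post shows the sequence that slipped past the public server (OTP1, OTP2, OTP1, OTP2). The example below is added here and is not Yubico's validation-server code; it shows the server side of that check in Python. It takes the 16-byte plaintext token a server holds after AES-128-ECB decryption of the 32 modhex characters that follow the public ID (the AES step itself is assumed to have happened already and is not implemented), verifies the token CRC, checks the private UID against the registered one, and rejects any token whose (session counter, session use) pair does not move past the stored high-water mark. The public ID, private UID, counters and timestamps are constructed test data, and the status strings borrow the names the Yubico API uses.

```python
"""Server-side replay check for Yubico OTP tokens (added example, not Yubico code).

Operates on the decrypted 16-byte token: uid(6) | session ctr(2, LE) |
timestamp low(2, LE) | timestamp high(1) | session use(1) | random(2) | crc(2).
AES decryption of the OTP body is assumed to have been done by the caller.
"""
import struct

MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8        # running CRC over a valid 16-byte token ends here


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string; every character is one nibble."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[::2], nib[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey: reflected poly 0x8408, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def split_otp(otp: str):
    """Public ID (first 12 modhex chars) and the still-encrypted 16-byte token."""
    if len(otp) != 44:
        raise ValueError("expected 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def parse_token(plain: bytes) -> dict:
    """Parse a decrypted token; a bad CRC means a wrong AES key or a corrupt OTP."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("bad CRC")
    uid, ctr, ts_lo, ts_hi, use, rnd = struct.unpack("<6sHHBBH", plain[:14])
    return {"uid": uid, "ctr": ctr, "use": use, "ts": (ts_hi << 16) | ts_lo, "rnd": rnd}


def build_token(uid: bytes, ctr: int, use: int, ts: int, rnd: int) -> bytes:
    """Constructed test data: lay the fields out as the key does and append ~CRC (LE)."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


class Validator:
    """Remembers, per public ID, the highest (session ctr, session use) accepted."""

    def __init__(self, keys: dict):
        self.keys = keys   # public_id -> registered private uid
        self.last = {}     # public_id -> (ctr, use) high-water mark

    def verify(self, public_id: bytes, plain: bytes) -> str:
        try:
            tok = parse_token(plain)
        except ValueError:
            return "BAD_OTP"
        if self.keys.get(public_id) != tok["uid"]:
            return "BAD_OTP"
        # Both counters only ever move forward on the device, so anything at or
        # below the stored pair has already been seen: this is the check whose
        # absence lets two OTPs be cycled indefinitely.
        if (tok["ctr"], tok["use"]) <= self.last.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"
        self.last[public_id] = (tok["ctr"], tok["use"])
        return "OK"


def demo():
    """Replay the thread's experiment: OTP1, OTP2, then OTP1 and OTP2 again."""
    pub = modhex_decode("ccccccbcgujh")          # constructed public ID
    uid = bytes.fromhex("8792ebfe26cc")          # constructed private UID
    v = Validator({pub: uid})
    t1 = build_token(uid, ctr=1, use=0, ts=0x0003E8, rnd=0x1234)
    t2 = build_token(uid, ctr=1, use=1, ts=0x0003F1, rnd=0x5678)
    return [v.verify(pub, t) for t in (t1, t2, t1, t2)]


if __name__ == "__main__":
    print(demo())
```

A real validation server also keeps the high-water mark in durable, shared storage (replicas that do not sync their counters re-open exactly this hole) and can additionally compare the 8 Hz timestamp against wall-clock time within a session to flag OTPs that were harvested and used much later; the counter comparison above is the minimum that stops the cycling attack.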
PostPosted: Fri Feb 06, 2009 4:23 pm 
Joined: Fri Feb 06, 2009 12:45 am
Posts: 5
I tried the API server run by Yubico. Without checking the timestamp and use count this isn't really OTP. I should be able to paste 2+ of my *used* OTPs to this forum without fear, but I cannot... you would be able to access my MashedLife and Forum account. Sure, I can and should use a PIN, but that is beside the point. I will set up my own auth server, but I would hope that Yubico will change the settings on their public server because a lot of services use it.

Ryan


PostPosted: Fri Feb 06, 2009 11:34 pm 
Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
Wow, this is really bad. No word from Yubico?


PostPosted: Sat Feb 07, 2009 1:02 am 
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Oh-la-la... I believe we got an issue here...

We'll check it out immediately.

Regards,

Jakob E
Hardware- and firmware guy @ Yubico


PostPosted: Sat Feb 07, 2009 6:41 am 
Joined: Fri Feb 06, 2009 12:45 am
Posts: 5
Any word on this issue? Do you guys have a formal test/QA process? Do you run the latest open-sourced version of the server?

The company I work for is trying to find good solutions for 2-factor authentication and I recommended we try Yubikeys. We will run our own authentication server, but it is still important to us that Yubico act responsibly and securely. It would be a shame to ask our customers to use Yubikeys only to see Yubico have major issues or go out of business. I understand the occasional bug, but this is a fairly significant issue and it does not seem to be high-priority.

I understand that Yubico is a startup, but these are the questions my management will be asking me and I need to be able to justify our use of yubikeys.

Thanks
Ryan


PostPosted: Sat Feb 07, 2009 7:27 am 
Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
By my calculations, it was the middle of the night in Sweden when JakobE posted his message in this thread. I'd be very surprised if we don't see a prompt response.

Dick


PostPosted: Sat Feb 07, 2009 9:00 am 
Joined: Sat Feb 07, 2009 8:54 am
Posts: 1
ryan wrote:
Any word on this issue? Do you guys have a formal test/QA process? Do you run the latest opensourced version of the server?

.........

I understand that Yubico is a startup, but these are the questions my management will be asking me and I need to be able to justify our use of yubikeys.

Thanks
Ryan


Guys, be patient! This is the nature of open source and start-ups. Especially in Yubico everyone is working part-time (I met them at the Identity conference). Staff seems to be in India, as I just found (http://www.networkmarvels.com/contact.html).

Everyone is doing their best with their part-time effort. But just like MySQL, it takes time to mature.

Good job

