Yubico Forum

In yubikey-personalization-gui (3.1.24, linux), there's a confusing note in Help: Public Identity: Yubico OTP validation server requires Public Identity to be of 12 characters (6 bytes) in order to correctly extract the Secret Key. If you change the Public Identity to any other length, the Yubico OTP validation server won't be able to extract the Secret Key and the OTP validation will fail.

Validation server is extracting the secret key not from the OTP token, but from the data sent during the registration, which is structured, so no problem should occur here.

If "encrypted part of token" was in fact meant by "secret key", why is it a problem here, provided that the encrypted part is one block of AES-128 cipher text, i.e. fixed length (so UID would be the whole substring before the fixed encrypted data)? (In this case, the typo should be fixed an the app.)

I guess i might be wrong in some assumption, because of different legacy protocols, or so.

If you're using a Yubico validation server (or the YubiCloud, the one that the default configuration is authenticating against), the first 12 characters are the public identity (essentially a username, if you will), while the remainder of the OTP is the actual one-time password. If you were to program a 40 character OTP, for example, the YubiCloud still assumes the first 12 characters are the public identity (when in fact, in this model, only the first 8 are).

If you're standing up your own server, I believe you can program it to where shorter OTPs are used, therefore shorter public identities as well, but that's outside of our model. https://developers.yubico.com/OTP/OTPs_Explained.html