Yubico Forum

All times are UTC + 1 hour
PostPosted: Tue Mar 14, 2017 11:00 pm 
Hi,

Before I set up my new Yubikey NEO I would like to figure out how to create a duplicate / backup Yubikey. I understand that U2F logins cannot be duplicated, so for those web pages I will need to add both of the Yubikeys separately.

However, for OATH-TOTP would it be possible to store the same secret (i.e., QR code provided by the webpage) on two different Yubikeys using two different Yubi Authenticators?

The steps would be:
  1. Have webpage generate QR code.
  2. Scan QR code on device A with Yubi Authenticator and touch Yubikey 1 to the NFC antenna to store the secret.
  3. Scan QR code again, this time on device B with a different Yubi Authenticator and touch Yubikey 2 to the NFC antenna to store the secret.

Shouldn't both Yubikeys now generate the same OTPs, regardless of which Yubi Authenticator is used?

Thanks,
Marek


PostPosted: Wed Mar 15, 2017 5:13 am 
Yubico Team
Yes, with OATH-TOTP (since it's time-based) you can store the same secret on multiple YubiKeys. It doesn't matter which instance of Yubico Authenticator you use. Yubico Authenticator provides the current time to the YubiKey, which in turn provides the current time-based code for all TOTPs stored on that YubiKey.


PostPosted: Wed Mar 15, 2017 9:34 am 
Yes, that works just as it does with multiple software TOTP authenticators. Both the secret and the state information (time) are known outside the hardware key, and the secret can be installed multiple times. At least provided that you did not forget to save it or initialise all devices at once - many sites only show a 2D graphic representation during the initialisation process, to discourage careless key management. So you may have to make a screen copy or convert the 2D code to text for storage and internal distribution.

U2F is unique to each hardware key, but all sites I've come across support (and suggest) adding at least one backup key.


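Both replies above rest on the same mechanism: a TOTP code is a function of the shared secret and the current time only, so two keys provisioned with the same secret return the same code when the host supplies the same time. The Python example below is added here to illustrate that; it is not code from either poster, from Yubico Authenticator, or from the YubiKey OATH applet. `SimulatedOathKey` is a hypothetical stand-in for one key's OATH credential store (it holds the secret and has no clock, so the host passes the time in with each calculate request), the `otpauth://` URI is constructed to mirror what an enrolment QR code contains, and the secret is the RFC 6238 test key, so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI (this is the text an "add authenticator" QR code encodes).
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the credential parameters from an otpauth://totp/... URI.

    This is the "convert the 2D code to text" step: once the QR contents are
    text, the same secret can be loaded into any number of keys."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_base32(secret: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lower case and missing padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the caller-supplied time."""
    return hotp(key, unix_time // period, digits, algorithm)


class SimulatedOathKey:
    """Hypothetical model of one hardware key's OATH credential store.

    It keeps the secret and the per-credential parameters but has no clock of
    its own, which is why calculate() takes the time from the host."""

    def __init__(self):
        self._credentials = {}

    def put(self, name: str, base32_secret: str, digits: int = 6, period: int = 30, algorithm: str = "SHA1"):
        self._credentials[name] = (decode_base32(base32_secret), digits, period, algorithm)

    def calculate(self, name: str, unix_time: int) -> str:
        key, digits, period, algorithm = self._credentials[name]
        return totp(key, unix_time, period, digits, algorithm)


def provision_two_keys(uri: str, unix_time: int) -> tuple:
    """Load the same QR-code credential into two separate keys and ask each
    for the code at the same host-supplied time; both values come back equal."""
    cred = parse_otpauth_uri(uri)
    key_a, key_b = SimulatedOathKey(), SimulatedOathKey()
    for k in (key_a, key_b):
        k.put(cred["label"], cred["secret"], cred["digits"], cred["period"], cred["algorithm"])
    return key_a.calculate(cred["label"], unix_time), key_b.calculate(cred["label"], unix_time)


if __name__ == "__main__":
    now = int(time.time())
    a, b = provision_two_keys(DEMO_URI, now)
    print(f"key A: {a}  key B: {b}  match: {a == b}")
    # A host with a skewed clock gets a different code from the very same key,
    # which is the practical reason the authenticator's clock has to be right.
    cred = parse_otpauth_uri(DEMO_URI)
    print("next period:", totp(decode_base32(cred["secret"]), now + cred["period"]))
```

The two simulated keys never talk to each other; they agree only because the secret and the time are both inputs the host controls. That is also why the second reply's advice holds: whoever keeps the plain-text secret (the URI above) can load it into a third key later, and whoever loses it cannot.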