Yubico Forum

Hi,

I started using the Yubico Authenticator for storing my passwords.
When I tried the osx version, I plugged in my yunikey and was surprised that all the otp's were already there even I added them only on my android phone.....
This leads me to a question - where are these sites/passwords I have manually added to the authenticator, stored? Are they on the usb key or somewhere on yubiko servers and just pulled? How does this works?

Thanks!

They are on the key.

The account name and secret-key/seed are stored on the key when you set them up (a counter is initialized for each HOTP account as well). When you query the key with the Yubico Authenticator, you enter the password and it sends the password and the current time to the device, which then uses the password to authenticate as well as the phone/computer current time to initialize the TOTP functionality. Then it generates all of the 6- and 8-digit TOTP/HOTP codes, one for each account/secret-key combination.

Brendan

Thanks for your explanation!
Are these codes related to any of the two slots? - would reprogramming some of the slots (I am using OTP and OATH in slots 1 and 2) cause that the codes will be deleted?
How to ensure that these codes are safe and will be not touched in any other way than from the OATH app in the phone?

Thank you!

They are not related to the two slots (usually). Yubico Authenticator generally uses the smart-card chip in the Neo, not the Yubico chip, and stores the OATH credentials away from the two older-style slot areas.

Recent versions of yubico authenticator (at least on the desktop) have added support for setting/reading the older slot-based storage of up to two HOTP/TOTP OATH credentials (named Slot 1 and Slot 2, I think). If you have been using a NEO with Yubico Authenticator to set up the credentials without setting any non-standard slot-based options, there should be no impact when configuring the slots using yubico's other tools.



Set a password in Yubico Authenticator.

Brendan