Yubico Forum
https://forum.yubico.com/

How long is an OTP valid for?
https://forum.yubico.com/viewtopic.php?f=4&t=239

Author:  ramonsky [ Thu Jan 22, 2009 4:49 pm ]
Post subject:  How long is an OTP valid for?

Hi, I have a question.

I generated a one-time password into a text editor. Three and a half hours later, I copy/pasted into this forum's login form, and successfully logged in. Is there a time-limit before these things expire?

Author:  aff [ Thu Jan 22, 2009 7:32 pm ]
Post subject:  Re: How long is an OTP valid for?

ramonsky wrote:
Is there a time-limit before these things expire?

If I understand it correctly, no. The YubiKey has no clock. However, it does have several counters, some of which are reset when you unplug it, while some are stored even when you unplug it. The counters enable the authorization server to keep track of the state of the YubiKey. Once you use an OTP, you will not be able to use it again. Additionally, all previous OTPs become invalid. This protects against replay attacks.

http://www.yubico.com/technology/description/
http://en.wikipedia.org/wiki/Replay_attack

[edited 2009-01-23 08:45]

Author:  ramonsky [ Thu Jan 22, 2009 7:39 pm ]
Post subject:  Re: How long is an OTP valid for?

Ah, OK. That makes sense.
Thanks

Author:  olivierm [ Wed Apr 28, 2010 4:38 pm ]
Post subject:  Re: How long is an OTP valid for?

But what happens if an attacker manages to get his hands on my keys for long enough to generate a bunch of OTPs?

Like a co-worker who would take advantage of me having coffee to plug my key into his own computer. What would prevent him from using these OTPs (without my key), except me generating AND validating a new OTP first?

I know that could be mitigated by only leaving the key plugged long enough to authenticate (and then, back in the pocket where it belongs!), but for someone who's keeping a netbook with him, it's only a matter of minutes (if not seconds) to get a bunch of perfectly valid OTPs.

Am I wrong?

Author:  akkornel [ Sat May 01, 2010 8:54 am ]
Post subject:  Re: How long is an OTP valid for?

olivierm wrote:
But what happens if an attacker manages to get his hands on my keys for long enough to generate a bunch of OTPs?

<<<snip>>>

If I understand correctly, there are three concerns here:

  1. Somebody gets to your machine while it is unlocked and the Yubikey is inserted. The user generates several OTPs, sends them to himself (email, file copy, whatever), and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  2. Somebody gets to your Yubikey while it is left alone. The user connects the Yubikey to their computer, generates several OTPs, and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  3. You discover someone playing with your Yubikey (either as part of #1 or #2, or for a different reason). You are not sure if they have generated some OTPs for themselves.

I think the solutions would be different.

For issue #1: On most machines, there is a screen saver which will activate automatically (after some inactivity) or manually (by pressing a button on screen, pressing a special key on the keyboard, or moving the mouse to a specific location). There is another topic where a way is discussed (in Linux) for the screen saver to automatically activate when you remove your Yubikey from the USB port, and to display the login window when inserting the Yubikey. I think somebody should work on a Windows add-on that does the same thing.

For issue #2: There are two options:

  1. If you use software (like Rohos Login) which uses the Yubikey OTP to log in or unlock the screensaver, then as soon as you return to your computer and unlock it (or log in), the "stolen" OTPs are made useless.
  2. Have a small software program that watches in the background to see if a Yubikey is inserted. Once it is, display a window (or taskbar alert, something unobtrusive) that asks for an OTP. Once an OTP is provided, the window should disappear, and your program should send the OTP to the validation server. You are not actually using the OTP to authenticate to anything, you are just making sure that any "stolen" OTPs are made useless. As a useful feature, warn the user if you get a suspicious error (like an OTP_REPLAYED error).

For issues #1 and #2, if you configure web sites to log you out after a shorter amount of time, this will cause you to use OTPs more often, making any "stolen" OTPs invalid sooner. For example, if you use LastPass Premium (which allows you to use the Yubikey as part of the authentication) and can configure LastPass to prompt you to log in after unlocking the screensaver, part of the log-in process will require an OTP, which will be validated, making any "stolen" OTPs useless!

For issue #3: Yubikey could provide a site (example title: "OTP Check" or "Token Sync") where you provide an OTP. Yubico takes the OTP and checks it against the validation server, instantly making all of the "stolen" OTPs useless.

So, the basic concepts are...

  • Keep the Yubikey with you as much as possible.
  • If you are separated from the Yubikey, when you return, generate and use an OTP as soon as possible!
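The following Python is an added illustration, not code from this thread or from Yubico, of the counter behaviour aff describes and the "use a fresh OTP when you get your key back" mitigation akkornel proposes. The key, the server, and the unencrypted two-counter OTP are simplified constructed models (a real OTP is an AES-encrypted block carrying these counters among other fields); the status strings mirror the validation protocol's OK and REPLAYED_OTP.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model: only the two counters that drive replay protection are shown,
# in the clear. A real YubiKey OTP also carries a private ID, timestamp and CRC, AES-encrypted.
@dataclass(frozen=True, order=True)
class Otp:
    session: int  # non-volatile counter: +1 every time the key is powered up
    use: int      # volatile counter: +1 per OTP, reset to 0 at power-up


class YubiKeyModel:
    """Hypothetical stand-in for the token; models counters only, no crypto."""
    def __init__(self) -> None:
        self.session, self.use = 0, 0

    def plug_in(self) -> None:
        self.session += 1  # survives unplugging
        self.use = 0       # lost on unplugging

    def press(self) -> Otp:
        otp = Otp(self.session, self.use)
        self.use += 1
        return otp


class ValidationServer:
    """Accepts an OTP only if its counter pair exceeds the highest pair seen for this key."""
    def __init__(self) -> None:
        self.high_water: Optional[Otp] = None

    def verify(self, otp: Otp) -> str:
        # Tuple ordering on (session, use): an exact reuse or any older OTP is rejected.
        if self.high_water is not None and otp <= self.high_water:
            return "REPLAYED_OTP"
        self.high_water = otp
        return "OK"


def coffee_break_scenario(owner_authenticates_on_return: bool) -> List[str]:
    """An attacker harvests three OTPs from an unattended key; returns the server's verdicts on them."""
    key, server = YubiKeyModel(), ValidationServer()
    key.plug_in()
    server.verify(key.press())                 # owner's normal login (session 1)
    key.plug_in()                              # attacker plugs the key into a netbook ...
    stolen = [key.press() for _ in range(3)]   # ... and harvests session 2, use 0..2
    key.plug_in()                              # owner takes the key back (session 3)
    if owner_authenticates_on_return:
        server.verify(key.press())             # akkornel's mitigation: validate one fresh OTP
    return [server.verify(o) for o in stolen]  # harvested OTPs tried later, in order


def reuse_is_rejected() -> Tuple[str, str]:
    """Even with no later OTP, the same OTP cannot be validated twice."""
    key, server = YubiKeyModel(), ValidationServer()
    key.plug_in()
    otp = key.press()
    return server.verify(otp), server.verify(otp)
```

Without the owner's fresh authentication the harvested OTPs are all accepted, which is the window olivierm worries about; one validated OTP afterwards moves the server's high-water mark past every harvested counter pair, and a REPLAYED_OTP seen for counters the owner never used is the kind of signal akkornel suggests warning on.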
