Yubico Forum

PostPosted: Tue Jan 13, 2009 4:22 pm 
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
I've got the question several times regarding the security of a static OTP Yubikey - what if someone finds my key and logs onto my service?

It is important to understand that the static OTP approach is a compromise and given that the code is static, it is susceptible to eavesdropping, phishing, keyloggers and such threats. However, as the code is long and awkward, it is "by that very nature" less susceptible to being "told over the phone", being written down or being remembered by someone.

The static OTP approach is designed with this security compromise in mind and the target applications are legacy- and off-line applications where dynamic codes won't work.

One simple way to add two-factor security is to prefix the OTP string with an ordinary password:

1. Assume a static OTP Yubikey yielding the string lhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj

2. Select a password, let's say "foobar"

3. In the "enter password" field, enter foobar and then emit the static OTP. The string is then foobarlhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj


A variant of this is when it is desired to use the key for more than one service and one doesn't want to reuse the same password on two sites:

1. Site A has password "foobar" - the password string becomes foobarlhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj

2. Site B has password "barfoo" - the password string becomes barfoolhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj


Although the Yubico validation server does not support it [yet], the same scheme can be used for dynamic OTPs as well. Simply prefix the password with your PIN and you have a pretty good two-factor setting.


One can of course add a bit of obfuscation by selecting a modhex-like password string :)


As a final and closing word - Please understand the strengths and limitations of the static scheme before using it. It is a compromise and in several cases a good one.


Regards,

Jakob E
Hardware- and firmware guy @ Yubico


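As an added example (not Yubico's code and not part of the post above), here is how a service could check the combined "password + static OTP" value the post describes on the server side. It splits off the trailing 44-character modhex string that the key emits, verifies each factor against its own salted hash with a constant-time comparison, and records internally which factor failed, because a correct key paired with a wrong prefix is exactly the lost-key situation the post opens with. The sample OTP is the one from the post; the PBKDF2 work factor, the record layout and the reason strings are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example, not Yubico's code: server-side check of "password + static OTP".
MODHEX_ALPHABET = set("cbdefghijklnrtuv")  # the 16 characters a YubiKey emits
STATIC_OTP_LEN = 44                         # length of the static string in the post
KDF_ITERATIONS = 100_000                    # assumed PBKDF2 work factor; raise in production

# Sample static OTP taken from the post above (constructed test data, not a live credential)
SAMPLE_OTP = "lhrkgbdufthbhrgulhvlbfuicjgunjbrtntcbeivrkkj"


def split_credential(submitted: str):
    """Split the single password-field value into (password, static_otp).

    The YubiKey output is always the trailing 44 modhex characters, so
    whatever precedes it is the user-chosen prefix. Returns None when the
    value is too short or the tail is not modhex.
    """
    if len(submitted) <= STATIC_OTP_LEN:
        return None
    password, otp = submitted[:-STATIC_OTP_LEN], submitted[-STATIC_OTP_LEN:]
    if not set(otp) <= MODHEX_ALPHABET:
        return None
    return password, otp


def _derive(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a memory-hard KDF would be the better production choice
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


def enroll(password: str, static_otp: str) -> dict:
    """Store the two factors under separate salts (assumed record layout).

    Keeping them apart lets the server tell internally which factor failed,
    which is what you want when a found key is being tried with guessed
    prefixes. That distinction must never be returned to the client.
    """
    salt_pw, salt_otp = os.urandom(16), os.urandom(16)
    return {
        "salt_pw": salt_pw,
        "pw_hash": _derive(password, salt_pw),
        "salt_otp": salt_otp,
        "otp_hash": _derive(static_otp, salt_otp),
    }


def verify(submitted: str, record: dict):
    """Return (accepted, reason). 'reason' is for server-side logging only."""
    parts = split_credential(submitted)
    if parts is None:
        return False, "format"
    password, otp = parts
    # Always compute both comparisons so a wrong prefix does not come back
    # measurably faster than a wrong key.
    pw_ok = hmac.compare_digest(_derive(password, record["salt_pw"]), record["pw_hash"])
    otp_ok = hmac.compare_digest(_derive(otp, record["salt_otp"]), record["otp_hash"])
    if pw_ok and otp_ok:
        return True, "ok"
    if otp_ok:
        return False, "password"  # right key, wrong prefix: worth alerting on
    if pw_ok:
        return False, "otp"
    return False, "both"


if __name__ == "__main__":
    site_a = enroll("foobar", SAMPLE_OTP)   # site A from the post
    site_b = enroll("barfoo", SAMPLE_OTP)   # site B, same key, different prefix
    print(verify("foobar" + SAMPLE_OTP, site_a))  # (True, 'ok')
    print(verify("barfoo" + SAMPLE_OTP, site_a))  # (False, 'password')
    print(verify("foobar" + SAMPLE_OTP, site_b))  # (False, 'password')
```

The site A / site B records show why the post's per-site prefix matters: the same key enrolled under two prefixes yields two records that reject each other's credential, so a value captured from one site is not directly replayable on the other. The "password" reason is the one to feed into monitoring, since it means someone is presenting the correct key output without the prefix.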