Yubico Forum


All times are UTC + 1 hour




 Post subject: Backing Up Yubikey OTP?
Posted: Wed Jun 17, 2015 2:34 am

Joined: Wed Jun 17, 2015 2:25 am
Posts: 2
Hey,

I've been poking around looking for how to back up the Yubikey. Most of what I've read stated that you basically cannot back up the OTP portion of it. Seeing as I have a paranoia of setting strong security then breaking or losing the device, I'm looking for a way to accomplish this. I similarly would like a means that does not involve having multiple Yubikeys, as presumably an incident or defect could cause multiple of them to go bad at the same time.

My question is this: In the personalization tool, could I not initially generate my own Secret Key value, write it down and save that value in a safe? This way, if I have an issue with my Yubikey, I could get a new one, retrieve the secret key from my safe, and re-enter the same information into the new key? That way, I now have two mediums upon which this security information is based and it is less likely that both will have difficulties at the same time.



Posted: Mon Jun 22, 2015 10:18 am

Joined: Thu Apr 24, 2014 2:40 pm
Posts: 31
Location: The Hague, Netherlands
Well - actually you can generate your own key with the Yubikey personalization tool and upload it to the Yubico servers; of course you can back up the generated secrets & identities.
However, there is one caveat: the Yubikey also implements 2 counters in the OTP (insertion & timer counter) in order to foil replay attacks.
And these counters (to the best of my knowledge) cannot be set in said personalization tool nor on the Yubico servers.
As a consequence, if you implement the backup on another key in case the old one is unusable, the counters are reset to zero again, so the new OTPs start over again and will not be accepted by the server due to the anti-replay check (i.e. the old counters are used again).
This is not so much of an issue if you hardly use the Yubikey, as you just need to keep on generating OTPs until the old counters are overtaken; however, in reality you will use the key quite often and therefore you may need to generate hundreds if not thousands of times in order to overtake the old counters, which may not be very useful.
In short, it is possible to back up newly generated secrets & identities for your Yubico OTP, but I fear it may prove not to be very useful (I have tried this myself).
If you want a backup in case your Yubikey malfunctions, it would IMHO be much better to use (and perhaps generate a new key) and add it to your service - when the old key is dysfunctional you would then have a fresh key you can then use.

Hope this advice provides a useful explanation for you...

Kind regards, Erik...
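
The counter behaviour described in the reply above, as an added example that is not part of the original posts and not Yubico's code. It models only the anti-replay counters, not the OTP encryption; the class names, the counter pair layout and the sample identity are assumptions made for illustration.

```python
# Simplified model of a counter-based anti-replay check (added example).
# Assumption: per key identity, the server remembers the highest
# (insertion_counter, session_counter) pair it has accepted so far.
from dataclasses import dataclass, field


@dataclass
class ValidationServer:
    last_seen: dict = field(default_factory=dict)  # identity -> (insertion, session)

    def validate(self, identity, insertion, session):
        """Accept an OTP only if its counters are strictly newer than the last accepted pair."""
        previous = self.last_seen.get(identity)
        if previous is not None and (insertion, session) <= previous:
            return False  # replayed or stale counters
        self.last_seen[identity] = (insertion, session)
        return True


@dataclass
class Token:
    identity: str
    insertion: int = 0
    session: int = 0

    def plug_in(self):
        """Each power-up increments the insertion counter and resets the session counter."""
        self.insertion += 1
        self.session = 0

    def press(self):
        """Emit the current counters, then increment the session counter."""
        otp = (self.identity, self.insertion, self.session)
        self.session += 1
        return otp


def insertions_until_accepted(server, token, limit=100_000):
    """Count plug-in/press cycles needed before the server accepts the token."""
    for attempt in range(1, limit + 1):
        token.plug_in()
        if server.validate(*token.press()):
            return attempt
    return None


def demo(old_insertions=300):
    server = ValidationServer()
    original = Token("constructed-id")      # constructed sample identity
    for _ in range(old_insertions):         # normal use of the original key
        original.plug_in()
        server.validate(*original.press())
    replacement = Token("constructed-id")   # same identity, counters back at zero
    return insertions_until_accepted(server, replacement)
```

With 300 prior insertions on the original key, the replacement is rejected 300 times and accepted on the 301st cycle, which is why registering a second, independent key with the service avoids the problem.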