Yubico Forum


All times are UTC + 1 hour




Posted: Mon Apr 01, 2013 4:48 am

Joined: Sun Mar 24, 2013 11:07 am
Posts: 12
I just programmed my YubiKey VIP using the YubiTOTP tool in Slot 2. Prior to running the YubiTOTP utility, I cleared slot 2. It was previously configured with a YubiOTP key and protected with a configuration access code. I am pretty sure I cleared the access code (reset to all zeros) prior to running the YubiTOTP utility, but I am not sure.

The YubiKey works great with the YubiTOTP scheme; however, I wanted to ensure the slot configuration was protected. Using the personalization tool, I attempted to protect Slot 2 with an access code. Unfortunately, the YubiKey will accept neither my "old" access code, nor an all zeros access code. I am left to surmise that the YubiTOTP utility protected the slot with an access code that is not shown to the user.

1) What is the slot configuration protection status of a YubiKey configured by the YubiTOTP utility?

2) If there was an access code implemented, what is it or how do I find out what it is?

3) If the slot was protected by the YubiTOTP utility and I don't know the access code, will I be able to re-configure that slot in the future?

In an unrelated sidebar question, I would like to satisfy some newb curiosity:

4) Why do some TOTP implementations require an "assist" from the YubiTOTP utility, but the Symantec VIP service does not? From what I can tell it also generates timed OTPs via mobile apps, but the YubiKey VIP works fine with having a clock.



Posted: Tue Apr 02, 2013 9:50 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello DarkWinter,
I have bad news for you :(

DarkWinter wrote:
1) What is the slot configuration protection status of a YubiKey configured by the YubiTOTP utility?


There is no such thing. The YubiTOTP app does not configure any protection access code. See screenshot below.

DarkWinter wrote:
2) If there was an access code implemented, what is it or how do I find out what it is?


No code

DarkWinter wrote:
3) If the slot was protected by the YubiTOTP utility and I don't know the access code, will I be able to re-configure that slot in the future?


A Yubikey that was protected with an access code cannot be reconfigured without the right code. There is no way around that unfortunately.

DarkWinter wrote:
In an unrelated sidebar question, I would like to satisfy some newb curiosity:

4) Why do some TOTP implementations require an "assist" from the YubiTOTP utility, but the Symantec VIP service does not? From what I can tell it also generates timed OTPs via mobile apps, but the YubiKey VIP works fine with having a clock.


There are different algorithms that can be used for authentication. The one used by the VIP does not use a time variant like TOTP does. That is why you do not need an extra app. Since there is no battery in the Yubikey, time is provided by the OS in the TOTP version.

Hope this helps.


Attachments:
ForumTOTP.png [ 12.3 KiB | Viewed 4126 times ]

_________________
-Tom
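
Added example, not part of the original thread and not Yubico's code: a sketch of why a time-based code needs a host-side helper when the token has no clock, next to a counter-based code that needs none. It assumes the key only computes HMAC-SHA1 over a challenge the host sends; the counter-based function (HOTP, RFC 4226) merely stands in for "an algorithm with no time variant" and is not a statement about which algorithm the VIP credential uses. `SECRET` is the RFC sample key, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed test secret (the RFC 4226 / RFC 6238 sample key), not a real credential.
SECRET = b"12345678901234567890"


def token_hmac(challenge: bytes, secret: bytes = SECRET) -> bytes:
    """Stand-in for the key: it holds the secret and HMAC-SHA1s whatever it is sent.
    It has no clock, so it cannot know the current time on its own."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of a 20-byte HMAC-SHA1 result."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_via_host(unix_time: int, step: int = 30) -> str:
    """Time-based: the host reads its own clock and sends the step number to the key."""
    challenge = struct.pack(">Q", unix_time // step)
    return truncate(token_hmac(challenge))


def hotp(counter: int) -> str:
    """Counter-based: the moving factor is a stored counter, so no clock is involved."""
    return truncate(token_hmac(struct.pack(">Q", counter)))


if __name__ == "__main__":
    import time
    print("TOTP now      :", totp_via_host(int(time.time())))
    print("TOTP at t=59  :", totp_via_host(59))
    print("HOTP counter 1:", hotp(1))
```

The two schemes share the same HMAC and truncation; they differ only in where the moving factor comes from, which is why only the time-based one depends on the host's clock.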
Posted: Wed Apr 03, 2013 7:34 am

Joined: Sun Mar 24, 2013 11:07 am
Posts: 12
Tom, thanks for the response. I did some more tinkering and here's what I discovered.

Methodically, I attempted to unprotect and protect slot 2 using the Personalization Tool. I did this using my original access code and all zeros. Each time I received an error. I figured this meant I would be unable to delete the configuration in slot 2 due to not having the correct access code.

I attempted to delete the configuration in slot 2 and was successful, despite not providing any access code. Odd?

I programmed slot 2 with a quick static password, just to test things out. I was able to successfully apply an access code to slot 2. So I have complete control over my YubiKey, which is nice.

I removed the access code and re-programmed slot 2 using the YubiTOTP utility. Again, I am not able to implement an access code.

The conclusion is that the YubiTOTP utility renders that particular slot unable to use a slot configuration access code. Is this a bug or how it was designed?


Posted: Thu Apr 04, 2013 8:51 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello,

I have double checked just to be sure.


I configured slot 2 with a password and an access code.

I tried to configure slot 2 from the TOTP app. (error: already configured)

I deleted configuration in slot 2 providing my access code (thus the code and the configuration are now removed)

I configured slot 2 with TOTP app. ( success )

I reconfigured slot 2 with a password and set a new access code. (works)


This is the expected behavior. As I said earlier, the TOTP app does not configure any access code.

-Tom.

_________________
-Tom

