Yubico Forum

Not clear on the Yubico OTP API

Author:  techwg [ Tue Sep 26, 2017 12:38 pm ]
Post subject:  Not clear on the Yubico OTP API

I would like to add some basic Yubico OTP checking capability to an AutoIt program I would make, so that the program would only function if my YubiKey is authenticated as being present. It is a scripting language that allows me to make programs without having to learn complicated programming languages.

I was experimenting with this long ago but I am clueless as to what was needed. I recall seeing some old code of mine with a hard-coded user ID of my old OTP key. I have no idea how I would get whatever my new cc built-in OTP ID is or how to verify that a "successful" OTP is from my particular YubiKey and not any old YubiKey that works and was registered on the Yubico cloud.

Can someone please give me a quick Reader's Digest of how I need to construct a GET request to take input from the user, send it to the Yubico API and get and interpret the response?


Author:  techwg [ Tue Sep 26, 2017 8:16 pm ]
Post subject:  Re: Not clear on the Yubico OTP API

OK, I have a working new program. I am verifying that the returned OTP is the same as submitted. After a while of figuring out how to discern my YubiKey from any old successful "OK" result by checking the first 12 characters, I have gotten it to validate me. Once the returned OTP is correct, the nonce is the same as submitted and the result is OK etc., then it validates me as successful.

What can protect from someone setting up a localhost web server and just sending out a preset good-looking result which has all the "right" bogus OTP, nonce? Is there some simple hashing-based thing I can do to check? I am not sure about the hashing. There is some basic hashing capability in AutoIt but I do not know the protocol of what gets hashed and with what algorithm. Is it a concatenation between multiple pieces of data being hashed? Then in that case, which goes first, etc.? I think that hash that is returned has got something to do with that API key I received, that is my theory. But I do not know how to make use of it.
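
The response check asked about above, as an added example in Python rather than AutoIt (not part of the original post and not Yubico's code): in the Yubico validation protocol 2.0, the returned `h` value is a base64-encoded HMAC-SHA1, keyed with the base64-decoded API key, over the other response fields written as `key=value`, sorted by key and joined with `&`. The API key, OTP, nonce and response below are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials or a real OTP.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
PUBLIC_ID = "ccccccbcgujh"  # first 12 characters of the OTP identify the key
OTP = PUBLIC_ID + "thdelvhblfifuunhtkblhkvcrgbnjltb"
NONCE = "aef3a7835277a28da831005c2ae3b919"

def parse_response(body):
    """Parse the server's line-based key=value body into a dict."""
    params = {}
    for line in body.splitlines():
        if line.strip():
            key, _, value = line.strip().partition("=")  # base64 values may end in '='
            params[key] = value
    return params

def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over key=value pairs sorted by key, joined by '&', without h."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), message.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(body, api_key_b64, sent_otp, sent_nonce, my_public_id):
    """Return "OK" only if the response is signed, matches the request and is our key."""
    p = parse_response(body)
    expected = sign(p, api_key_b64).encode()
    if not hmac.compare_digest(p.get("h", "").encode(), expected):
        return "BAD_SIGNATURE"  # a preset reply from a fake server fails here
    if p.get("otp") != sent_otp or p.get("nonce") != sent_nonce:
        return "MISMATCH"  # signed, but not an answer to this request
    if p.get("status") != "OK":
        return p.get("status", "NO_STATUS")
    if not sent_otp.startswith(my_public_id):
        return "WRONG_KEY"  # valid OTP from some other YubiKey
    return "OK"

def constructed_response(api_key_b64, otp, nonce, status="OK"):
    """Stand-in for the server: build a signed sample response (constructed data)."""
    p = {"otp": otp, "nonce": nonce, "status": status, "t": "2017-09-26T19:16:00Z0123"}
    return "\r\n".join(f"{k}={v}" for k, v in {"h": sign(p, api_key_b64), **p}.items())

if __name__ == "__main__":
    print(verify(constructed_response(API_KEY, OTP, NONCE), API_KEY, OTP, NONCE, PUBLIC_ID))
    forged = constructed_response(base64.b64encode(b"not-the-real-key").decode(), OTP, NONCE)
    print(verify(forged, API_KEY, OTP, NONCE, PUBLIC_ID))
```

The signature check is only as strong as the secrecy of the API key: anyone who can read the key out of the program can produce a response that passes it.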

All times are UTC + 1 hour