Yubico Forum https://forum.yubico.com/ |
What if an unauthorized person takes my YubiKey... https://forum.yubico.com/viewtopic.php?f=4&t=41 |
Author: | hrag [ Wed May 14, 2008 7:31 pm ] |
Post subject: | What if an unauthorized person takes my YubiKey... |
Q: What if an unauthorized person takes my YubiKey when I'm not looking and uses it then returns it? Does this mean that they have access until I log in again? How do I prevent something like that?

A: The first countermeasure is to use a two-factor approach, i.e. combining the token with a PIN or a password. If there is a store-replay concern as you mention above, a good countermeasure is to ask for the user to supply an OTP more than one time during a session. The token has a second timer and the validating application can use this counter to calculate the delta between two OTPs during one session.

Consider a service where the user uses the token to log in. After a "make a payment" request, the server asks for a second confirmation OTP. The server will then measure the token's reported delta vs. the expected. If they match, the transaction is committed. |
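The delta check described in the answer above, sketched as an added example that is not part of the original post and not Yubico's code. It assumes the OTPs are already decrypted and validated, and that each carries a power-up counter, a per-session use counter and a 24-bit timer ticking at a nominal 8 Hz; the field names, tolerance values and sample OTPs are constructed for illustration.

```python
from dataclasses import dataclass

TIMER_HZ = 8.0            # assumption: nominal tick rate of the token timer
TIMER_MODULUS = 1 << 24   # assumption: 24-bit timer field that wraps around
REL_TOLERANCE = 0.10      # assumption: allowed relative clock drift
SLACK_SECONDS = 2.0       # assumption: fixed allowance for typing and network delay


@dataclass(frozen=True)
class DecodedOtp:
    """Fields of an already decrypted and validated OTP (hypothetical names)."""
    powerup_counter: int  # changes whenever the token is plugged in again
    use_counter: int      # increases with every OTP inside one power-up session
    timer: int            # token's free-running timer when the OTP was generated
    received_at: float    # server clock, in seconds, when the OTP arrived


def check_confirmation(login: DecodedOtp, confirm: DecodedOtp):
    """Compare the token-reported delta with the delta the server measured.

    Returns (ok, reason). The transaction is committed only when ok is True.
    """
    if confirm.powerup_counter != login.powerup_counter:
        # The timer restarts on power-up, so the two values are not comparable.
        return False, "token was re-plugged between login and confirmation"
    if confirm.use_counter <= login.use_counter:
        return False, "confirmation OTP is not newer than the login OTP"

    # Modular subtraction keeps the delta correct across a timer wrap-around.
    ticks = (confirm.timer - login.timer) % TIMER_MODULUS
    token_delta = ticks / TIMER_HZ
    server_delta = confirm.received_at - login.received_at

    allowed = SLACK_SECONDS + REL_TOLERANCE * server_delta
    if abs(token_delta - server_delta) > allowed:
        return False, (f"token reports {token_delta:.1f}s, "
                       f"server measured {server_delta:.1f}s")
    return True, "deltas match"


# Constructed sample: login OTP, then a confirmation typed about 60 s later.
LOGIN = DecodedOtp(powerup_counter=7, use_counter=0, timer=1000, received_at=0.0)
LIVE = DecodedOtp(powerup_counter=7, use_counter=1, timer=1480, received_at=60.5)
# Constructed sample: an OTP generated 2 s after the login OTP, presented 300 s later.
STORED = DecodedOtp(powerup_counter=7, use_counter=1, timer=1016, received_at=300.0)
```
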
All times are UTC + 1 hour |