Yubico Forum
https://forum.yubico.com/

What if an unauthorized person takes my YubiKey...
https://forum.yubico.com/viewtopic.php?f=4&t=41
Page 1 of 1

Author:  hrag [ Wed May 14, 2008 7:31 pm ]
Post subject:  What if an unauthorized person takes my YubiKey...

Q: What if an unauthorized person takes my YubiKey when I'm not looking and uses it then returns it? Does this mean that they have access until I log in again? How do I prevent something like that?

A: The first countermeasure is to use a two-factor approach, i.e. combining the token with a PIN or a password.

If there is a store-replay concern as you mention above, a good countermeasure is to ask the user to supply an OTP more than one time during a session. The token has a second timer and the validating application can use this counter to calculate the delta between two OTPs during one session. Consider a service where the user uses the token to log in. After a "make a payment" request, the server asks for a second confirmation OTP. The server will then measure the token's reported delta vs. the expected. If they match, the transaction is committed.
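The "second confirmation OTP" check described in the answer above, written out as an added example; this is not code from the original post and not Yubico's own validation code. It works on the 16-byte ticket that a Yubico OTP decrypts to (the field layout follows libyubikey's ticket structure); decrypting the OTP with the key's AES secret is the validation server's job and is assumed to have happened already. The `build_ticket` helper, the sample counter and timestamp values, the 5-second tolerance and the helper names are all constructed for this example.

```python
"""
Server-side "second OTP" check for a Yubico OTP session (added example).

A Yubico OTP decrypts (AES-128 with the key's secret) to a 16-byte ticket:

    uid      6 bytes  private identity
    useCtr   u16 LE   incremented once per power-up session (top bit is a flag)
    tstpl    u16 LE   low 16 bits of a 24-bit, nominally 8 Hz timestamp
    tstph    u8       high 8 bits of that timestamp
    sessCtr  u8       incremented for every OTP inside one power-up session
    rnd      u16 LE   random filler
    crc      u16 LE   CRC-16 over the first 14 bytes (stored complemented)

Decryption is assumed to have been done already; everything here works on
the decrypted ticket.
"""
import struct

TICKET = struct.Struct("<6sHHBBHH")  # 16 bytes, little-endian
TIMER_HZ = 8.0                       # nominal rate of the token's timestamp
TIMER_MODULUS = 1 << 24              # 24-bit timer, wraps after ~24 days
CRC_OK_RESIDUE = 0xF0B8              # crc16 over an intact ticket incl. its CRC field
USE_CTR_MASK = 0x7FFF                # top bit of useCtr is a flag, not part of the count


def crc16(data: bytes) -> int:
    """CRC-16 as used by the Yubico OTP (reflected poly 0x8408, init 0xFFFF, no final XOR)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_ticket(uid: bytes, use_ctr: int, timestamp: int, sess_ctr: int, rnd: int = 0) -> bytes:
    """Construct a valid plaintext ticket. Test helper only; a real key does this in hardware."""
    timestamp &= TIMER_MODULUS - 1
    body = struct.pack("<6sHHBBH", uid, use_ctr, timestamp & 0xFFFF, timestamp >> 16, sess_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_ticket(ticket: bytes) -> dict:
    """Verify the CRC and unpack the fields a validator cares about."""
    if len(ticket) != TICKET.size or crc16(ticket) != CRC_OK_RESIDUE:
        raise ValueError("ticket CRC check failed")
    uid, use_ctr, tstpl, tstph, sess_ctr, _rnd, _crc = TICKET.unpack(ticket)
    return {
        "uid": uid,
        "use_ctr": use_ctr & USE_CTR_MASK,
        "timestamp": (tstph << 16) | tstpl,
        "sess_ctr": sess_ctr,
    }


def check_confirmation(login: dict, confirm: dict, server_elapsed_s: float,
                       tolerance_s: float = 5.0) -> tuple:
    """Return (ok, reason) for a confirmation OTP received server_elapsed_s after the login OTP.

    tolerance_s absorbs the nominal (not exact) 8 Hz clock and request latency;
    the default is an assumption to be tuned per deployment.
    """
    if confirm["uid"] != login["uid"]:
        return False, "confirmation OTP comes from a different key"
    if confirm["use_ctr"] != login["use_ctr"]:
        # The key was re-powered: its timestamp restarted, so no delta can be computed.
        # Ask the user to log in again rather than guessing.
        return False, "key was re-powered since login; timestamp delta not comparable"
    if confirm["sess_ctr"] <= login["sess_ctr"]:
        return False, "confirmation OTP is not newer than the login OTP (replay)"
    # Modular subtraction handles the 24-bit timer wrapping during the session.
    ticks = (confirm["timestamp"] - login["timestamp"]) % TIMER_MODULUS
    token_elapsed_s = ticks / TIMER_HZ
    if abs(token_elapsed_s - server_elapsed_s) > tolerance_s:
        return False, (f"token reports {token_elapsed_s:.1f}s between OTPs, "
                       f"server measured {server_elapsed_s:.1f}s (stored OTP?)")
    return True, "ok"


# Constructed scenario (no real key data): the user logs in, then 90 s later
# confirms a payment with a fresh OTP from the same power-up session.
UID = b"\x01\x02\x03\x04\x05\x06"
LOGIN = parse_ticket(build_ticket(UID, use_ctr=42, timestamp=100_000, sess_ctr=3, rnd=0x1234))
FRESH = parse_ticket(build_ticket(UID, use_ctr=42, timestamp=100_000 + 8 * 90, sess_ctr=4, rnd=0x5678))
# Someone who borrowed the key pressed it twice 2 s apart and stored both OTPs,
# then replays the second one as the "confirmation" ten minutes after the first.
STORED = parse_ticket(build_ticket(UID, use_ctr=42, timestamp=100_000 + 8 * 2, sess_ctr=4, rnd=0x9ABC))

if __name__ == "__main__":
    print(check_confirmation(LOGIN, FRESH, server_elapsed_s=90.0))    # (True, 'ok')
    print(check_confirmation(LOGIN, STORED, server_elapsed_s=600.0))  # (False, '... (stored OTP?)')
```

The check only catches stored OTPs that are replayed at a different cadence than they were generated; two stored OTPs replayed exactly as far apart as they were pressed still pass, which is why the answer's first countermeasure, a PIN or password as a second factor, stays necessary.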

All times are UTC + 1 hour