
This looks interesting, but I don't totally understand how it works. How is the key changed every time on the server? It looks like it requires server side support.


I have a few of their basic model keys. They have implemented OATH-HOTP as well as their own OTP scheme and HMAC-SHA1 challenge-response. You can also embed a static password. The keys have two slots and both of them can be used for any of the supported schemes.

They have some fancier keys that support a 'universal 2 factor' standard which I think they may have had a hand in creating.

I've used mine in OATH-HOTP and HMAC-SHA1 along with KeePass to do two-factor on my password db. You do need a server-side or peer component to initially sync with to do OTP or challenge-response.


The new U2F protocol removes the need to have a central authentication server - the authentication process is just between the U2F device and the authenticating service. For more details, you can see: https://developers.yubico.com/U2F/


iirc they implement https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_A... (or a variant of it)

Each side has a seed value which then allows the calculation of what the current value should be.


The YubiKey does support the OATH-event based OTPs as described above, but the Yubico OTP takes advantage of the fact users do not need to type in anything to make the OTPs longer and more secure.

Each Yubico OTP has a plain text public ID as the first 12 characters of the OTP. This is used to identify the YubiKey which generated the OTP without having to perform any OTP processing. The remaining 32 characters of the OTP are an AES-128 bit encrypted hash. This hash is made of the Private ID, a string known only to the YubiKey and Authentication server, to further validate the OTP.

In addition to the Private ID, the OTP also contains counters tracking how many times the YubiKey has been power cycled (usage) and how many OTP events it has performed since its last power on (session). These counter values are stored in the authentication server and checked for each OTP. If the usage counter is less than the value on the server, or if the session counter is less than or equal to the value on the server, the OTP is rejected as a replay attack.

This means the YubiKey OTP will not get out of sync with the validation server, as well as adding additional randomness to the OTPs generated.
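A sketch of the server-side handling described in the comment above, as an added example that is not part of the thread and not Yubico's code: it splits a 44-character OTP into the 12-character public ID and the 16-byte encrypted block, then applies the counter-based replay check. Assumptions: `split_otp`, `ReplayGuard` and the sample OTP are hypothetical and constructed here, the AES-128 decryption and Private ID check have already produced the two counters, and the counters are compared as an ordered (usage, session) pair because the session counter restarts after a power cycle.

```python
# Added example (hypothetical names, constructed sample data).
# Modhex is the 16-letter alphabet YubiKeys type; letter i stands for hex digit i.
MODHEX = "cbdefghijklnrtuv"


def split_otp(otp):
    """Return (public_id, encrypted_block) for a 44-character modhex OTP."""
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex OTP")
    public_id, body = otp[:12], otp[12:]
    # 32 modhex characters decode to the 16-byte AES-128 block.
    hex_body = "".join("%x" % MODHEX.index(c) for c in body)
    return public_id, bytes.fromhex(hex_body)


class ReplayGuard:
    """Remembers the last accepted (usage, session) pair per public ID."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, public_id, usage, session):
        """Accept only counters strictly newer than the stored pair."""
        current = (usage, session)
        previous = self.last_seen.get(public_id)
        # Assumption: tuple ordering, so a higher usage counter is accepted
        # even though the session counter has restarted from a low value.
        if previous is not None and current <= previous:
            return False  # replayed or stale OTP
        self.last_seen[public_id] = current
        return True


# Constructed sample: 12-character public ID followed by 32 modhex characters.
SAMPLE_OTP = "cccccccccccb" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    pid, block = split_otp(SAMPLE_OTP)
    guard = ReplayGuard()
    # Counter values below stand in for the decrypted fields (constructed).
    for usage, session in [(5, 0), (5, 0), (5, 1), (4, 9), (6, 0)]:
        print(pid, usage, session, guard.accept(pid, usage, session))
```

The stored pair is only advanced on acceptance, so a rejected OTP never moves the server's view of the key forward.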


The client and the server have a shared secret that lets them generate a keystream based on the time.


I don't think the Yubikey is able to generate TOTPs, unless all it is doing is passing the secret to the computer which is then generating them.


Yubikey supports TOTP with OS driver help. Presumably the driver passes the time to the Yubikey to actually generate the TOTP.

https://www.yubico.com/products/yubikey-hardware/



