![]() “ For TOTP you need an application that can read OATH codes from YubiKeys, since YubiKeys does not have an internal clock”Ī requirement for this is a special app, Yubico Authenticator, that fills the gap: the app sends the timestamp information from the system it is installed on to the Yubikey, and reads back the OTP generated by its chip. However, it is still possible to use Yubikey as a TOTP token, but not as a standalone device. Yubikey devices are passive and have no RTC chip nor a battery to power any system clock. Different from HOTP, where the counter is simply stored on the device itself and the generated OTP is simply sent via HID USB interface to the main system, TOTP requires the current time as its counter. You can configure your YubiKey so that you can use two-factor authentication to sign in to any account that requires authenticator codes, i.e. I take Yubikey only as an example, but the same “vulnerability” applies to many other FIDO2 devices that have the possibility of using them as TOTP devices. >5 hours)Īs you can see, the preconditio ns are quite hard to meet, but if the media presents this as a serious vulnerability, this makes me think of a different attack type which does not use any vulnerabilities, exists for many years, can be easily exploited with the same preconditions and is very easy to perform.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |