4. OATH

4.1. Feature summary

The OATH application allows for managing two types of OTP over the CCID interface:

  • HMAC-Based One Time Password (HOTP)
  • Time-Based One Time Password (TOTP)

A maximum of 32 credentials [1] can be stored within the YubiKey’s OATH application. The software tool Yubico Authenticator may be used to configure and use this application.

A password may also be set to protect the OATH credentials. If this is configured, the password is required to unlock the application, which can then be used to generate any number of OTPs for the remainder of the session (i.e. until the application is deselected).

During the enrollment of credentials, it is also possible to configure whether touching the sensor of the YubiKey 5 is required for each OTP generation.

4.2. CSPN Approved mode

The OATH-HOTP/TOTP protocol is used as a second factor in the authentication process. To operate the YubiKey 5 in CSPN approved mode, the user must first be identified by a first-factor authentication scheme (e.g. username/password). The details of such a first-factor scheme are, however, beyond the scope of this document.

When the OATH-HOTP/TOTP application is enabled on the YubiKey 5, a password can also be set to protect the OATH credentials. More details for such a configuration are described in the section below.

4.3. Technical configuration

In order to protect the OATH-HOTP/TOTP credentials with a password, the Yubico Authenticator should be installed and used for the configuration.

In order to set the password, launch the Yubico Authenticator application, select File from the menu and finally the option Set Password. In the dialog box that appears, enter a new password and confirm it. This configuration will protect all OATH-HOTP/TOTP credentials with the same nominated password.


Figure 10 - Example of protecting the OATH-HOTP/TOTP credentials with a password

When Yubico Authenticator is used for generating an OATH one-time password, the user must enter the password each time in order to unlock the credentials.


Figure 11 - Example of unlocking the OATH-HOTP/TOTP credentials

Footnotes

[1] A credential is a configuration of the OTP linked to a unique key.
