3. One time password - OTP

The YubiKey 5 Series OTP application supports four protocols:

The configuration required to achieve CSPN-approved mode is described in the sections below.

3.1 Yubico OTP

3.1.1. Feature summary

The Yubico OTP scheme is a proprietary algorithm based on symmetric AES encryption. To generate a Yubico OTP, the following parameters must be set:

  • Public ID (1-16 bytes modhex)
  • Private ID (6 bytes hexadecimal)
  • Secret Key (16 bytes)

The Public ID generally represents the serial number of the YubiKey, but may be set to a different value. The Private ID is an optional secret field that may be included as an input parameter to the OTP generation algorithm. By default, when this parameter is not configured, its value is set to zero. The Secret Key is an AES-128 key which must be shared between the YubiKey 5 and the verification server by the user, during the configuration of the protocol’s credentials.

The touch sensor is always used when generating a Yubico OTP, and is considered part of the standard operating procedure.

For more information about Yubico OTP, see Yubico’s website.

3.1.2. CSPN Approved mode

To operate the YubiKey 5 application Yubico OTP in a CSPN approved mode, the user must first be identified by a first factor authentication scheme (e.g. username/password). The details for such an authentication scheme go beyond the scope of this document however.

Once a Yubico OTP application has been configured, an access code must be set in order to protect the key material and configuration. More details for such a configuration are described in the section below.

3.1.3. Technical configuration

In order to protect the Yubico OTP credentials, the command line YubiKey Manager (YKMan) may be used.

The command ykman otp yubiotp should be used with the option --access-code for protecting the credentials. The --access-code parameter should be set to a six byte long hex value.

An example command line interaction for creating protected Yubico OTP credentials with YKMan is depicted in the screenshot below.

_images/2.png

Figure 2 - Example of configuring protected Yubico OTP credentials

A code is now required for any operations that require access to the Yubico OTP credentials:

  • Delete credentials: ykman otp --access-code <value> delete [1|2]
  • Change the settings: ykman otp --access-code <value> settings [OPTIONS] [1|2]

For instance, it is not possible to now delete the Yubico OTP credentials without providing the correct access code. The screenshot below is another example of how to use the YkMan command line for deleting protected Yubico OTP credentials. The first attempt fails because no --access-code is provided, but the second attempt succeeds when the flag --access-code is set.

_images/ex-del-prot-yotp-creds.png

Figure 3 - Example of deleting protected Yubico OTP credentials

3.2 Challenge-Response

3.2.1. Feature summary

The Challenge-Response protocol is based on the HMAC-SHA-1 algorithm. The relying party sends a challenge to the YubiKey 5, and the device then responds with a hash of that challenge. The secret key used in the HMAC-SHA-1 is pre-loaded by the user onto the YubiKey 5 during configuration. It is also possible to configure whether touching the sensor of the YubiKey 5 is required for each Challenge-Response request. The Challenge-Response protocol is used as a second factor in the authentication process.

For more information on the challenge-response YubiKey application, see Yubico’s website.

3.2.2. CSPN Approved mode

To operate the YubiKey 5 in a CSPN approved mode, the user must first be identified by a first factor authentication scheme (e.g. username/password). The details for such an authentication scheme go beyond the scope of this document however.

Furthermore, the usage of the YubiKey 5 touch sensor must be set to required when configuring the Challenge-Response application. Finally, when the Challenge-Response application is enabled on the YubiKey 5, an access code must be set in order to protect both the secret key and configuration. More details for such a configuration is described in the section below.

3.2.3. Technical configuration

In order to protect the Challenge-Response credentials and enforce the touch sensor, the command line YubiKey Manager (YKMan) may be used.

The command ykman otp chalresp should be used with the option --access-code for protecting the credentials and --touch for requesting proof of user presence. The --access-code parameter should be set to a six byte long hex value.

An example command line interaction for creating protected Challenge-Response credentials requiring touch with YKMan is depicted in the screenshot below.

_images/ex-conf-prot-ch-resp-creds.png

Figure 4 - Example of configuring protected Challenge-Response credentials with touch sensor

A code is now required for any operations that require access to the Challenge-Response credentials:

  • Delete credentials: ykman otp --access-code <value> delete [1|2]
  • Change the settings: ykman otp --access-code <value> settings [OPTIONS] [1|2]

For instance, it is not possible to now delete the Challenge-Response credentials without providing the access code. The screenshot below is an example of how to use the YKMan command for deleting protected Challenge-Response credentials. The first attempt fails because no --access-code is provided, but the second attempt succeeds when the flag --access-code is set.

_images/ex-del-prot-ch-resp-creds.png

Figure 5 - Example of deleting protected Challenge-Response credentials

3.3. Static password

3.3.1. Feature summary

The static password application allows for the storage of a complete or partial static password. The password will be replayed in the clear once the user touches the YubiKey 5 sensor. The static password is used as a second factor in the authentication process.

For more information on YubiKey application for static passwords, see Yubico’s website.

3.3.2. CSPN Approved mode

To operate the YubiKey 5 in a CSPN approved mode, the user must only store one portion of the password within the YubiKey 5 and keep the remaining portion of the password in a different, but also secure location. The user should then reconstruct the complete password by combining the portion from the YubiKey with the other portion stored elsewhere, and then authenticate in conjunction with their username. The overall details for such a password splitting scheme go beyond the scope of this document however, as only the portion of the password to be stored within the YubiKey 5 is described.

The touch sensor is always used when displaying a portion of a static password, and is considered part of the standard operating procedure.

When the static password application is configured, an access code must be set in order to protect both the static password and configuration. More details for such a configuration are described in the section below.

3.3.3. Technical configuration

In order to protect the static password, the command line YubiKey Manager (YkMan) may be used.

The command ykman otp static, should be used with the option --access-code for protecting the static password. The --access-code parameter should be set to a six byte long hex value.

An example command line interaction for creating a protected static password with YkMan is depicted in the screenshot below.

_images/ex-conf-prot-static-pword.png

Figure 6 - Example of configuring a protected static password

A code is now required for any operations that require access to the static password:

  • Delete static password: ykman otp --access-code <value> delete [1|2]
  • Change the settings: ykman otp --access-code <value> settings [OPTIONS] [1|2]

For instance, it is not possible to now change the static password settings without providing the access code.

The screenshot below is an example of how to use the YkMan command line for changing the settings of a protected static password. The first attempt fails because no --access-code is provided, but the second attempt succeeds when the flag --access-code is set.

_images/ex-changing-prot-stat-pword.png

Figure 7 - Example of changing a protected static password

3.4. OATH-HOTP

3.4.1. Feature summary

The OATH-HOTP protocol is implemented according to RFC 4226, i.e. “An HMAC-Based One-Time Password Algorithm”, [RD5]. The algorithm underpinning this application on the YubiKey 5 is HMAC-SHA-1. The user may choose the length of the OTP (either 6 or 8 digits) and the initial counter value. The OATH-HOTP protocol is used as a second factor in the authentication process.

The touch sensor is always used when generating the OATH-HOTP, and is considered part of the standard operating procedure.

For more information on the YubiKey application OATH-HOTP see Yubico’s website.

3.4.2. CSPN Approved mode

To operate the YubiKey 5 in a CSPN approved mode, the user must first be identified by a first factor authentication scheme (e.g. username/password). The details for such a first factor authentication scheme go beyond the scope of this document however.

When the OATH-HOTP application is enabled on the YubiKey 5, an access code must be set to protect the initial counter value and configuration. More details for such a configuration are described in the section below.

3.4.3. Technical configuration

In order to protect the OATH-HOTP credentials, the command line YubiKey Manager (YkMan) may be used.

The command ykman otp hotp should be used with the option --access-code for protecting the OATH-HOTP credentials. The --access-code parameter should be set to a six byte long hex value.

An example command line interaction for creating a protected OATH-HOTP with YKMan is depicted in the screenshot below.

_images/ex-conf-oath-hotp-creds.png

Figure 8 - Example of configuring protected OATH-HOTP credentials

A code is now required for any operations that require access to the OATH-HOTP credentials:

  • Delete credentials: ykman otp --access-code <value> delete [1|2]
  • Change the settings: ykman otp --access-code <value> settings [OPTIONS] [1|2]

For instance, it is not possible to now delete the OATH-HOTP credentials without providing the access code.

The screenshot below is an example of how to use the YkMan command line for deleting protected OATH-HOTP credentials. The first attempt fails because no --access-code is provided, but the second attempt succeeds when the flag –access-code is set.

_images/ex-del-prot-oath-hotp-creds.png

Figure 9 - Example of deleting protected OATH-HOTP credentials


To get in touch with Yubico Support, click here.