.. yk5-apps-otp.rst

.. _otp-label:

===
OTP
===

For an overview of the OTP features that became available with the 5.7.x firmware, see :ref:`5.7-fw-specs`.

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot 1 during manufacturing. Output is sent as a series of keystrokes from a virtual keyboard.

* Trigger the YubiKey to produce the credential in the first slot by briefly touching the metal contact of the YubiKey.

* If a credential has been programmed to the second slot, trigger the YubiKey to produce it by touching the contact for 3 seconds.


Yubico OTP
----------

`Yubico OTP `_ is a strong authentication mechanism that is supported by the YubiKey 5 Series. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey has two parts: the first 12 characters are the public identity, which a validation server can link to a user, and the remaining 32 characters are the unique passcode, which changes each time an OTP is generated.

The character representation of the Yubico OTP is designed to handle a variety of keyboard layouts. It is crucial that the same code is generated if a YubiKey is inserted into a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The Modified Hexadecimal (Modhex) coding was invented by Yubico to use only specific characters, ensuring that the YubiKey works with the maximum number of keyboard layouts. USB keyboards send their keystrokes as "scan codes" rather than actual characters. The device to which the YubiKey is connected translates the scan codes into keystrokes.


Static Password
---------------

A static password can be programmed to the YubiKey so that it will type the password for you when you touch the metal contact. For managing multiple passwords, see the `password managers `_ that the YubiKey can secure with two-factor authentication (2FA).


HMAC-SHA1 Challenge-Response
----------------------------

This type of credential is most often used for offline authentication, as it does not require contacting a server for validation. An HMAC-SHA1 Challenge-Response credential enables software to send a challenge to the YubiKey and verify that an expected, predetermined response is returned. This credential can also be set to require a touch on the metal contact before the response is sent to the requesting software.

This type of credential must be activated by the software sending the challenge; it cannot be activated by touching the metal contact on the YubiKey.

.. Note:: Developers: Because the Challenge-Response function requires two-way communication with the YubiKey, using this feature on iOS requires the `Yubico iOS SDK `_.

----
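
The offline check described in the HMAC-SHA1 Challenge-Response section, as an added Python example that is not Yubico's code: the verifier stores only a challenge and its expected response, compares in constant time, and enrolls a fresh challenge after each success so an earlier response cannot be reused. The ``token_response`` function is a software stand-in for the YubiKey slot, and the ``OfflineVerifier`` class, the rotation scheme and the secret values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the YubiKey slot (assumption): HMAC-SHA1 of the challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


class OfflineVerifier:
    """Hypothetical verifier: keeps one challenge and its expected response, never the secret."""

    def __init__(self, ask_token):
        self._enroll(ask_token)

    def _enroll(self, ask_token):
        # Fresh random challenge; the token's answer becomes the predetermined response.
        self.challenge = secrets.token_bytes(32)
        self.expected = ask_token(self.challenge)

    def verify(self, ask_token) -> bool:
        response = ask_token(self.challenge)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(response, self.expected):
            return False
        # Rotate the stored pair so a response observed earlier cannot be reused.
        self._enroll(ask_token)
        return True


def demo():
    secret = secrets.token_bytes(20)  # constructed slot secret, not a real key

    def key(challenge):
        return token_response(secret, challenge)

    verifier = OfflineVerifier(key)
    old_challenge = verifier.challenge
    observed = key(old_challenge)                    # response seen before rotation
    genuine = verifier.verify(key)                   # real token answers correctly
    replayed = verifier.verify(lambda c: observed)   # stale response is rejected
    other = verifier.verify(lambda c: token_response(b"\x00" * 20, c))  # wrong secret
    return genuine, replayed, other, verifier.challenge != old_challenge


if __name__ == "__main__":
    print(demo())
```
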