Building a basic authenticator
The most common use of the OATH application is to build a time-based OTP authenticator app. The basic steps to implement one are:
- Find the connected YubiKey:
IEnumerable<IYubiKeyDevice> keys = YubiKeyDevice.FindByTransport(Transport.UsbSmartCard);
var yubiKeyToUse = keys.First();
- Create an OathSession object:
var oathSession = new OathSession(yubiKeyToUse);
This will connect to the OATH application on the chosen YubiKey.
- Get all configured credentials from the YubiKey:
IList<Credential> credentials = oathSession.GetCredentials();
You will probably want to find out whether there are any HOTP credentials, or credentials that require touch to generate an OTP. That way you do not show values for those credentials until the user requests one, for example by tapping a "Generate code" button (an HOTP calculation also advances the counter, so it should not run until asked for).
You will also need to track TOTP credentials that have a non-default period, such as 15 or 60 seconds, so they can be refreshed on their own schedule.
- Calculate the credentials and show the OTPs:
IDictionary<Credential, Code> credentialCodes = oathSession.CalculateAllCredentials();
When an HOTP credential or a credential that requires touch is requested, calculate it individually with the CalculateCredential() method, passing the Credential object obtained from GetCredentials():
Code otpCode = oathSession.CalculateCredential(credential);
Also, any credentials with a non-default period should be recalculated in their respective interval.
- Add new credentials.
The simplest way to add a credential is to implement a QR code scanner and read the otpauth URI string from the QR code.
// Pass the string received from the QR reader (or entered manually from the server).
// The method returns the credential parsed from the URI string.
Credential credential = oathSession.AddCredential(
"otpauth://totp/ACME%20Co:test@example.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30");
Read more about credentials and URI strings.
- Remove and Rename credentials if needed.
var credentialTotp = new Credential
{
Issuer = "Yubico",
AccountName = "test@yubico.com",
Type = CredentialType.Totp,
Period = CredentialPeriod.Period60,
Secret = "test", // base32-encoded secret
Digits = 8
};
// Pass credential to rename as well as the new Issuer and AccountName.
oathSession.RenameCredential(credentialTotp, "Test", "example@test.com");
var credentialTotp = new Credential
{
Issuer = "Yubico",
AccountName = "test@yubico.com",
Type = CredentialType.Totp,
Period = CredentialPeriod.Period60,
Secret = "test", // base32-encoded secret
Digits = 8
};
// Pass credential to remove.
oathSession.RemoveCredential(credentialTotp);
Read more about OathSession methods and OathPassword implementation on the YubiKey.
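The steps above combined into a single console pass, as an added example that is not part of the original page or of the Yubico SDK documentation. It assumes the SDK types already shown on this page (YubiKeyDevice, OathSession, Credential, Code) together with the CredentialType and CredentialPeriod enums and the Credential.Type, Credential.Period, Credential.RequiresTouch and Code.Value members; the class and helper names (BasicAuthenticator, IsOnDemand, RefreshSecondsLeft, Label) are this example's own. It goes slightly beyond the page by computing the refresh countdown for non-default periods.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Yubico.YubiKey;
using Yubico.YubiKey.Oath;

// Added example, not SDK code: one pass of a basic authenticator.
// An optional otpauth:// URI (e.g. from a QR scanner) may be passed as args[0].
public static class BasicAuthenticator
{
    public static void Main(string[] args)
    {
        // Step 1: find the YubiKey over the USB smart card transport.
        IEnumerable<IYubiKeyDevice> keys = YubiKeyDevice.FindByTransport(Transport.UsbSmartCard);
        IYubiKeyDevice yubiKey = keys.FirstOrDefault()
            ?? throw new InvalidOperationException("No YubiKey connected.");

        // Step 2: open the OATH application; dispose the session to release the connection.
        using var oathSession = new OathSession(yubiKey);

        // Step 5 (add): a scanned otpauth URI is parsed and stored by the SDK.
        if (args.Length > 0 && args[0].StartsWith("otpauth://", StringComparison.OrdinalIgnoreCase))
        {
            Credential added = oathSession.AddCredential(args[0]);
            Console.WriteLine($"Added {Label(added)}");
        }

        // Step 3: list credentials and pick out the ones that must wait for a user request.
        IList<Credential> credentials = oathSession.GetCredentials();
        List<Credential> onDemand = credentials.Where(IsOnDemand).ToList();

        // Step 4: one CALCULATE ALL round trip covers the plain TOTP credentials.
        IDictionary<Credential, Code> codes = oathSession.CalculateAllCredentials();
        foreach (KeyValuePair<Credential, Code> entry in codes)
        {
            if (IsOnDemand(entry.Key))
            {
                continue; // shown below only when the user asks for it
            }
            Console.WriteLine(
                $"{Label(entry.Key),-40} {entry.Value.Value}  (refresh in {RefreshSecondsLeft(entry.Key)} s)");
        }

        // HOTP advances its counter on every calculation and a touch credential blocks
        // until the key is tapped, so these are calculated one at a time, on request.
        foreach (Credential c in onDemand)
        {
            Console.WriteLine($"{Label(c),-40} [press Enter to generate]");
            Console.ReadLine();
            Code code = oathSession.CalculateCredential(c);
            Console.WriteLine($"{Label(c),-40} {code.Value}");
        }
    }

    // HOTP and touch-required credentials are never calculated ahead of time.
    public static bool IsOnDemand(Credential credential) =>
        credential.Type == CredentialType.Hotp || credential.RequiresTouch;

    // Seconds until the current TOTP window ends, so 15 s and 60 s credentials
    // are refreshed on their own schedule rather than the default 30 s one.
    public static int RefreshSecondsLeft(Credential credential)
    {
        int period = credential.Period switch
        {
            CredentialPeriod.Period15 => 15,
            CredentialPeriod.Period60 => 60,
            _ => 30, // Period30 and an unset period both mean the default window
        };
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return period - (int)(now % period);
    }

    // Display name in the usual "issuer:account" form.
    public static string Label(Credential credential) =>
        string.IsNullOrEmpty(credential.Issuer)
            ? credential.AccountName ?? string.Empty
            : $"{credential.Issuer}:{credential.AccountName}";
}
```

Run it as `dotnet run -- "otpauth://totp/..."` to add a credential first, or with no argument to only display codes. The on-demand split is decided from the credential list rather than from the calculated values, so an HOTP counter is never advanced and a touch prompt never raised without the user asking.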