The OTP application on the YubiKey contains two configurable slots: the "long press" slot and the "short press" slot. Each slot may be programmed with one of the following configurations:
- Yubico OTP
- Initiative for Open Authentication HMAC-based OTP (OATH HOTP)
- Static password
- Challenge-response (using the HMAC-SHA1 or Yubico OTP algorithms)
The slots are activated during authentication. Activation results in the generation and/or submission of a password or challenge-response code from the YubiKey to the authenticating party through the use of a virtual keyboard (Yubico OTP, OATH HOTP, static password) or an API call (challenge-response). Only one slot may be activated at a time.
Slots configured with a Yubico OTP, OATH HOTP, or static password are activated by touching the YubiKey. The duration of touch determines which slot is used. The first slot (ShortPress slot) is activated when the YubiKey is touched for 1 - 2.5 seconds. The second slot (LongPress slot) is activated when the YubiKey is touched for 3 - 5 seconds.
Challenge-response authentication is automatically initiated via an API call. However, challenge-response configurations can be programmed to require a user to touch the YubiKey in order to validate user presence. In this case, the cryptographic operation will be blocked until the YubiKey is touched (the duration of touch does not matter). If touch is not required, the cryptographic operation will proceed automatically.
NFC-compatible YubiKeys also contain an NDEF tag that can be configured to point to one of the slots. When the YubiKey is scanned by an NFC reader, the slot that is pointed to by the NDEF tag will activate, causing the generation of an OTP.
NDEF tags only work with Yubico OTPs and OATH HOTPs.
The OTP application slots have the following properties:
- Each slot may only be programmed with one configuration.
- Only one slot may be activated at a time.
- Slots can be pointed to by an NDEF tag.
- No data is shared between slots.
- Slots can be protected from reconfiguration with an access code.
- Slot configurations can be deleted.
- Slot states can be retrieved.
- Slot configurations can be swapped.
- Slot settings that aren't related to encryption can be updated without performing complete slot reconfiguration.