On Mon, May 12, 2008 at 2:19 PM, Sean O'Connor <[EMAIL PROTECTED]> wrote:
> One time password simply means that each time you press the button on the
> Yubikey, a new "password" is generated. All passwords generated by the
> Yubikey can be authenticated and verified by the server.
>
> As far as how this works, without going too in-depth, the "password"
> generated by the Yubikey is an encrypted string containing a device id, some
> other information which can be used to authenticate the user, and some
> randomness. A server then can verify that the password provided is genuine by
> decrypting the string and making sure the device id is associated with the
> user.
>
> One time passwords are generally used as a second factor in a multifactor
> authentication system. In other words, to login to a system using the
> Yubikey a user will need something they know, their username and password,
> as well as something they have, their Yubikey.
>
So from what I can see about the Yubikey, it has an internal clock that it uses to seed its algorithm to generate a complex password. This is then verified against a server to authenticate, one you could run yourself if you wanted to.

I plan on listening to the Security Now episode when I get a chance, but if I'm not mistaken this is only going to let me log into a service that is expecting to verify my identity against whatever server decrypts Yubikey's output. Meaning, I could potentially make getting into my wiki a more secure procedure, but it's no good for logging into my bank. Is this correct?

--
John D. Mort
http://john.mort.net

_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
Jun 4 - Squeak! and eToys
Jul 2 - KVM (Tentative)
Aug 6 - Zenos
Sep 3 - TBD
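The mechanism Sean describes above (an encrypted token carrying a device id plus randomness, decrypted and checked by a server that holds the key) is easy to model. The following is an added illustration written for this thread; it is not Yubico's code, nor the actual Yubikey token format, and it makes several assumptions: the token carries a cleartext device id so the server can pick the right key, a per-press usage counter stands in for the "other information" that makes each token single-use, and HMAC-SHA256 is used as a keystream generator and tag in place of a block cipher so the example runs with only the Python standard library. The device keys and user mapping are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo data. In a real deployment each device's key is provisioned
# once and known only to the device and to the verification server, which is
# why only a service that talks to that server can check the tokens.
DEVICE_KEYS = {
    b"dev-0001": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    ),
}
DEVICE_OWNER = {b"dev-0001": "alice"}  # which user each device is associated with

ID_LEN, NONCE_LEN, CT_LEN, TAG_LEN = 8, 8, 16, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (assumption: not the real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def generate_otp(device_id: bytes, counter: int, nonce=None) -> str:
    """Token layout (hex): device_id | nonce | encrypt(device_id || counter) | tag."""
    key = DEVICE_KEYS[device_id]
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce  # the "randomness"
    plaintext = device_id + struct.pack(">Q", counter)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, device_id + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return (device_id + nonce + ciphertext + tag).hex()


class Yubikey:
    """Simulated device: each button press emits a fresh token with a higher counter."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return generate_otp(self.device_id, self.counter)


class VerificationServer:
    """Holds the device keys and the last counter seen per device (replay defence)."""

    def __init__(self):
        self.last_counter = {dev: 0 for dev in DEVICE_KEYS}

    def verify(self, username: str, token_hex: str) -> bool:
        try:
            raw = bytes.fromhex(token_hex)
        except ValueError:
            return False
        if len(raw) != ID_LEN + NONCE_LEN + CT_LEN + TAG_LEN:
            return False
        device_id = raw[:ID_LEN]
        nonce = raw[ID_LEN:ID_LEN + NONCE_LEN]
        ciphertext = raw[ID_LEN + NONCE_LEN:ID_LEN + NONCE_LEN + CT_LEN]
        tag = raw[ID_LEN + NONCE_LEN + CT_LEN:]
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, device_id + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # tampered or forged token
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, CT_LEN)))
        inner_id, counter = plaintext[:ID_LEN], struct.unpack(">Q", plaintext[ID_LEN:])[0]
        if inner_id != device_id:
            return False  # cleartext prefix and encrypted id disagree
        if counter <= self.last_counter[device_id]:
            return False  # already used: this is what makes the password "one time"
        if DEVICE_OWNER.get(device_id) != username:
            return False  # genuine token, but the device is not this user's
        self.last_counter[device_id] = counter
        return True


if __name__ == "__main__":
    key, server = Yubikey(b"dev-0001"), VerificationServer()
    token = key.press()
    print("first use:", server.verify("alice", token))   # True
    print("replayed: ", server.verify("alice", token))   # False
```

Note that the server answers "is this a genuine, unused token from a device associated with this user"; it learns nothing that lets a third party verify the same token, which is why (as John's question implies) a service has to be integrated with a server holding the device keys before a Yubikey press means anything to it.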
