Title: Mt. Gox - are OTPs generated by Yubikeys time-dependent?
Post by: ripper234 on August 09, 2012, 01:41:22 PM

If I use a Yubikey on Mt. Gox, can a trojan capture this key, and reuse it some time in the future?

> Actually, if you are using a MtGox yubikey as 2FA, you are similarly not protected by keyloggers - they don't validate the whole token, they just use the first so many digits (the serial number of the key) as the second factor. >:( Unfortunately, LastPass does the same damn thing for offline access. >:(

Title: Re: Mt. Gox - are OTPs generated by Yubikeys time-dependent?
Post by: rjk on August 09, 2012, 01:48:17 PM

> If I use a Yubikey on Mt. Gox, can a trojan capture this key, and reuse it some time in the future?

You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

> Actually, if you are using a MtGox yubikey as 2FA, you are similarly not protected by keyloggers - they don't validate the whole token, they just use the first so many digits (the serial number of the key) as the second factor. >:( Unfortunately, LastPass does the same damn thing for offline access. >:(

Title: Re: Mt. Gox - are OTPs generated by Yubikeys time-dependent?
Post by: ripper234 on August 09, 2012, 02:03:46 PM

> You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future. Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works. Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP. If a Trojan sniffs the first OTP, will it be able to use it later on to login?

Title: Re: Mt. Gox - are OTPs generated by Yubikeys time-dependent?
Post by: rjk on August 09, 2012, 02:04:55 PM

> You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

> So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future. Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works. Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP. If a Trojan sniffs the first OTP, will it be able to use it later on to login?

Title: Re: Mt. Gox - are OTPs generated by Yubikeys time-dependent?
Post by: ripper234 on August 09, 2012, 02:07:33 PM

> You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

> So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future. Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works. Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP. If a Trojan sniffs the first OTP, will it be able to use it later on to login?

I see, thanks for clarifying. Someone should write an "OTP for Bitcoin dummies" article.
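
The replay question in this thread, as an added example that is not part of any post: a simplified model of a counter-based (not time-based) OTP, comparing a validator that checks the whole token and tracks the counter with one that only compares the identifier prefix. The key, identifier, token layout and the HMAC tag are constructed stand-ins for illustration; this is not the real Yubico OTP format and not any site's validation code.

```python
import hashlib
import hmac

KEY = b"constructed-demo-secret"   # constructed secret shared by token and server
PUBLIC_ID = "ccccccdemoid"         # constructed 12-character identifier prefix

def _tag(data: str) -> str:
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()[:24]

def make_otp(counter: int) -> str:
    """Toy OTP: identifier + usage counter + MAC. No clock is involved."""
    body = f"{counter:08x}"
    return PUBLIC_ID + body + _tag(PUBLIC_ID + body)

class PrefixOnlyValidator:
    """Weak check from the thread: only the identifier prefix is compared."""
    def verify(self, otp: str) -> bool:
        return otp.startswith(PUBLIC_ID)

class CounterValidator:
    """Validates the whole token and accepts each counter value at most once."""
    def __init__(self) -> None:
        self.last_counter = -1

    def verify(self, otp: str) -> bool:
        if len(otp) != 44 or not otp.startswith(PUBLIC_ID):
            return False
        body, tag = otp[12:20], otp[20:]
        if not hmac.compare_digest(tag.encode(), _tag(PUBLIC_ID + body).encode()):
            return False              # forged or altered token
        counter = int(body, 16)
        if counter <= self.last_counter:
            return False              # replayed, or older than one already used
        self.last_counter = counter
        return True

def scenario() -> dict:
    otp1 = make_otp(1)   # typed into notepad and captured, never submitted
    otp2 = make_otp(2)   # used for the real login
    full, weak, fresh = CounterValidator(), PrefixOnlyValidator(), CounterValidator()
    return {
        "full: login with otp2": full.verify(otp2),
        "full: otp2 replayed": full.verify(otp2),
        "full: older otp1 after otp2": full.verify(otp1),
        "full: otp1 before any newer use": fresh.verify(otp1),
        "weak: older otp1 after otp2": weak.verify(otp1),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In this model the older token stops working only once a newer one has been accepted, which is why a token that is generated but never submitted should be treated as exposed until the next successful login.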