Author Topic: Mt. Gox - are OTPs generated by Yubikeys time-dependent?  (Read 1152 times)
ripper234 (OP)
Ron Gross


August 09, 2012, 01:41:22 PM
 #1

If I use a Yubikey on Mt. Gox, can a trojan capture this key, and reuse it some time in the future?

> Actually, if you are using a MtGox yubikey as 2FA, you are similarly not protected by keyloggers - they don't validate the whole token, they just use the first so many digits (the serial number of the key) as the second factor.
> Unfortunately, LastPass does the same damn thing for offline access.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
rjk
August 09, 2012, 01:48:17 PM
 #2

> If I use a Yubikey on Mt. Gox, can a trojan capture this key, and reuse it some time in the future?
>
> > Actually, if you are using a MtGox yubikey as 2FA, you are similarly not protected by keyloggers - they don't validate the whole token, they just use the first so many digits (the serial number of the key) as the second factor.
> > Unfortunately, LastPass does the same damn thing for offline access.

You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
ripper234 (OP)
August 09, 2012, 02:03:46 PM
 #3

> You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/

So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future.

Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works.
Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP.
If a Trojan sniffs the first OTP, will it be able to use it later on to login?

rjk
August 09, 2012, 02:04:55 PM
 #4

> > You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/
>
> So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future.
>
> Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works.
> Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP.
> If a Trojan sniffs the first OTP, will it be able to use it later on to login?

If you generate an OTP, it can be used any time in the future unless you generate another one and use it. Using a later OTP invalidates all previous OTPs.

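Added example, not part of the thread and not Mt. Gox's or Yubico's code: a model of the counter check described in reply #4, next to the prefix-only check described in the statement quoted in post #1. It assumes the OTP has already been decrypted by the validation server; the class names, counter values, public ID and OTP string are constructed for illustration.

```python
from dataclasses import dataclass

PUBLIC_ID_LEN = 12  # leading modhex characters of a Yubico OTP: the key's static public ID

@dataclass(frozen=True)
class DecryptedOtp:
    """Counters a validation server reads after decrypting an OTP (decryption omitted here)."""
    public_id: str
    use_counter: int      # non-volatile, incremented when the key is used after power-up
    session_counter: int  # reset at power-up, incremented for every OTP generated

class CounterValidator:
    """Hypothetical server-side check: accept only counters newer than the last accepted OTP."""
    def __init__(self):
        self.last_accepted = {}  # public_id -> (use_counter, session_counter)

    def verify(self, otp):
        current = (otp.use_counter, otp.session_counter)
        if current <= self.last_accepted.get(otp.public_id, (-1, -1)):
            return False  # the same OTP again, or one older than an OTP already used
        self.last_accepted[otp.public_id] = current
        return True

def prefix_only_check(otp_text, enrolled_public_id):
    """Weak variant: compares only the static public ID and ignores the encrypted part."""
    return otp_text[:PUBLIC_ID_LEN] == enrolled_public_id

def notepad_scenario():
    """OTP 1 is typed into notepad and captured; OTP 2 is the one the owner logs in with."""
    key = "ccccccbcgujh"                      # constructed public ID
    otp1 = DecryptedOtp(key, 5, 0)            # constructed counter values
    otp2 = DecryptedOtp(key, 5, 1)
    unused, used = CounterValidator(), CounterValidator()
    captured_text = key + "dteffuje" * 4      # constructed 44-character OTP string
    return {
        # No newer OTP has been used yet: the captured one is accepted, whatever its age.
        "captured_before_owner_login": unused.verify(otp1),
        "owner_login": used.verify(otp2),
        # Once OTP 2 was accepted, the older OTP 1 and a repeat of OTP 2 are both refused.
        "captured_after_owner_login": used.verify(otp1),
        "owner_otp_repeated": used.verify(otp2),
        # The prefix-only check accepts the same captured string every time.
        "prefix_only_replays": [prefix_only_check(captured_text, key) for _ in range(3)],
    }

if __name__ == "__main__":
    for name, result in notepad_scenario().items():
        print(f"{name}: {result}")
```

The counters are compared as a pair, so an OTP from an earlier power-up is refused even if its per-session counter is higher.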
ripper234 (OP)
August 09, 2012, 02:07:33 PM
 #5

> > > You are reading my statement wrong. I was saying that specifically about blockchain.info. On MtGox, the yubikey is still a one-time password generator, although it never has been time dependent. It is not a TOTP token. Read more at http://yubico.com/
> >
> > So, you mean that every password generated by a Yubikey can only be used once on Mt. Gox ... but that one time can be in whatever time in the future.
> >
> > Suppose I generate a Yubikey, and for fun just generate an OTP into notepad, to test that it works.
> > Then, I connect to Mt. Gox, and use the Yubikey to generate another OTP.
> > If a Trojan sniffs the first OTP, will it be able to use it later on to login?
>
> If you generate an OTP, it can be used any time in the future unless you generate another one and use it. Using a later OTP invalidates all previous OTPs.

I see, thanks for clarifying.
Someone should write an "OTP for Bitcoin dummies" article.
