Hi Automatic,
since I am not so experienced in PC-Technologie I can`t follow your accusations.
I thought (and I think still) there are no informations sent during Login with yubikey .
The OTP runs immediately as it is shown in the login-button as you press the yubikey Key.
there is no time to send Informations to yubikey Servers and getting back verified.
Yes, it's generated on the Yubikey the second you hit the button and not sent to the Yubico servers, but, who knows if that code is legitimate? Only Yubico, so, the program has to ship that little code off to Yubico and Yubico either returns with a "Valid" or "Invalid" response once you login to the service.
How it knows (From what I've gathered) is that the Yubikey output is 48bytes, 16 bytes are unique to the Yubikey (and never change, the first sixteen characters), and, the last thirty two bytes change, they change based on
mainly one thing,
the number of times you've pressed the button (They also change based on how many milliseconds since you plugged the device in, a random seed implemented at manufacturing, how many times you've pushed the button this session, etc...).
Now, this is shipped off to Yubico, and, they verify if the amount of times you've pushed the button is
more than the last time you pushed the button, if so, they validate you, if not, they don't. This means if I push the button three times, then send the last code off, then send either of the other two codes, they'll know they've been sent out-of-order and disallow the first and second code.
The
ONLY way I can see Yubikey being implemented into Armory is if you encrypt your wallet using the
static password feature of the Yubico Yubikey, which, currently already works, unfortunately, with the design of the Yubico Yubikey, this uses up one of your two configurable slots.
