6/19/2023 0 Comments

Yubikey 5 nfc lastpass

OATH-TOTP is what almost every Google Authenticator/Authy/etc type setup is. It's a code that changes based on time (that's the first T in TOTP). OATH-HOTP is a code that changes whenever you need it. For HOTP, you'd see the code listed as "-" and then you'd touch that line and it would turn to something like "123 456" and stay visible for ~2 minutes before switching back to "-". The code is technically valid forever, until it is used or a code newer than it is used.

TOTP has the benefit of being only valid for a 30 second window, whereas HOTP is valid for an indeterminate amount of time. With HOTP, an attacker could sit and get 100 codes out of your device if they have access to it, and keep using them whenever they want. However, if you get your device back and use it just once, all 100 codes they stole aren't valid. TOTP theoretically doesn't have that problem, as the codes are only valid while the person possesses the device. However, it is possible in many cases to just set the clock ahead on the device and determine what the codes will be. The attacker would have to keep careful track of the codes for each time period, and could only use them at that time, but they could theoretically request codes a week, month, or more in the future. Both Google Authenticator/Authy/whatever and Yubikey are subject to this vulnerability because they have a clock which a user can manually reset. In both cases, a PIN applied to your Yubikey can prevent either attack from working, unless you're in the group of YK NEO users which have a faulty key that can have the PIN overridden.

It opens up Google Authenticator first via a pop up window on my Samsung S9+ (that is the backup that I selected when configuring the 2FA on LastPass on my desktop PC). If I wish to get through this pop up window, I'd have to open up Google Authenticator on my S9+ phone, and remember the code, then type it inside the pop up window - all on my phone.