Yubico Forum • View topic (2024)

olivierm wrote:

If I understand correctly, there are three concerns here:

  1. Somebody gets to your machine while it is unlocked and the Yubikey is inserted. The user generates several OTPs, sends them to himself (email, file copy, whatever), and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  2. Somebody gets to your Yubikey while it is left alone. The user connects the Yubikey to their computer, generates several OTPs, and uses them as soon as possible (before you use another OTP). Nobody sees this happen. They do not have very much time to use the OTPs (an hour or less).
  3. You discover someone playing with your Yubikey (either as part of #1 or #2, or for a different reason). You are not sure if they have generated some OTPs for themselves.

I think the solutions would be different.

For issue #1: On most machines, there is a screen saver which will activate automatically (after some inactivity) or manually (by pressing a button on screen, pressing a special key on the keyboard, or moving the mouse to a specific location). There is another topic where a way is discussed (in Linux) for the screen saver to activate automatically when you remove your Yubikey from the USB port, and to display the login window when you insert the Yubikey. I think somebody should work on a Windows add-on that does the same thing.

For issue #2: There are two options:

  1. If you use software (like Rohos Login) which uses the Yubikey OTP to log in or unlock the screensaver, then as soon as you return to your computer and unlock it (or log in), the "stolen" OTPs are made useless.
  2. Have a small software program that watches in the background to see if a Yubikey is inserted. Once it is, display a window (or taskbar alert, something unobtrusive) that asks for an OTP. Once an OTP is provided, the window should disappear, and your program should send the OTP to the validation server. You are not actually using the OTP to authenticate to anything, you are just making sure that any "stolen" OTPs are made useless. As a useful feature, warn the user if you get a suspicious error (like an OTP_REPLAYED error).

For issues #1 and #2, if you configure web sites to log you out after a shorter amount of time, this will cause you to use OTPs more often, making any "stolen" OTPs invalid sooner. For example, if you use LastPass Premium (which allows you to use the Yubikey as part of the authentication), if you can configure LastPass to prompt you to log in after unlocking the screensaver, part of the log in process will require an OTP, which will be validated, making any "stolen" OTPs useless!

For issue #3: Yubikey could provide a site (example title: "OTP Check" or "Token Sync") where you provide an OTP. Yubico takes the OTP and checks it against the validation server, instantly making all of the "stolen" OTPs useless.

So, the basic concepts are...

  • Keep the Yubikey with you as much as possible.
  • If you are separated from the Yubikey, when you return, generate and use an OTP as soon as possible!
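The whole post rests on one property of Yubico OTP validation: the server remembers the highest counter pair it has accepted for a key, so submitting any fresh OTP retires every older one. The following Python model is an added example, not code from the post or from Yubico. It assumes a simplified key (a power-up "session" counter and a per-touch "use" counter, kept in the clear rather than inside the real AES-encrypted, modhex-encoded block) and a toy server whose status strings follow the YubiCloud validation protocol, where the replay status is spelled `REPLAYED_OTP` (the post's `OTP_REPLAYED`). The class and function names and the public ID `cccccccccccc` are constructed for the example. It plays out scenario #2 twice: once where the owner follows the post's advice and uses an OTP immediately on returning, and once where the harvested OTPs are submitted first, which shows the time window the post describes.

```python
"""Model of the counter check behind Yubico OTP replay protection (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Yubico's modhex alphabet: the position of a character is its nibble value 0..15.
MODHEX_ALPHABET = "cbdefghijklnrtuv"


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (for example a 12-character public ID) into bytes."""
    if len(text) % 2 or any(ch not in MODHEX_ALPHABET for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


@dataclass(frozen=True)
class Otp:
    """The counter fields a validation server recovers after decrypting an OTP.

    A real OTP carries these inside an AES-encrypted, modhex-encoded block; this
    model (an assumption for illustration) keeps them in the clear because only
    the comparison matters here.
    """
    public_id: str   # 12 modhex characters identifying the key
    session: int     # power-up counter: advances each time the key is inserted
    use: int         # per-session counter: advances with every touch


class YubiKeyModel:
    """Toy key that tracks the two counters; simplified, not the hardware's behaviour."""

    def __init__(self, public_id: str, session: int = 0) -> None:
        modhex_decode(public_id)  # raises if the public ID is malformed
        self.public_id = public_id
        self.session = session
        self.use = 0
        self.inserted = False

    def plug_in(self) -> None:
        self.session += 1  # a new power-up session; the use counter restarts
        self.use = 0
        self.inserted = True

    def unplug(self) -> None:
        self.inserted = False

    def touch(self) -> Otp:
        if not self.inserted:
            raise RuntimeError("key is not inserted")
        otp = Otp(self.public_id, self.session, self.use)
        self.use += 1
        return otp


class ValidationServer:
    """Keeps the highest (session, use) pair accepted per key and refuses anything older."""

    def __init__(self, known_public_ids: Set[str]) -> None:
        self.known = set(known_public_ids)
        self.last_seen: Dict[str, Tuple[int, int]] = {}

    def verify(self, otp: Otp) -> str:
        if otp.public_id not in self.known:
            return "BAD_OTP"
        counter = (otp.session, otp.use)
        # Tuple comparison: a higher session wins regardless of the use counter,
        # so one fresh OTP after re-inserting the key retires a whole earlier session.
        if counter <= self.last_seen.get(otp.public_id, (-1, -1)):
            return "REPLAYED_OTP"
        self.last_seen[otp.public_id] = counter
        return "OK"


def simulate_left_alone_key(owner_uses_otp_first: bool) -> dict:
    """Scenario #2 from the post: the key is left alone and someone harvests OTPs from it.

    Returns the server's verdict on the owner's fresh OTP and on each harvested one.
    """
    public_id = "cccccccccccc"  # constructed public ID, not a real key
    server = ValidationServer({public_id})
    key = YubiKeyModel(public_id)

    key.plug_in()                 # the owner's ordinary session
    server.verify(key.touch())
    key.unplug()

    key.plug_in()                 # key inserted elsewhere; three OTPs harvested
    harvested: List[Otp] = [key.touch() for _ in range(3)]
    key.unplug()

    if owner_uses_otp_first:
        key.plug_in()             # owner returns and uses one OTP right away
        fresh = server.verify(key.touch())
        harvested_results = [server.verify(o) for o in harvested]
    else:
        harvested_results = [server.verify(o) for o in harvested]
        key.plug_in()
        fresh = server.verify(key.touch())
    return {"fresh": fresh, "harvested": harvested_results}


if __name__ == "__main__":
    print("owner first:   ", simulate_left_alone_key(True))
    print("attacker first:", simulate_left_alone_key(False))
```

With `owner_uses_otp_first=True` the fresh OTP is accepted and all three harvested ones come back `REPLAYED_OTP`; with `False` the harvested OTPs are accepted and the owner's later OTP still validates, which is exactly why the post's "generate and use an OTP as soon as possible" advice and a watcher that reports an unexpected `REPLAYED_OTP` both matter. Scenario #1 (OTPs generated within the owner's own session) is covered by the same comparison, since the use counter alone is enough to order them.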

FAQs

Why is YubiKey so expensive?

It is costly to design, mould, manufacture, sell and support a hardware product, even something as small as this. Since you don't want your 2FA company to go out of business there is good value in knowing they have a stable business model that can actually support a company rather than just burning capital.

Why is my computer not recognizing my YubiKey?

Check to see if the YubiKey's LED is lit - if not, the YubiKey may not be receiving power. The issue may be as simple as the YubiKey is inserted upside down for USB-A connectors. Alternatively, the USB port may not be functioning correctly - if that is the case, try on a different USB port or computer.

Should I leave my YubiKey plugged in all the time?

No, you only need to insert your YubiKey when you are prompted to do so during login. Leaving it plugged in could result in the YubiKey being lost or damaged.

What is the lifespan of a YubiKey?

Considering a YubiKey being used five times a day, 365 days per year, it will take 18 years for the counter to get stuck. Furthermore, as this counter only increments the first time after power-up / reset, the practical lifetime is even longer.

Does YubiKey work without Internet?

Can YubiKey work without internet? All the places/applications you'll be required to use your YubiKey will be unavailable without internet access, so you would already need internet access before needing your YubiKey.

What happens if you forget your YubiKey?

So, what happens if you lose your YubiKey? In that case, you can still use your Authenticator app (phew!). While you can't create a backup YubiKey, you can always contact Yubico to get a replacement key.

Can you log into Windows with a YubiKey?

Yubico Login for Windows is only compatible with machines built on the x86 architecture. It is not compatible with Windows on Arm (ARM32, ARM64) based machines. *Customers will require a YubiKey from the 5 Series for it to function with Yubico Login for Windows.

Is buying a YubiKey worth it?

The Yubico YubiKey 5C NFC supports many authentication protocols, so it works anywhere security keys are accepted. If you can make the most of its advanced features, such as signing and encrypting with OpenPGP, it's well worth the price.

Is there an alternative to YubiKey?

An alternative Yubico security key is the $29 C NFC model. The USB-C key is best suited for businesses that want to implement physical 2FA procedures without spending a fortune.

Is the YubiKey expensive?

The TL;DR here is that the cost of a YubiKey is anywhere between $25 for the Security Series and $95 for the YubiKey FIPS series.

Is it safe to buy a YubiKey from a third party?

Yubico highly recommends not purchasing keys from unapproved sources. Only keys purchased from our web store or authorized resellers are valid for warranty service. Keys purchased from resellers are subject to that reseller's warranty and return policies.

Article information

Author: Catherine Tremblay