Applications:A Backup Yubikey

From Yubico


Yubikey backup, keyed-alike OTP by Concept Only (JH2009)

Image:YubikeyBackups.jpg


At time of sale, offer a single Yubikey with a matching OTP.

The idea of losing a yubikey is a recurring concern that can be eliminated.
This can be done with no change to the current Yubikey architecture or hardware.
A single Yubikey backup would give peace of mind now, using the current Yubikey system!
-------------------------------------------------
These keyed-alike[1] OTP Backup Yubikeys would only be sold in pairs.


It can be done today!

This type of backup system would require no changes to Yubikeys as we know them today.

So how is this possible?
- Yubico would need to make a small marketing addition.
- Place matching OTP info from a standard Yubikey into a special red one.
- Set the counter of the matching OTP Red-Yubikey to 64001.
- Perhaps stamp/mark both Yubikeys physically, or just attach a tag on the Red-Yubikey (should it remain black, that is).





Technical How To: Parallel Usage ID

The Yubikey doesn't allow for parallel usage, and this is by design (i.e., to prevent replay attacks).

So, to stay within the current design limitations, I'm proposing that Yubico could currently do the following:


- Split the session counter: KeyA = 1 - 64000, KeyB = 64001 - 65536

- Make KeyB of firetruck red plastic (or clearly mark/tape/wrap-up the KeyB as the backup and only good for 1535 uses)

- Put a random 4 character code or serial on back (could be small, and just melt/laser them into plastic?)

- Ship with a note to inform that once the (KeyB) Red-Backup Yubikey is used the other key would become useless.


The main Yubikey KeyA would be good for just 64000 sessions (10 uses/day for 365 days/year should give 17.5 years of use).

The (KeyB) Red-Backup Yubikey would be good for just 1535 sessions, but that should be plenty to switch everything over to a new set of Yubikeys.


I recommend that the main Yubikey KeyA stop generating OTPs at the 64000 sessions mark, but that may not be necessary.

Having that 64000 session limit would be a nice safety net, because once it stops working you must use the red one, and order a new set.
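
A simplified model of the split-counter scheme above, added here as an illustration and not Yubico's code. The `Key` and `Validator` classes, the result labels and the sample public ID are assumptions; the OTP is represented by its already-decrypted fields, and the server is assumed to accept only a session counter higher than the last one it saw.

```python
KEY_A_RANGE = (1, 64000)       # main Yubikey (KeyA), range from this page
KEY_B_RANGE = (64001, 65536)   # red backup Yubikey (KeyB), range from this page


class Key:
    """Token sharing its identity with its twin but owning one counter range."""
    def __init__(self, public_id, counter_range):
        self.public_id = public_id
        self.next_counter, self.limit = counter_range

    def press(self):
        """Return the decrypted OTP fields, or None once the range is used up."""
        if self.next_counter > self.limit:
            return None
        otp = {"public_id": self.public_id, "counter": self.next_counter}
        self.next_counter += 1
        return otp


class Validator:
    """Hypothetical server that accepts only a counter newer than the last."""

    def __init__(self):
        self.last_seen = {}  # public_id -> highest counter accepted so far

    def verify(self, otp):
        if otp is None:
            return "exhausted"
        last = self.last_seen.get(otp["public_id"], 0)
        if otp["counter"] <= last:
            return "rejected"  # stale counter, treated as a replay
        self.last_seen[otp["public_id"]] = otp["counter"]
        return "accepted"


def demo():
    server = Validator()
    key_a = Key("constructed-id", KEY_A_RANGE)  # constructed sample ID
    key_b = Key("constructed-id", KEY_B_RANGE)
    return [
        server.verify(key_a.press()),  # main key in normal use
        server.verify(key_b.press()),  # backup used for the first time
        server.verify(key_a.press()),  # main key after the backup was used
        server.verify(key_b.press()),  # backup keeps working
    ]


if __name__ == "__main__":
    print(demo())
```

The third result is the behaviour the shipping note warns about: once the server has seen a counter from the backup's range, every counter the main key can still produce is lower and is refused.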


Reference

Yubikeys with keyed-alike/matching OTP (alias: Yubikals) are a separate concept:

http://wiki.yubico.com/wiki/index.php/Applications:Keyed_alike_Yubikeys


Yubikey Technical Information is found here:

http://wiki.yubico.com/wiki/index.php/Yubikey


Your Vote will simply let Yubico know if a backup Yubikey is desirable.




History/Info-Update

I just wanted to inform people who may not be aware of the history behind the Yubikey.

This Wiki page describes 1 of 2 "backup" solutions with the other entitled "Keyed alike Yubikeys".

http://wiki.yubico.com/wiki/index.php/Applications:Keyed_alike_Yubikeys


Both articles were written when version 1 of the Yubikey was written.

Both provide relatively different solutions to the same problem, based on what the hardware could do back then.


I have since resolved my backup issues with version 2.2 Yubikeys and the "Yubikey Configuration Utility" version 2.2.0.

With them I created the same static password in slot 1, and generated different OTPs in slot 2, & registered that OTP info with Yubico servers, for several Yubikeys.

This lets me use one Lastpass account with several Yubikeys. (Lastpass allows up to 5 Yubikey OTPs with a paid subscription).


Please visit the Yubico Forum for more up to date info on how to accomplish what I've described above. http://forum.yubico.com/
