u2f
David Woodhouse
dwmw2 at infradead.org
Thu Feb 5 11:28:03 PST 2015
> Using something like a Yubikey Nano in HOTP mode is a usability
> improvement over these, although you do still need to worry somewhat
> about focusing on the text input field, avoiding double taps, etc.
I wasn't thinking of the HID mode. I was thinking of the CCID mode where
you actually talk to it as a smartcard, which is supported by OpenConnect.
So it supports TOTP and can theoretically do OATH with server-supplied
challenges.
>> I guess so. The advantage however of U2F over HOTP/TOTP is that you
>> don't need an additional shared secret with the server. The relation is
>> pretty asymmetric as the server only needs to hold your public key
>> similarly to ssh.
Right. I understand the benefit of it not being a single shared secret.
But in many way that is orthogonal to the actual exchange of challenges
and responses.
> One reason you might not want to leave an HOTP token in the slot is
> that somebody could tap the token when you aren't looking and
> pre-generate a bunch of tokencodes. i.e. the tokencode doesn't prove
> that the hardware token was physically present at the time of the
> access request.
With OATH (and to a large extent TOTP) it *does*. Those modes aren't
available in HID mode though. The device doesn't even have a clock.
--
dwmw2
More information about the openconnect-devel
mailing list