YubiKeys counter malware, phishing, and man-in-the-middle attacks by requiring physical possession of the key: each login needs a fresh one-time password that only the YubiKey in the user's hand can produce. Without the YubiKey, an attacker who has obtained the account password alone cannot unlock networks, accounts, or cloud-based services.
Apart from the general advantages of 2-factor authentication, Yubico OTP has the following characteristics:
- No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.
- YubiKey ID embedded in the OTP. The first 12 characters identify the key that produced it, so a service can tell which key was used. This allows self-provisioning (a user pastes an OTP and the service learns the key's public ID) and even authenticating without a separate username.
- Easy to implement. Using YubiCloud, Yubico's hosted validation service, supporting Yubico OTP is not much harder than supporting regular passwords: the application forwards the OTP string to the validation API and acts on the answer.
A Yubico OTP is a 44-character, single-use string. It is written in ModHex, an alphabet of 16 letters chosen because they sit on the same physical keys in almost every keyboard layout, so the OTP types correctly wherever the key is plugged in. It has two parts: the first 12 characters are constant and are the public ID of the YubiKey itself; the remaining 32 characters encode a 16-byte block encrypted with AES-128 under a secret key that exists only inside the YubiKey and on the validation server. Without that key an attacker cannot forge a passcode that decrypts to a valid block.
The encrypted block is built from several changing inputs: a private ID that the server checks against the registered key, a session counter that increases every time the YubiKey is powered up, a session-use counter that increases for every OTP generated within that session, a timestamp, a random value, and a CRC that lets the server detect a wrong key or a corrupted passcode. When a Yubico OTP is verified, the decrypted counter values are compared with the last values accepted for that key. If the counters are not strictly greater than the previously accepted values, the OTP is rejected. Copying an OTP that has already been used therefore does not allow another user to impersonate the YubiKey, because the counter values tell the validation server which OTPs have been consumed. Note that this is replay protection rather than phishing resistance: an OTP that has been captured but not yet submitted, for example by a phishing page that relays it to the real service before the user's own request arrives, is accepted as its first use.
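The OTP layout and the counter-based replay check described above, as an added example that is not code from Yubico or from this page. It implements both sides: the key's side, which builds the 16-byte block, appends the CRC, encrypts it with AES-128 and prefixes the public ID, and the server's side, which decodes, decrypts, checks the CRC and private ID, and rejects any OTP whose (counter, use) pair is not strictly greater than the last one accepted. The ModHex alphabet, field order, little-endian encoding, CRC polynomial and the 0xF0B8 check residue follow Yubico's published token format; the KeyRecord layout, the public ID "ccccccbchvth" and the AES key and private ID are assumptions constructed for this example. A real deployment would normally send the OTP to YubiCloud instead of holding per-key AES secrets itself.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

// ModHex: nibbles map to letters on the same physical keys in nearly every
// keyboard layout, so the OTP types correctly regardless of locale.
const modhex = "cbdefghijklnrtuv"

func ModhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhex[c>>4])
		sb.WriteByte(modhex[c&0x0f])
	}
	return sb.String()
}

func ModhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, fmt.Errorf("modhex: odd length %d", len(s))
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, fmt.Errorf("modhex: bad character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 (poly 0x8408 reflected, init 0xFFFF): the key stores the complement of
// the CRC over bytes 0..13, so an intact 16-byte token always yields 0xF0B8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Token is the 16-byte plaintext inside the 32-character passcode.
type Token struct {
	PrivateID [6]byte // secret per-key identifier, must match the registered one
	Counter   uint16  // session counter, +1 at each power-up (top bit is a flag)
	Timestamp uint32  // 24-bit, ~8 Hz clock since power-up
	Use       uint8   // session-use counter, +1 per OTP within a session
	Random    uint16
}

// KeyRecord is the validation server's per-key state (layout assumed here).
type KeyRecord struct {
	AESKey    []byte
	PrivateID [6]byte
	Seen      bool   // false until the first OTP has been accepted
	Counter   uint16 // highest (Counter, Use) pair accepted so far
	Use       uint8
}

// GenerateOTP plays the key: serialize the token, append the CRC, encrypt it as
// one AES-128 block under the key's secret and prepend the public ID.
func GenerateOTP(rec *KeyRecord, publicID string, t Token) (string, error) {
	c, err := aes.NewCipher(rec.AESKey)
	if err != nil {
		return "", err
	}
	b := make([]byte, 16)
	copy(b, rec.PrivateID[:])
	binary.LittleEndian.PutUint16(b[6:], t.Counter)
	b[8], b[9], b[10], b[11] = byte(t.Timestamp), byte(t.Timestamp>>8), byte(t.Timestamp>>16), t.Use
	binary.LittleEndian.PutUint16(b[12:], t.Random)
	binary.LittleEndian.PutUint16(b[14:], ^crc16(b[:14]))
	c.Encrypt(b, b)
	return publicID + ModhexEncode(b), nil
}

// VerifyOTP is the server side: look up the key, decode, decrypt, check
// integrity and identity, reject replays; state is updated only on success.
func VerifyOTP(otp string, db map[string]*KeyRecord) (t Token, err error) {
	if len(otp) != 44 {
		return t, fmt.Errorf("otp: want 44 characters, got %d", len(otp))
	}
	rec := db[otp[:12]]
	b, err := ModhexDecode(otp[12:])
	if rec == nil || err != nil {
		return t, fmt.Errorf("otp: unknown public ID or malformed passcode (%v)", err)
	}
	c, err := aes.NewCipher(rec.AESKey)
	if err != nil {
		return t, err
	}
	c.Decrypt(b, b)
	if crc16(b) != 0xf0b8 {
		return t, fmt.Errorf("otp: bad CRC (wrong AES key or altered passcode)")
	}
	copy(t.PrivateID[:], b[:6])
	t.Counter = binary.LittleEndian.Uint16(b[6:]) & 0x7fff
	t.Timestamp = uint32(b[8]) | uint32(b[9])<<8 | uint32(b[10])<<16
	t.Use, t.Random = b[11], binary.LittleEndian.Uint16(b[12:])
	if t.PrivateID != rec.PrivateID {
		return Token{}, fmt.Errorf("otp: private ID mismatch")
	}
	// Replay: the (Counter, Use) pair must be strictly greater than the last one accepted.
	if rec.Seen && (t.Counter < rec.Counter || (t.Counter == rec.Counter && t.Use <= rec.Use)) {
		return Token{}, fmt.Errorf("otp: replayed or stale counter")
	}
	rec.Seen, rec.Counter, rec.Use = true, t.Counter, t.Use
	return t, nil
}

func main() {
	// Constructed registry entry: public ID, AES key and private ID are made up.
	db := map[string]*KeyRecord{"ccccccbchvth": {AESKey: []byte("0123456789abcdef"), PrivateID: [6]byte{0x87, 0x92, 0xeb, 0xfe, 0x26, 0xcc}}}
	otp, _ := GenerateOTP(db["ccccccbchvth"], "ccccccbchvth", Token{Counter: 1, Timestamp: 0x1234, Random: 0xbeef})
	_, first := VerifyOTP(otp, db)
	_, replay := VerifyOTP(otp, db)
	fmt.Println(otp, "first use:", first, "replay:", replay)
}
```

Running it prints a fresh 44-character OTP, a nil error for its first use and a "replayed or stale counter" error for the second submission of the same string. The ordering check is what makes an OTP single-use: a lower session counter, or the same session counter with a use counter that is not higher, is refused even though the passcode decrypts cleanly, and the record is only advanced after every check has passed so a failed attempt cannot burn the user's next OTP.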