Posted Dec 9, 2011 0:49 UTC (Fri) by wahern (subscriber, #37304)
In reply to: Yubikey by Yenya
Parent article: Google Authenticator for multi-factor authentication

Regarding the central authority, it's no different than any other method--the server needs access to the secret (or public key) in order to authenticate. Just put the secret on all the servers.

It doesn't matter if the HOTP counters on the servers become out of sync with each other as long as the counter on the key is monotonically increasing. The servers will fast forward until they find a match (within a configurable limit).

Admittedly you open yourself up to replay attacks. But you're hardly in a worse position than with regular passwords. TOTP is better in this regard, but what matters is how much better HOTP is compared to the baseline.

I pine for the day when my Goldkey USB crypto token works out-of-the-box (or my 10 year old Schlumberger crypto card, for that matter), but that day isn't here yet.

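The resynchronisation and replay behaviour described in the comment above, as an added worked example that is not code from the comment's author, from LWN, or from the Google Authenticator project. It implements RFC 4226 HOTP (HMAC-SHA1 over the 8-byte counter with dynamic truncation) and a minimal per-server verifier with a look-ahead window; the class name `HotpVerifier`, the `demo()` function, the window size of 6 and the two-server scenario are assumptions made for illustration. The secret is the RFC 4226 test-vector key, so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """One server's view of a token: the shared secret, the next counter value
    this server expects, and a look-ahead window for resynchronisation.
    (Assumed structure for the example; not the Authenticator project's API.)"""

    def __init__(self, secret: bytes, window: int = 6):
        self.secret = secret
        self.counter = 0        # next counter value this server will accept
        self.window = window    # how far it will fast-forward to find a match

    def verify(self, code: str) -> bool:
        # Fast-forward through the window; accept the first match and move the
        # server's counter past it.  Anything at or below the old counter is
        # rejected, which is what stops a replay against the same server.
        for candidate in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


def demo() -> dict:
    """Two servers sharing one secret, whose counters drift apart because the
    user logs into them unevenly.  Scenario constructed for this example."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    token_counter = 0                  # the counter kept inside the hardware key
    server_a = HotpVerifier(secret)
    server_b = HotpVerifier(secret)
    results = {}

    # Three logins against server A only: A's counter moves to 3, B's stays at 0.
    for _ in range(3):
        assert server_a.verify(hotp(secret, token_counter))
        token_counter += 1

    # Fourth press (counter 3) is used against server B.  B has never seen
    # counters 0..2; it fast-forwards within its window and accepts the code.
    code3 = hotp(secret, token_counter)
    token_counter += 1
    results["b_resyncs"] = server_b.verify(code3)

    # The same code replayed to B is refused: B's counter is now past 3.
    results["b_rejects_replay"] = server_b.verify(code3)

    # The replay window the comment admits to: A has not consumed counter 3,
    # so a code captured during the login to B is still good against A.
    results["a_accepts_cross_server_replay"] = server_a.verify(code3)

    results["a_counter"] = server_a.counter
    results["b_counter"] = server_b.counter
    return results


if __name__ == "__main__":
    for counter in range(10):
        print(counter, hotp(b"12345678901234567890", counter))
    print(demo())
```

The cross-server replay only works for the window between the user's login on one server and the next login on the other; sharing the counter between servers (or using TOTP, as the comment notes) closes it, at the cost of the central state the original question was about.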


Posted Dec 9, 2011 1:01 UTC (Fri) by wahern (subscriber, #37304)

Has anybody purchased tokens from They're the only seller of single-unit TOTP tokens I have found so far, and other than Goldkey of public-key crypto tokens as well.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds