Add a function to get the public key #18
Comments
Isn't the prefix always the same length? I'm not sure what you mean by "password" in this case.
Perfectly understandable; the technical documentation available at Yubico is really sloppy.
There is also an "Advanced Encryption Standard" option available, which is described within 3.3.
Seeing the coding style, it doesn't hint at perfection...
Without knowing any identifier of the used key, the usage of OTP does not make any sense. Anybody with any valid Yubico key could authorize to a system that should be secured by a second authentication factor. Not comparing the used OTP public ID with the account data stored by your application opens the door for any account to anybody using any OTP public ID. The result is not having a proper second factor. There has to be the possibility to get not only an info about the success of the validation operation but also the used OTP, or better, the used public ID. As long as this issue is not solved, using the API provided by this repo is dangerous!
I created a pull request that adds a simple parsing function to extract the ID.
Actually, it doesn't need to be part of the library, the library consumer can (easily) do this by extracting the 'identifier' part of the OTP provided by the YubiKey, it is a helpful little feature to have though :) |
Perfectly true. I suspect that the API in its current state, combined with the imperfect documentation, misleads devs into not using it properly. On the other hand, an API should provide methods and functionality that mirror the common use cases. Getting the public ID from the result is definitely a common case if the mechanism is used properly.
Currently missing from this implementation of the YubiKey is a function that parses out the public key, commonly used within "two-factor authentication".
It is the first 12 characters of the string, according to the Yubico documentation, and is also known as the "prefix" within the data array of Yubico's own PHP implementation.
With that, don't forget the password. So parsing out the first 12 characters won't work in every situation.
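The two points raised in this thread, extracting the public ID from the OTP (which breaks if the user typed a password in front of it) and refusing the second factor when that public ID does not belong to the account, as an added example. This is not code from the repository or from Yubico; it is a stand-alone Python sketch of what a library consumer has to do. It assumes the YubiCloud layout the thread refers to (a 12-character modhex public ID followed by a 32-character encrypted token, 44 characters total) and treats any characters before those trailing 44 as the password. The `accept_any_wellformed_otp` function is a constructed stand-in for the validation call, deliberately accepting every syntactically valid OTP, to show that the public-ID comparison is what actually binds the token to the account.

```python
import hmac
from typing import Callable, Optional, Tuple

# Modhex alphabet used by YubiKeys (keyboard-layout independent encoding of hex digits 0..f).
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

# Assumption: YubiCloud-style OTP, 12 modhex chars of public ID + 32 modhex chars of token.
PUBLIC_ID_LENGTH = 12
TOKEN_LENGTH = 32
OTP_LENGTH = PUBLIC_ID_LENGTH + TOKEN_LENGTH  # 44


def split_password_and_otp(field: str) -> Tuple[str, str]:
    """Split a login field into (password, otp).

    A user who types "password<touch>" submits the password and the OTP as one string.
    The OTP is always the trailing 44 modhex characters, so slice from the end rather
    than taking the first 12 characters, which would be the password's prefix.
    """
    field = field.strip()
    if len(field) < OTP_LENGTH:
        raise ValueError("input is shorter than a YubiKey OTP")
    otp = field[-OTP_LENGTH:].lower()  # some keyboard layouts yield upper-case modhex
    if any(ch not in _MODHEX_VALUE for ch in otp):
        raise ValueError("trailing %d characters are not modhex" % OTP_LENGTH)
    return field[:-OTP_LENGTH], otp


def public_id_from_otp(otp: str) -> str:
    """Return the modhex public ID (the 'prefix' in Yubico's PHP client) of a bare OTP."""
    if len(otp) != OTP_LENGTH:
        raise ValueError("expected a %d-character OTP" % OTP_LENGTH)
    return otp.lower()[:PUBLIC_ID_LENGTH]


def modhex_to_bytes(text: str) -> bytes:
    """Decode modhex into raw bytes, e.g. to store the public ID in binary form."""
    if len(text) % 2:
        raise ValueError("modhex string must have even length")
    out = bytearray()
    for i in range(0, len(text), 2):
        out.append(_MODHEX_VALUE[text[i]] << 4 | _MODHEX_VALUE[text[i + 1]])
    return bytes(out)


def accept_any_wellformed_otp(otp: str) -> bool:
    """Constructed stand-in for the validation service: returns True for any well-formed OTP.

    This mirrors the thread's concern: a bare 'valid/invalid' answer says the token came
    from *some* YubiKey, not from the one enrolled for this account.
    """
    return len(otp) == OTP_LENGTH and all(ch in _MODHEX_VALUE for ch in otp)


def check_second_factor(field: str,
                        stored_public_id: str,
                        validate: Callable[[str], bool]) -> Tuple[bool, Optional[str]]:
    """Bind the OTP to the account before trusting the validation result.

    Returns (accepted, public_id). Rejects when the public ID in the OTP differs from the
    one enrolled for the account, regardless of what the validation service would say.
    """
    try:
        _password, otp = split_password_and_otp(field)
    except ValueError:
        return False, None
    public_id = public_id_from_otp(otp)
    # Constant-time comparison; both sides are short modhex strings of equal length.
    if not hmac.compare_digest(public_id.encode(), stored_public_id.lower().encode()):
        return False, public_id
    return bool(validate(otp)), public_id


# Constructed sample input (not a real key): public ID "ccccccbcgujh", then 32 token chars,
# typed after the password "hunter2" in the same field.
SAMPLE_OTP = "ccccccbcgujh" + "dfghjklnrtuvcbdedfghjklnrtuvcbde"
SAMPLE_FIELD = "hunter2" + SAMPLE_OTP

if __name__ == "__main__":
    print(split_password_and_otp(SAMPLE_FIELD))
    print(public_id_from_otp(SAMPLE_OTP), modhex_to_bytes(public_id_from_otp(SAMPLE_OTP)).hex())
    print(check_second_factor(SAMPLE_FIELD, "ccccccbcgujh", accept_any_wellformed_otp))
    print(check_second_factor(SAMPLE_FIELD, "ccccccbcgujj", accept_any_wellformed_otp))
```

The enrolled public ID must be stored with the account at registration time and compared on every login; the validation response alone only proves the OTP was minted by some YubiKey whose AES key the service knows.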