> Using something like a Yubikey Nano in HOTP mode is a usability > improvement over these, although you do still need to worry somewhat > about focusing on the text input field, avoiding double taps, etc. I wasn't thinking of the HID mode. I was thinking of the CCID mode where you actually talk to it as a smartcard, which is supported by OpenConnect. So it supports TOTP and can theoretically do OATH with server-supplied challenges. >> I guess so. The advantage however of U2F over HOTP/TOTP is that you >> don't need an additional shared secret with the server. The relation is >> pretty asymmetric as the server only needs to hold your public key >> similarly to ssh. Right. I understand the benefit of it not being a single shared secret. But in many way that is orthogonal to the actual exchange of challenges and responses. > One reason you might not want to leave an HOTP token in the slot is > that somebody could tap the token when you aren't looking and > pre-generate a bunch of tokencodes. i.e. the tokencode doesn't prove > that the hardware token was physically present at the time of the > access request. With OATH (and to a large extent TOTP) it *does*. Those modes aren't available in HID mode though. The device doesn't even have a clock. -- dwmw2
