In the course of fooling around I read that there are some sites that allow using OTP against Yubico’s servers? I didn’t try that.
Yubikeys can indeed also be used with the proprietary “YubiCloud”, a list of 5 servers in various locations in the world. It is also possible to run your own, but I think you need to “reprovision” the Yubikeys then to bind them to your validation servers.
It seems everyone is focusing on either TOTP or U2F for 2FA. Unfortunately Firefox does not (yet) support U2F, and U2F also poses issues for non-browser protocols where you’d need to modify the client to support U2F instead of just accepting keyboard input from the Yubikey. I implemented Yubikey support for OpenVPN, which was rather easy as you just press the Yubikey when selecting the password field when connecting to the VPN, not sure how to support U2F this way without modifying all clients.
Yubikey does not support TOTP because the devices have no internal battery and therefore can’t keep time, which is central to TOTP. They can do counter-based OTP (HOTP), but that’s a pain to use because keys get out of sync (like old RSA SecurID physical tokens).
Well, there is Yubico Authenticator that does support TOTP. You need this “companion” app, which is not great, but it can work.