
I just discovered the YubiKey NEO which seems like a pretty awesome device for maintaining security for a variety of different things including computer login, SSH private keys, GPG private keys, and even password safe applications.

I generally understand how systems like Google Authenticator work, wherein the server and the client share a private key which generates 6-digit number keys based on the current time. This makes sense, as both sides need to compute these values on the fly and verify them. The client generates a key, sends it to the server, and the server computes the key based on the current time; if it matches, a successful login occurs.

However, in other cases, notably in static files like private SSH keys, private GPG keys, and password safes, how would something like the YubiKey NEO assist in being able to unlock the private file? Encrypting these files using a passphrase or using a file as a seed for a passphrase is straightforward, but how would one-time passwords work with this?

My particular use-cases are:

  • Being able to log into my Linux desktop.
  • Being able to further secure my GPG private keys.
  • Being able to further secure my SSH private keys.
  • Being able to further secure my password safe (KeePass, Password Safe, etc.).

1 Answer

The YubiKey NEO is a unique One-Time Authentication device which combines the functionality of a YubiKey Hardware Authentication device with the extended capabilities of a smart card, without requiring additional drivers or software.

The YubiKey NEO has 3 major elements - the first is the YubiKey element, which allows the YubiKey to be used as a configurable hardware authentication device, capable of holding 2 independent configurations. Each configuration can be set to generate codes using the Yubico OTP, OATH-HOTP, a challenge-response configuration or a simple static password. All of the validation server software used to support the YubiKey modes is also open source. In fact, a number of password managers have already integrated the YubiKey into their offerings - https://www.yubico.com/applications/password-management/consumer/

One of your use cases is the requirement to log into your Linux desktop. This can be simply done using the YubiKey and the Yubico PAM module (https://developers.yubico.com/yubico-pam). The same module can also be used to secure your SSH with second-factor authentication as well (https://hak5.org/episodes/hak5-1114).

The second element of the YubiKey NEO is the secure element on the NEO which allows for smart card based functionality, including using the YubiKey NEO as a PIV compliant smart card for holding certificates (https://developers.yubico.com/yubico-piv-tool/doc/YubiKey-NEO-PIV-Introduction.html). Further, the YubiKey NEO has an OpenPGP applet, used to securely hold your private keys on the YubiKey itself, preventing them from being exposed should your system become compromised (https://www.yubico.com/2012/12/yubikey-neo-openpgp).

Finally, the YubiKey NEO is the first device to support the revolutionary new protocol, U2F (https://fidoalliance.org/adoption/video/yubico-fido-alliance-universal-2nd-factor-u2f-demonstration). This next generation authentication protocol looks to provide the security of a smart-card based solution with the ease of integration and support of a traditional hardware authentication token system.

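To connect the answer's challenge-response mode back to the question about static files (a password safe, an encrypted key file), here is an added Python illustration that is not code from the question, the answer or Yubico: the host stores a random salt and a fixed challenge beside the encrypted file, asks the token for the HMAC-SHA1 of that challenge, and mixes the 20-byte response with the stretched passphrase to form the file key. `SimulatedHmacSha1Slot` is a software stand-in for the device slot, and every sample value is constructed.

```python
import hashlib
import hmac

# Constructed sample values so the run is reproducible. On a real token the
# 20-byte slot secret is written once and can never be read back by the host.
SAMPLE_SECRET = bytes(range(20))
SAMPLE_SALT = b"\x01" * 16
SAMPLE_CHALLENGE = b"password-safe-v1"  # stored in clear beside the file

class SimulatedHmacSha1Slot:
    """Software stand-in for a token slot programmed for HMAC-SHA1
    challenge-response: the host can only call respond(), never read the key."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def derive_file_key(passphrase: str, slot: SimulatedHmacSha1Slot, salt: bytes,
                    challenge: bytes, iterations: int = 100_000) -> bytes:
    """Mix knowledge (passphrase) with possession (token response): PBKDF2 stretches
    the passphrase, then the 20-byte response is folded in, so neither factor alone suffices."""
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, iterations, dklen=32)
    response = slot.respond(challenge)
    return hashlib.sha256(pw_key + response).digest()

def make_verifier(key: bytes) -> bytes:
    """Tag stored beside the encrypted file so a wrong key is rejected up front."""
    return hmac.new(key, b"file-key-check", hashlib.sha256).digest()

def unlock(passphrase: str, slot: SimulatedHmacSha1Slot, salt: bytes,
           challenge: bytes, verifier: bytes) -> bool:
    key = derive_file_key(passphrase, slot, salt, challenge)
    return hmac.compare_digest(make_verifier(key), verifier)

if __name__ == "__main__":
    slot = SimulatedHmacSha1Slot(SAMPLE_SECRET)
    tag = make_verifier(derive_file_key("correct horse", slot, SAMPLE_SALT, SAMPLE_CHALLENGE))
    print(unlock("correct horse", slot, SAMPLE_SALT, SAMPLE_CHALLENGE, tag))  # True
    print(unlock("wrong pass", slot, SAMPLE_SALT, SAMPLE_CHALLENGE, tag))  # False
    other = SimulatedHmacSha1Slot(bytes(20))  # different token, same passphrase
    print(unlock("correct horse", other, SAMPLE_SALT, SAMPLE_CHALLENGE, tag))  # False
```

Because the challenge is fixed per file, the response is deterministic and the key can be re-derived on every open; this is why a challenge-response slot, rather than a time- or counter-based OTP, is what fits a static encrypted file.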
  • Is it protected against BadUSB? – Naftuli Kay Oct 14 '14 at 18:35
  • @NaftuliTzviKay of course. –  Nov 27 '14 at 03:38
  • @AndréDaniel How are you sure? – Naftuli Kay Nov 27 '14 at 04:19
  • @NaftuliTzviKay BadUSB exploits a flaw in Phison controllers which allows an attacker to install custom firmware on the device and make it appear as something else like a keyboard (to type in malicious commands). I would expect a security equipment manufacturer to take proper care when designing their devices to avoid leaving such exploits. –  Nov 27 '14 at 10:16
  • 1
    I would also expect that, but I haven't yet seen them confirm that there's no vulnerability. – Naftuli Kay Nov 27 '14 at 18:10
  • 2
    Yubikeys are either non-alterable or configured to only accept signed firmware: https://www.yubico.com/2014/08/yubikey-badusb/ – Jeff Ferland Sep 15 '15 at 14:25
  • Perhaps you should change the part about "open-source" as YubiKey is now fully proprietary. – user1 Mar 07 '17 at 18:26