
Comments (4)

dainnilsson commented on July 27, 2024

The current behavior is actually very much "by design". As this app requires a physical action (tapping your YubiKey against the phone) to generate new codes, it's not possible to automatically roll over to the next codes once the current ones expire. Since it wouldn't be very useful to display codes that are only valid for a few (say, less than 10) seconds, the app instead chooses to generate codes that strictly speaking may not yet be valid, but are not just about to expire. Servers take into account that device clocks are not perfectly synchronized, and for the time needed for the user to input a code, by allowing for codes which are slightly too old, or even slightly too early, to be accepted. We've opted for a "not-strictly-correct" approach which seems to work very well in practice and gives a consistent and useful user experience with the app. While we haven't seen any problems with this approach, please let us know if you've encountered issues with authenticating that are due to this strategy.

from yubioath-android.

dainnilsson commented on July 27, 2024

Closing this issue now, but feel free to re-open it if it is causing problems for you.

from yubioath-android.

mjbnz commented on July 27, 2024

Thank you for the response. That's a fairly elegant way to deal with the intentional design of not automatically cycling to new codes.

However, this has caused me an issue at least once - and only with one site - evernote.com. The others seem to be quite generous as you suggest.

Can I suggest an alternative solution?

  • Display the correct 'current' code
  • Display the correct remaining time with the bar at the top of the screen
  • Roll over once, but only if the time remaining at the time of tap is less than 30% or so.

This assumes that the algorithm for generating codes is contained within the app, and not the key (I am assuming that only the secret key is stored on the yubikey, and it's not a transaction with the app passing a timestamp to the yubikey to have the codes generated and returned?)

Please note that this is not me trying to find a solution for one problematic site (that I barely use anyway), but more to resolve what is to me an ambiguous display of information.

from yubioath-android.

mjbnz commented on July 27, 2024

Just noticed your comment:

"it's not possible to automatically roll over to the next codes once the current ones expire"

In which case my suggested alternative is a non-starter anyway. If in fact what happens is the key is passed a timestamp and it returns codes, kudos - that's a really neat way to securely do it and protect the secret keys.

(However, perhaps two timestamps could be passed? Keep the second result to display n seconds later 😁)

from yubioath-android.
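
As an added illustration of the trade-off discussed in this thread (not code from yubioath-android or from either commenter): a minimal RFC 6238 TOTP sketch in which the client derives its code from a timestamp slightly in the future, checked against a server with and without a tolerance window. The 10-second look-ahead, the function names and the window sizes are assumptions; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def client_code(secret: bytes, now: int, lookahead: int = 10) -> str:
    """Assumed client policy: compute the code for now + lookahead seconds,
    so a tap late in a step yields the *next* step's code."""
    return hotp(secret, (now + lookahead) // STEP)

def server_accepts(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the server's current step or for any step up to
    `window` steps before or after it. window=0 is a strict server."""
    current = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + drift), code)
        for drift in range(-window, window + 1)
    )

def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real credential
    tap = 55                          # constructed time: 5 s left in step 1
    code = client_code(secret, tap)   # belongs to step 2, not yet valid
    return {
        "code": code,
        "tolerant_now": server_accepts(secret, code, tap, window=1),
        "strict_now": server_accepts(secret, code, tap, window=0),
        "strict_after_rollover": server_accepts(secret, code, 60, window=0),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A server that only checks its own current step rejects the early code until the step boundary passes, which is the kind of failure a single strict site would show while tolerant sites accept the same code.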
