OTPs Explained

A Yubico OTP is a 44-character, one use, secure, 128-bit encrypted Public ID and Password, near impossible to spoof. The OTP is comprised of two major parts: the first 12 characters remain constant and represent the Public ID of the YubiKey device itself. The remaining 32 characters make up a unique passcode for each OTP generated.

Example output from a YubiKey where the button has been pressed three times

cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut

cccjgjgkhcbbgefdkbbditfjrlniggevfhenublfnrev

cccjgjgkhcbbcvchfkfhiiuunbtnvgihdfiktncvlhck

The passcode is generated from a multitude of random sources, including counters for both YubiKey sessions and OTPs generated. When a Yubico OTP is verified, the session and OTP counter values are compared to last values submitted. If the counters are less than the previously used values the OTP is rejected. Copying an OTP will not allow another user to spoof a YubiKey — the counter value will allow the validation server to know which OTPs have already been used.

otp_details.png