
I have an automated script getting some data from an internal site. This works fine, but to log in, the user needs to authenticate using a passcode + YubiKey. The user will be running the code on a machine where the YubiKey is plugged into a USB port.

Question is - can I get a response from the YubiKey without the user having to touch it? So, is there some way I can trigger a response from the YubiKey in JavaScript?

JasperD
  • That would be an exploit, so if anyone has an answer please report it to Yubico instead of listing it here. – Dave S May 16 '19 at 19:10
  • It seems like HMAC-SHA1 Challenge-Response, and perhaps OATH-HOTP would be able to do this (assuming the touch policy is set to allow it): https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#HMAC-SHA1_Challenge-Responseh8ezjp – thebjorn May 16 '19 at 19:23
  • JavaScript would not be the way to do it. You'd have to have a helper script written in another language and catch the results with JavaScript somehow. This is much too complicated to be a simple coding question, and this has security implications also. – shadow2020 May 16 '19 at 19:29
  • @DaveS - why though? It's running on the user's computer and would still require the passcode together with the response. Everything in my questions/code would be in a way that the user is aware of this happening by the way. – JasperD May 16 '19 at 19:35
  • @thebjorn - thank you, I'll have a read – JasperD May 16 '19 at 19:37
  • @shadow2020 - gotcha, well, I'll write it off as "not possible" then :) – JasperD May 16 '19 at 19:38
  • `Everything in my questions/code would be in a way that the user is aware of this happening by the way.` -- perhaps for your scripting, but what about malicious scripting that someone else writes, that authenticates without the user realizing it then automatically makes a purchase, adds contacts, scrapes contacts and sends elsewhere, whatever? – Dave S May 16 '19 at 19:54
  • @DaveS fair enough - hadn't thought about that to be honest. However, still needs the passkey and username though? – JasperD May 16 '19 at 19:59

0 Answers