Skip to content

Yubikey OTP Secret

Service Name: Yubico (YubiKey)

Service Description: YubiKey is a hardware authentication device manufactured by Yubico that provides strong two-factor authentication through one-time passwords (OTP). The YubiKey OTP secret is the cryptographic key stored on the YubiKey device that generates one-time passwords.

Service Address: https://www.yubico.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but can be implemented at the service integration level depending on the authentication server configuration.

Secret Access Scope: Grants the ability to generate valid one-time passwords for authentication to services that support YubiKey OTP.

Secret Revokement URL: https://www.yubico.com/support/security-advisories/

Secret Example: vvCCccGGhhTTiiUUjj

Suspicious Activity Investigation Instructions:

  • Check authentication logs for unusual login patterns or locations.
  • Review the YubiKey device's physical security and ensure it hasn't been compromised.
  • Verify if there are any unauthorized authentication attempts using the YubiKey.
  • Check if the YubiKey has been registered to unauthorized services.
  • Monitor for any authentication events that don't correspond to legitimate user actions.

Mitigation Instructions:

  • Immediately deactivate the compromised YubiKey in your authentication systems.
  • Remove the YubiKey from all associated accounts and services.
  • Register a new YubiKey device with fresh credentials.
  • Update your authentication server to reject the compromised YubiKey's OTPs.
  • If using YubiCloud validation service, contact Yubico support to revoke the compromised key.
  • Review and update your security policies regarding physical security of authentication devices.
  • Consider implementing additional authentication factors for sensitive systems.