By: Conan Malone user 26 Jul 2017 at 9:29 a.m. CDT

1 Response
Conan Malone gravatar
I was just wondering what approach would be best to allow Yubikeys to generate OTPs (HOTP based) to authenticate against Gluu? By using the Yubikey Customization Tool I can generate a unique seed (or secret key) that can then be used to determine if the Yubikey has produced the correct OTP but my understanding is that the custom OTP script is only compatible with Google Authenticator (or equivalent mobile app)... I also understand that U2F is very similar to what I am asking but I would just like the option of being able to generate a string that can be used as the OTP as some browsers aren't compatible with U2F (also doesn't work within remote desktop)

By Michael Schwartz staff 27 Jul 2017 at 1:22 p.m. CDT

Michael Schwartz gravatar
We include a [script for Yubicloud](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/yubicloud), which I think verifies the OTP code. Also, there are some open source yubikey validation servers: * [yubico yuvikey-val](https://github.com/Yubico/yubikey-val) * [yubikeyedup](https://github.com/scumjr/yubikeyedup) * [node-yubikey](https://github.com/jedp/node-yubikey) There is also a [python](https://github.com/Kami/python-yubico-client) and [java](https://github.com/Yubico/yubico-j) validation library, either of which could be incorporated directly into an authentication script. If you have some budget, we'd be happy to manage a bounty on this feature. One of our subcontrators would surely take it on.