Securing OATH secrets on Android
January 16, 2013 | Yubico Team
Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, the secrets used to generate One Time Passcodes (OTP) in Google Authenticator. The production YubiKey NEO is the perfect companion to Android devices with NFC support. When you hold your YubiKey NEO against the back of the Android device (such as the Nexus 4 from Google), Android apps can use the YubiKey NEO’s challenge-response capability to generate an Open AuTHentication (OATH) time-based OTP – such as those used by Google Apps and Dropbox. We have created a sample Android app to show this. [Update] Take a look at the video here.
When you first enable 2-step verification on Google Apps or on Dropbox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs. Our YubiTOTP Android app reads this code (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration. The secret cannot be read back out of the YubiKey NEO. Instead, the app sends the current UNIX time to the YubiKey NEO as the challenge (over NFC or via the USB connector), and truncates the HMAC response to produce the OTP – which is displayed on the screen or can be put on the clipboard.
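As an added illustration (not the YubiTOTP app’s own code, which is Java for Android), here is the split the post describes, in Python: the secret is pulled out of the otpauth:// provisioning URI once at enrolment, a stand-in class plays the role of the NEO slot that holds the secret and answers HMAC-SHA1 challenges, and the phone side builds the time-based challenge and truncates the response to six digits. The URI, secret and class name are constructed for the example (the secret is the RFC 6238 reference value), not values from the post.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI in Google Authenticator key-URI format; the base32
# secret decodes to the RFC 6238 reference key "12345678901234567890".
RFC6238_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Enrolment step: extract the raw shared secret from the QR code's otpauth URI.
    This runs once; the result is written to the key's slot and then discarded."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding that issuers often strip
    return base64.b32decode(b32)


class HmacSha1Slot:
    """Stand-in for a YubiKey NEO slot configured for HMAC-SHA1 challenge/response.
    The phone only ever calls respond(); it has no way to ask for the secret back."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # lives only inside the 'key'

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def totp_from_slot(slot: HmacSha1Slot, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Phone-side half: build the RFC 6238 time counter as the challenge, let the key
    compute HMAC-SHA1 over it, then apply RFC 4226 dynamic truncation."""
    challenge = struct.pack(">Q", unix_time // step)  # 8-byte big-endian counter
    mac = slot.respond(challenge)                       # secret never leaves the slot
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    slot = HmacSha1Slot(secret_from_otpauth_uri(RFC6238_URI))
    print(totp_from_slot(slot, int(time.time())))
```

With the RFC 6238 reference secret, UNIX time 59 yields 287082, matching the published SHA-1 test vector.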
If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!
[Update] We have enhanced the app to include a re-sizable home screen widget – just tap the YubiKey icon; it prompts you to swipe your YubiKey NEO and then displays the 6-digit OATH code on the icon.
Download the app here. Let us know what you think…
Want to install it directly to your Android Device? Download the .apk file here.