Background

Based on customer feedback, Yubico has improved the validation server protocol and implementation to avoid a single point of failure, reduce network delays and improve availability.

 This page will give you an overview of the new system, a comparison with the old one and instructions on what you need to do to take advantage of the new architecture.

How does the new system work?

Yubico now operates multiple validation servers in different geographical locations. Clients will query all servers in parallel and wait for answers. Servers will not respond positively until it has synchronized the new OTP counter with the other servers, and the client will wait until it has received one positive response (i.e., OTP is valid) or until it has received one negative response (i.e., OTP is replayed).

 To support the replicated architecture, the client protocol has changed slightly: a new parameter “nonce” needs to be generated and supplied by the client. The validation protocol specification has been updated.

Here is an illustration of the new architecture:

What is the difference compared to the old system?

Earlier, Yubico only operated one master validation server (api.yubico.com). All clients talked to it. If the master server was down, no client would be able to verify their OTPs. The new system consists of five systems, api.yubico.com is one of them, but there are four new servers api2.yubico.com to api5.yubico.com.

Will old clients stop working?

Old clients will continue to work fine. Our master server api.yubico.com supports both the old and the new protocol. Of course, old clients will not get the benefits from the new system.

What benefits do I get by upgrading?

Your system will continue to work (i.e., validate YubiKey OTPs) even if some of our servers are down for maintenance or due to network outages.

How do I upgrade?

If you used one of the existing web service clients you need to upgrade to its latest version. Currently only the PHP client has been updated.

 If you implemented the web service API yourself, you need to modify your implementation. Compare the documentation for the version 1.0 validation protocol with the version 2.0 validation protocol. 

If you maintain one of the free software clients that talks to our validation server, we encourage you to update it! To give you more of an incentive, Yubico will give you a gift of five free YubiKeys if you make a public release of a web service client that supports the new validation server protocol properly (i.e., parallel queries and either HMAC or HTTPS security support).

Contact simon@yubico.com to claim your reward!