Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, those used to generate One Time Passcodes (OTP) from Google Authenticator.  The production YubiKey NEO is the perfect companion to Android devices with NFC support.  By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android Apps can use the YubiKey NEO’s challenge response capability to generate an Open AuTHentication (OATH) time based OTP – such as those used by Google Apps and Dropbox.  And we have created a sample Android App to show this.  [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.


When you first enable 2-step verification on Google Apps or on DropBox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs.  Our YubiTOTP Android App reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration.  The secret can not be recovered from the YubiKey NEO, however, UNIX time can be sent to the YubiKey NEO (over NFC or via the USB connector) and the result truncated by the App to produce the OTP – which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!

[Update] We have enhanced the app to include a re-sizable home screen widget – just tap on the YubiKey icon and prompts you swipe your YubiKey NEO and displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.

5 responses to “Securing OATH Secrets on Android”

  1. teddy says:

    very good idea.
    One of the best NFC use

  2. JB says:

    “If you loose your Android Phone”

    LOOSE? Really? How do you “loose” your phone? Umm, how about “LOSE” ?

  3. David Maples David says:

    Thanks for pointing that typo out – fixed!

  4. Callum says:

    Very interesting. Does the YubiTOTP app allow me to program the YubiKey over NFC? Will it allow me to choose which slot to use?

    PS> Be great if you had a subscribe to comments plugin installed on the blog so I could receive email notifications of replies… 🙂

  5. Klas Lindfors Klas says:

    Yes, the app allows programming a slot with an HMAC-SHA1 credential over NFC. And Yes, you can choose which slot to put it in.

    Thank you for the suggestion, we’ll take it under consideration.