Add OATH-HOTP support

DrOteonu · March 9, 2021, 8:56pm

Does OnlyKey support OATH-HOTP? I searched throughout the complete site, and only could find OATH-TOTP.

Thanks in advance

t11 · March 9, 2021, 9:23pm

No two factor methods supported are TOTP, Yubikey OTP, and FIDO2

DrOteonu · March 10, 2021, 3:32pm

That is a pity! And quite a disappointment. I bought the onlykey because it seemed to support almost all prevalent authentication protocols. At my university OATH-HOTP is used for all online services, and I need to login a lot being a lecturer…

About the future: it it expected to be added? Is it a matter of a firmware upgrade, or does it require hardware changes to the onlykey?

t11 · March 10, 2021, 3:51pm

It is not an expected feature. We do not support this as its so rarely used, that is very interesting that your university uses HOTP for all online services, I have never seen it deployed widely like that. Usually TOTP is used.

Added this thread to feature requests. If there are is wide interest in this feature we would consider adding it. If anyone else is interested please like post here.

DrOteonu · March 10, 2021, 4:46pm

Ah, it is utrecht university, the 2nd largest Dutch university.

They use OATH-HOTP for everything, since january 2021. If you support it, you have 37,000 additional potential users (30,000 students, 7000 employees).

Mango_Mungo · March 10, 2021, 6:53pm

I am amazed that a UNI in 2021 will introduce this old, unsecure standard. yubico: What are the drawbacks of HOTP?
TOTP, U2F and especially WebAuthn (FIDO2) is the way to go 2021.

And of course sk-ssh-ed25519 for terminal login. Longingly awaiting Debian Bullseye release to upgrade my servers.

DrOteonu · March 12, 2021, 5:15pm

If that is true, that is indeed remarkable. Thanks for the link.

youngwitches69 · May 12, 2021, 7:27pm

No, it would only require some minor changes to the firmware and the OnlyKey apps.

bruscinodf · January 30, 2023, 3:51pm

Do you have any ETA for the OATH-HOTP support?

t11 · January 30, 2023, 5:54pm

We do not plan to support as OATH-HOTP is not recommended for security reasons.

bruscinodf · January 31, 2023, 8:02am

@t11 I see your point but many platforms support HTOP and not requiring a clock it could work also on computers without the OnlyKey app.
Moreover many competitors support it, i.e. the YubiKey 5 Nano FIPS that is FIPS 140-2 validated (Yubico YubiKey 5 Nano FIPS | NIST Validated Security Key | USB-A).
You product is powerful and I could contribute to your open source project to add this feature, WDYT?

t11 · January 31, 2023, 2:24pm

If you would like to contribute this feature to the firmware we may be able to add this feature to the firmware and configuration via the OnlyKey CLI. It would require additional changes to add to the OnlyKey App.

Topic		Replies	Views
Issue(s): Yubikey OTP Functionality Not Working As Expected & Support on Ubuntu 18.04 Cannonical	2	618	February 2, 2021
Onlykey will not register/recognize as Yubikey	6	620	May 9, 2021
Newbie question about 2FA Two Factor Authentication	1	310	August 16, 2021
Any chance of tutanota mail support	1	195	May 3, 2022
Lastpass and Yubico OTP Two Factor Authentication	7	485	December 9, 2022

Add OATH-HOTP support

Related Topics