Coding: Who said "one time pad"? As you say, that's impossible (without eventually using up the limited amount of authentication data on the device). Granted, you can only have so much entropy, but... well, that's getting off-topic.
This is more like a hash between some private data stored on the device in a non-retrievable manner and the current time. That's how a naive implementation (like the one I built 15 years ago) would work, anyhow; this is by well-respected folks who've been in the business for years (and who've been collaborating on standards that some big names -- Google and such -- have signed on to). Inasmuch as I can trust anyone's work without directly reviewing it / reading the papers, YubiKey are folks who are pretty well trustworthy.
CharlesDuffy: I apologize! You are right. I read "one time pad" instead of "One-Time Password". Makes a lot more sense...
So a user can use the same password multiple times without others noticing it.
Off topic:
if Google signs up, the NSA seems to be fine with it...
Maybe it is better if Google does not sign up? :D
Coding: Not just not noticeable, but not reusable (beyond a window), since the current time is part of the hash. (Alternate schemes rotate based on number-of-uses, rather than by time).
On the other topic -- just because the NSA has compromised links between Google's datacenters doesn't mean Google is okay with that. Quite the contrary, rather.