id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc
729	Check YubiKey password before user password	Nicklas Nordborg	Nicklas Nordborg	"In the current implementation we first check if the regular user password is correct or not. If it is not correct, an error message is displayed and the !YubiKey OTP is never checked. This means that we are left with a valid !YubiKey OTP not accounted for that could potentially be snapped up and used by someone else. OK, this is not as bad as it first sounds since !YubiKey keeps track of the sequence of generated OTPs. E.g., an unused OTP becomes invalid as soon as a new OTP has been generated and validated against the server."	enhancement	closed	critical	YubiKey v1.2	net.sf.basedb.yubikey	fixed		