[kelnage]

[-You would be correct if-] It seems you are correct when the protocol works as described in the parent comment.

[-But it so happens that the-] Of course in OTP mode, the YubiKey protocol protects against replay attacks by using a counter on the YubiKey. This (authenticated) counter value is included in the messages that are exchanged during the authentication - and hence any replays can be detected/ignored as the counter value will be less than or equal to the last received counter value.

Edit (deletions marked with [- -]): I had no idea people used modes other than OTP with their YubiKey...

[cromantin]

Unfortunately parent is right. What you describe is using generated one time passwords. But there is no way (to my knowledge) to incorporate 2nd string into it.

Ex: right now - myPass<boop the yubikey><long password from yubikey followed by linefeed>

with otp - myPass<boop><hashed and signed one time password that no nothing about myPass>

[kelnage]

Wow, I had no idea YubiKey offered that mode of operation. I had assumed it was purely used as a OTP. Do you know of any documentation for it?

[cromantin]

This was like 6 years ago :) If i remember correctly it was https://www.yubico.com/wp-content/uploads/2015/11/Yubico_Whi...

I had a blog post some time ago - https://varamashvili.blogspot.com/2012/09/using-yubikey-with...

I should note that currently i'm thinking to migrate to OTP and use brain-string (password that i remember) for filevault and mac login. I will try using OTP for sudo, maybe keychain, will try to add gpg subkey there and see how it'll go.