Yubikey Token

class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)

The Yubikey Token in the Yubico AES mode.

Create a new token object.

Parameters: db_token (Token) – A database token object

Returns: A TokenClass object

classmethod api_endpoint(request, g)

This provides a function to be plugged into the API endpoint /ttype/yubikey, which is defined in api/ttype.py.

The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html

Parameters:

  • request – The Flask request

  • g – The Flask global object g

Returns: Flask Response or text

Required query parameters:

  • id – The id of the client to identify the correct shared secret

  • otp – The OTP from the yubikey in the yubikey mode

  • nonce – 16-40 bytes of random data

Optional parameters h, timestamp, sl, timeout are not supported at the moment.

check_otp(anOtpVal, counter=None, window=None, options=None)

Validate the token OTP against a given OTP value.

Parameters:

  • anOtpVal (string) – the OTP value to be verified

  • counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value

  • window (int) – the counter + window. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value

  • options (dict) – the dict, which could contain token specific info

Returns: the counter state or an error code (< 0):

  • -1 if the OTP is old (counter < stored counter)

  • -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token)

  • -3 if the CRC verification fails

Return type: int

check_otp_exist(otp, window=None)

Checks whether the given OTP value belongs to this very token. This is used to autoassign and to determine the serial number of a token.

static check_yubikey_pass(passw)

If the token has a PIN set, the user must also enter the PIN for authentication!

This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 (of 48) characters are the token id, which is stored in the tokeninfo yubikey.tokenid or the prefix yubikey.prefix.

Parameters: passw (string) – The password that consists of the static yubikey prefix and the OTP

Returns: True/False and the User object of the token owner

Return type
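The following is an added example, not privacyIDEA's own code, showing the verification steps that api_endpoint, check_otp and check_yubikey_pass describe: ModHex decoding of the 44- or 48-character password into prefix and OTP, the Yubico CRC-16 residue check, the private uid comparison, the monotonic counter comparison that yields the -1/-2/-3 codes, and a Validation-Protocol-shaped reply with id, otp and nonce as required parameters. The OTP block layout follows Yubico's published format. The AES-128-ECB decryption step is injected as a callable (the deployment's AES library would supply it); the token store TOKENS, the null_decrypt null cipher, the combined session-counter/session-use counter, the owner name and all token values are constructed assumptions for the demo.

```python
"""Added example, not privacyIDEA's own code: the verification steps behind
api_endpoint, check_otp and check_yubikey_pass, written against Yubico's
published OTP block layout (6-byte private uid, 2-byte session counter LE,
3-byte timestamp LE, 1-byte session use, 2-byte random, 2-byte CRC-16 LE).
AES-128-ECB decryption is injected as a callable (assumption); the demo uses
a null cipher and constructed token data so it runs offline."""
import hmac
from typing import Callable, Dict, Optional, Tuple

MODHEX = "cbdefghijklnrtuv"   # Yubico ModHex alphabet; index == nibble value
CRC_OK_RESIDUE = 0xF0B8       # CRC-16 over all 16 bytes, CRC field included
TOKENS: Dict[str, dict] = {}  # constructed store: ModHex prefix -> token record


def null_decrypt(block: bytes) -> bytes:
    """Demo stand-in for AES-128-ECB decryption with the token's key."""
    return block


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not ModHex")
    n = [MODHEX.index(c) for c in s]
    return bytes(hi << 4 | lo for hi, lo in zip(n[::2], n[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def yubico_crc16(data: bytes) -> int:
    # Yubico's CRC-16 (same as the PPP FCS-16): poly 0x8408, init 0xFFFF
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_block(private_uid: bytes, session: int, use: int) -> bytes:
    """Constructed plaintext block (what AES would decrypt to) for the demo."""
    body = (private_uid + session.to_bytes(2, "little")
            + (0x010203).to_bytes(3, "little") + bytes([use])
            + (0xBEEF).to_bytes(2, "little"))
    crc = yubico_crc16(body) ^ 0xFFFF     # complement is stored, low byte first
    return body + crc.to_bytes(2, "little")


def check_otp(otp: str, private_uid: bytes, stored_counter: int,
              decrypt: Callable[[bytes], bytes]) -> int:
    """Return the new counter (>= 0) or the codes check_otp documents:
    -3 CRC failure, -2 private uid mismatch, -1 old or replayed OTP."""
    try:
        block = decrypt(modhex_decode(otp)) if len(otp) == 32 else b""
    except ValueError:
        return -3
    if len(block) != 16 or yubico_crc16(block) != CRC_OK_RESIDUE:
        return -3                          # wrong key or tampered OTP
    if not hmac.compare_digest(block[:6], private_uid):
        return -2
    session = int.from_bytes(block[6:8], "little")
    counter = (session << 8) | block[11]   # assumption: session<<8 | session use
    if counter <= stored_counter:          # an equal counter is a replay, reject it too
        return -1
    return counter


def _verify(passw: str, decrypt: Callable[[bytes], bytes]) -> Tuple[int, Optional[dict]]:
    """Prefix is the first 12 of 44 or 16 of 48 chars; the last 32 are the OTP."""
    if len(passw) not in (44, 48):
        return -3, None
    token = TOKENS.get(passw[:-32])
    if token is None:
        return -3, None
    result = check_otp(passw[-32:], token["private_uid"], token["counter"], decrypt)
    if result >= 0:
        token["counter"] = result          # persist the new high-water mark
    return result, token


def check_yubikey_pass(passw: str, decrypt: Callable[[bytes], bytes]) -> Tuple[bool, Optional[str]]:
    result, token = _verify(passw, decrypt)
    return (result >= 0), (token["owner"] if result >= 0 else None)


def validate_endpoint(args: Dict[str, str], decrypt: Callable[[bytes], bytes]) -> Tuple[int, str]:
    """Validation Protocol V2.0 shaped reply for /ttype/yubikey: key=value lines."""
    def reply(status: str) -> Tuple[int, str]:
        lines = [f"otp={args.get('otp', '')}", f"nonce={args.get('nonce', '')}",
                 f"status={status}"]
        return 200, "\r\n".join(lines) + "\r\n"
    for key in ("id", "otp", "nonce"):     # required; h/timestamp/sl/timeout ignored
        if not args.get(key):
            return reply("MISSING_PARAMETER")
    if not 16 <= len(args["nonce"]) <= 40:
        return reply("MISSING_PARAMETER")
    result, _ = _verify(args["otp"], decrypt)
    return reply("OK" if result >= 0 else "REPLAYED_OTP" if result == -1 else "BAD_OTP")


if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")    # constructed private uid
    TOKENS["cccccccccccc"] = {"private_uid": uid, "counter": 0, "owner": "alice"}
    passw = "cccccccccccc" + modhex_encode(build_block(uid, 5, 2))
    print(check_yubikey_pass(passw, null_decrypt))   # (True, 'alice')
    print(check_yubikey_pass(passw, null_decrypt))   # (False, None): replay
```

The CRC is checked before the uid so that a block decrypted with the wrong key or a tampered OTP never reaches the comparison, and an OTP whose counter equals the stored one is rejected as a replay rather than accepted as "not old". The stored counter is only advanced after a successful check, which is what makes the second use of the same password fail.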


static get_class_info(key=None, ret='all')

Returns a subtree of the token definition.

Parameters:

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns: the subsection if key exists, otherwise the user defined default

Return type


static get_class_prefix()

static get_class_type()

is_challenge_request(passw, user=None, options=None)

This method checks whether this request triggers a challenge.

Parameters:

  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – The user from the authentication request

  • options (dict) – dictionary of additional request parameters

Returns: True or False

update(param, reset_failcount=True)

Update the token object.

Parameters: param (dict) – a dictionary with different params like keysize, description, genkey, otpkey, pin