Add keyboard input method to paste OTP directly

[jas4711]

One idea is that if we make this app an keyboard input method, it would be able to paste OTPs directly into where the cursor is when the YubiKey NEO is swiped against a device.

[dainnilsson]

Unfortunately this isn't very straight forward at all. To be able to inject text the app has to be the default input method for the device. It seems unlikely that users will want to switch from the keyboard of their choice to use YubiClip as a keyboard, and we're not interested in writing an Android keyboard ourselves.

An alternative may be to trigger some sort of OTP Intent when the YubiKey is scanned, and any keyboard that wishes to may receive that intent together with the OTP. The keyboard can then output the OTP as text. Of course, this will require convincing the keyboard vendors to implement support for this.

[github-0]

Yubiclip copies the OTP to clipboard - are you saying it can't then paste it to where the cursor is placed?

[jas4711]

Yes, we have not found any reasonable mechanism to paste text to where the cursor is in android. The only mechanism we have identified is to implement an input method, but it has usability issues.

If you or anyone knows of other ways to paste characters in android, that would be useful information! There must be a simpler way.

[dainnilsson]

Just to clarify, using the regular paste functionality in Android works. The problem with this is that Android "helpfully" inserts a space before the pasted text. See issue #2 for more information.

[github-0]

I'm guessing that's only a problem when user password and OTP is typed to the same field.

Actually I stumbled here after trying to get the Neo to use static password through NFC. First of all it looks like static password with NFC simply doesn't work (input is gibberish). Secondly, I read that any application can read the Android clipboard, making this method unsecure. Shame.

[LeeteqXV]

Surely the Android devs are aware of these problems? Seems that there is a need for a collaboration with them to solve this, given the time since this issue was first opened.

Google is at the forefront of two-factor/multi-factor security, just have a look at their "forgotten password" process which is quite elegant. They "get" that static passwords are probably not going away, and thus becoming more and more important to secure. With their existing relationship with Yubico, some people "over there" must be aware of this problem.

Now that U2F/Two-factor authentication is finally getting traction, we are starting to shift over to Multi-Factor authentication as more and more people and operators are starting to realize that we will need static passwords AS WELL in multi-factor setups (plus more factors such as biometrics).