Yes, with a keylogger watching you you’re typically pretty f-ed. Though that’s also one of the reasons using a physical FIDO token as a second factor is a good idea, since the keylogger isn’t going to be able to steal your private key off the hardware token, unlike for TOTP.

Though that also begs the question, if I can get a keylogger onto your device, why wouldn’t I try to implant something slightly more capable?

> since the keylogger isn’t going to be able to steal your private key off the hardware token, unlike for TOTP

How? I mean how can keylogger get the secret from which TOTPs are being generated?

And why wouldn't some other malware won't be able to read whatever data hardware token inputs? I'm myself yubikey user and would like to know in what ways it is more secure than TOTP, even in the scenario when my workstation gets compromised.

I assumed if someone can install something on my computer, I'm toast.

> How? I mean how can keylogger get the secret from which TOTPs are being generated?

Since it’s time based with a 30 second window, you don’t need to know the secret, you just need to be able to repeat the code as it is typed. It takes more effort because it has to be done in real time, but 30-ish seconds is pretty doable.

> And why wouldn't some other malware won't be able to read whatever data hardware token inputs? I'm myself yubikey user and would like to know in what ways it is more secure than TOTP, even in the scenario when my workstation gets compromised.

The way (most) hardware tokens work, including the Yubikey, the private key is generated on the key and it never leaves the key. When the FIDO challenge/response happens, you relay the server’s challenge to the Yubikeu, it does the private key operation with the onboard chip, and sends back the response for you to relay back to the server. Done this way, your computer never needs to know the private key, but you can still prove you physically own it, which is what the server is trying to verify.

That said, just because they can’t steal your Yubikey’s private key, doesn’t mean they can’t take the bearer token from your computer. In general if your device is compromised it’s game over anyway.

I see private key within Yubikey the same as TOTP secret. Ok, for TOTP it is stored on host, but as you said: "you don’t need to know the secret"

When I press button on yubikey, it pastes some jibberish - way more than 6 chars, but can't THAT token be re-used?

Okay, browsers have some integrations with this stuff so it is not always some kind of a web form where that goes into, so could be a bit more secure.

I'm no security expert, I'm just thinking out loud and hoping someone educate me :)

Yeah, the end result (whatever header value or cookie in browser) is still readable by malware.

> When I press button on yubikey, it pastes some jibberish - way more than 6 chars, but can't THAT token be re-used?

Just to be clear, that's not related to FIDO which I was originally talking about. That's one of the extra OTP features that most Yubikeys come with, but it's unrelated to the Yubikey's FIDO capability.

Assuming that they're the standard SHA-1/30sec TOTP and the keylogger is smart enough to store it, at least two 6-digit codes and their approximate time (https://www.unix-ninja.com/p/attacking_google_authenticator).