Is there a way to require Yubikey authentication in addition to the Drupal Username and Password? I want the use of Yubikey to be the only way a user can authenticate.

It appears that using the Yubikey module gives you the option to sign in using just your OTP, but your Drupal Username and Password without the Yubikey OTP will still log you in through the default authentication.

Any thoughts or suggestions?

Thanks in advance.

Comment | File | Size | Author
#7 | yubikey_2factor.tar_.gz | 12.75 KB | toddejohnson

Comments

akrywko’s picture

"I want the use of Yubikey to be the only way a user can authenticate."

I second this.

imb123’s picture

I was hoping the yubikey could be required in addition to the drupal username & password for increased security. Does anyone still maintain this module?

ClearXS’s picture

Should be merged with Swekey USB key authentication? - http://drupal.org/project/swekey

But I see one has to buy the USB for $20 and that is a big problem for 3rd world countries and (low income) student activists...

Maybe then integrate with other log in security modules?

I see that Safer Login currently is maintained - http://drupal.org/project/safer_login

rubinj’s picture

Version: 6.x-1.0-beta2 » 6.x-1.x-dev
Assigned: Unassigned » rubinj

I am sorry that I didn't see this issue, guys.

1. There is currently a setting to require a password in addition to the yubikey, but not to require the yubikey in addition to the password. Basically, this allows for user selection via yubikey, but nothing else. I will look into making a two-factor login requirement. To add the ability to require a password if the yubikey login is used, go to /user//yubikey

2. I will also investigate a way to disable username/password logins if yubikey is enabled.

3. I don't think this should be merged with USB authentication, as the mechanisms are quite different.

rubinj’s picture

Category: support » feature

toddejohnson’s picture

This is a must for me. I'm not using the Yubikey for quick logins; I'm using it for its added security. What is the point in spending the money and time to do hardware authentication when it can be bypassed and a hacker can brute force the password? There would be a security improvement by just disabling password auth and going Yubikey only, but I prefer two factor.

Also I would like to hide as much as possible that the Yubikey module is installed. This provides a security by obscurity layer so script kiddies can't just add an if yubikey.js then brute force yubikey.

I was thinking about hacking this myself into a simple module, but had too many questions and was going to look into it at DrupalCon Chicago.

I was looking at safer_login module and in its code they bypass the login. Check out safer_login_form_alter and safer_login_validate from safer_login.module; that was going to be my starting point.

I agree that this can't be merged; its Yubico OTP implementation is too unique.

Right now I'm too busy to hack on this. Will probably be two weeks or more until I can. I would love to help test and will patch when I can.

toddejohnson’s picture

Status: new, Size: 12.75 KB

I hacked at your module, but it ended up being a fork as it lost compatibility and functionality to meet my goals. Would you be interested in a sub-module? I would be happy to maintain it.

It hides every trace but the access denied errors when trying to access user/123/yubikey_2factor or admin/settings/yubikey_2factor. Removes all hidden yubikey references in the code to anonymous users.

Totally overrides the login validation allowing it to check if the user has a yubikey registered and forcing them to use it if they have one. When installed it breaks every other login related module, but in many installs I can think of this would be desired as it improves the security of the content of the site.

Once configured, log in with your username and for the password enter your-password:your-yubikeyOTP (forgot to include in this readme).

Still todo:
* Allow configuration of help text shown to users when adding yubikey. If employees need to go to the help desk to get a yubikey they can include that there without code changes.
* Allow multiple users to use the same yubikey
* Requires yubikeyid-uid@yubikey_2factor to keep unique on authname in authmap table functional so admin and a user can share a yubikey, ideally with a different password. This will keep me from carrying more than one which although less secure keeps my keyring light and small.
* Format the authmap like yubikeyid@yubikey_2factor or similar to keep proper use from http://drupal.org/node/920908

I hope to finish my todo list in the next few days but please give me your thoughts. I will create a new issue for submodule when it is ready and better tested. Would this start to help fix the require OTP?
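
The login rule described in the comment above (an account with a registered key must submit password:OTP, other accounts keep password login), as an added example that is not code from the attached module or from anyone in this thread. It is a language-neutral Python sketch; `check_password`, `verify_otp`, the `yubikey_id` field and the sample values are assumptions, as is the standard 44-character Yubico OTP with a 12-character public ID.

```python
import hmac
import re

# Standard Yubico OTP layout: 12 modhex chars of public ID, then 32 of ciphertext.
OTP_RE = re.compile(r"[cbdefghijklnrtuv]{44}")
PUBLIC_ID_LEN = 12

def split_secret(field):
    """Split 'password:OTP' on the LAST colon, so the password may contain colons."""
    password, sep, tail = field.rpartition(":")
    tail = tail.strip().lower()
    if sep and OTP_RE.fullmatch(tail):
        return password, tail
    return field, None

def authenticate(user, field, check_password, verify_otp):
    """Return True only if every factor this account requires is satisfied.

    check_password(user, password) and verify_otp(otp) are hypothetical callbacks:
    the site's password check and a Yubico validation lookup (which rejects replays).
    """
    key_id = user.get("yubikey_id")
    if key_id is None:
        # No key registered: plain password login, the whole field is the password.
        return check_password(user, field)
    password, otp = split_secret(field)
    if otp is None:
        # Key registered but no OTP supplied: a correct password alone must fail.
        return False
    if not hmac.compare_digest(otp[:PUBLIC_ID_LEN], key_id):
        # OTP came from a key that is not bound to this account.
        return False
    # OTP first: without a fresh OTP the password is never tested, so the
    # form gives no password oracle for key-protected accounts.
    return verify_otp(otp) and check_password(user, password)

# Constructed sample data (not real credentials or a real key ID).
ALICE = {"name": "alice", "yubikey_id": "cccccccccccb"}
BOB = {"name": "bob", "yubikey_id": None}
SAMPLE_OTP = "cccccccccccb" + "defghijklnrtuvcb" * 2

def demo_check_password(user, password):
    return password == {"alice": "pa:ss", "bob": "hunter:2"}[user["name"]]

def demo_verify_otp(otp):
    return otp == SAMPLE_OTP  # stand-in for the validation service

if __name__ == "__main__":
    print(authenticate(ALICE, "pa:ss:" + SAMPLE_OTP, demo_check_password, demo_verify_otp))
    print(authenticate(ALICE, "pa:ss", demo_check_password, demo_verify_otp))
```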

toddejohnson’s picture

Status: Active » Closed (duplicate)

Look at #1055686: Merge with YubiCo Project. It does exactly what you want, just needs merged. I'm marking this as a duplicate as the merge will fix this issue.