I have a question about the security of Yubikey + Password Safe. I have been reading on this forum and the Yubico forum and I am trying to understand how the challenge response process works in Password Safe.
When Yubikey sends the hash-based message authentication code (HMAC) back to Password Safe, is this code always the same? Or is there some randomness in the process (such as a counter or a random number)?
If the HMAC is always the same, and Yubikey is basically a USB keyboard, isn't the HMAC vulnerable to keyloggers?
If you do have a keylogger on your PC and if the above is true, it is safe to assume that your master password has been compromised, too.
In other words, can an attacker access a locked database without having the physical object of Yubikey in his hand?