"Passcode has already been used."


This post is a follow-on to this one, in case you need some history.

I’ll try to keep this short and sweet. So… I had my university ITS program the second slot on my Yubikey Plus (you might not be familiar with that model, but it dates from roughly 2014 and supports OTP and U2F). The Duo-based university central auth system supports Yubikey OTP. After my token was programmed and registered, I tried it out. The first login, it worked like a charm. The second time, I get a message:

This passcode has already been used. Please generate a new passcode and try again.

Tried different browser and different university web site to login to, and keep getting this error.
University ITS says they can’t help me now - don’t know what’s wrong and can’t be bothered to find out, because they are basically doing me a favor by letting me bring my own token, whereas normal policy is to only sell tokens that they buy from Yubico and program fresh for users who need them.

Forum, you are my last hope :slight_smile: Unless you can tell me how to tell them how to fix this problem, I’m probably stuck continuing to use the phone app for 2FA, which is a hassle for anyone accustomed to hardware tokens. I realize that it might ultimately be related to the fact that my Plus is so old that something has changed, and it just won’t work no matter what. But not gonna buy a new token from them, because they have a bunch of Y4s that they probably won’t run out of for quite a while. At least if they were selling the new Y5s for the same price, I would consider it :slight_smile: Thanks for reading.


If you open some text editor and tap the key a few times, is it outputting unique 44 char OTPs?


Hi again :slight_smile: Yes… it is outputting what look like always-differing strings of lower-case letters (and only lower case letters), length 44. They appear random, but on closer inspection, there is a 12-byte prefix at the beginning that never changes.
And to be absolutely accurate, it’s not when I tap the key, but hold it for 1-2 seconds, because I was told that the second slot is being used.


I’m at a loss… it sounds like it was programmed the right way for OATH-HOTP. If you could convince ITS to initiate a case our support team could take a look. :frowning:

(the static 12 char prefix is expected)


:worried: OK, I’ll talk to them about opening a case… thanks again.