| Subject: | internal checks break YubiKey's dvorak support |
When a user has a YubiKey key plugged into a computer using a Dvorak keyboard, the YubiCo server notices this and compensates. It returns the otp qwerty-corrected in its response, but then Auth::YubiKey::Client::Web does this:
if ($self->otp ne $self->request_otp) {
$self->status('ERR_MSG_OTP');
return;
}
The $self->otp returns the dvorak version, so it doesn't eq the version from the server.
You end up with a result where the server said it was okay, but Auth::YubiKey::Client::Web says it knows better. It means users with Dvorak setups can't use a YubiKey with a site that uses Auth::YubiKey::Client::Web.
--
rjbs