diff --git a/common.php b/common.php
index d46b481..624cfde 100644
--- a/common.php
+++ b/common.php
@@ -127,9 +127,9 @@ function decryptOTP($otp, $base_url) {
 function getAuthData($conn, $devId) {
 $tokenId = modhex2b64($devId);
 $stmt =
- 'SELECT id, client_id, counter, sessionUse, low, high, accessed '.
+ 'SELECT id, active, client_id, counter, sessionUse, low, high, accessed '.
 'FROM yubikeys '.
- 'WHERE active AND tokenId='.mysql_quote($tokenId);
+ 'WHERE tokenId='.mysql_quote($tokenId);
 $r = query($conn, $stmt);
 if (mysql_num_rows($r) > 0) {
 $row = mysql_fetch_assoc($r);
@@ -139,6 +139,13 @@ function getAuthData($conn, $devId) {
 return null;
 } // End getAuthData
 
+function addNewKey($conn, $devId) {
+ $tokenId = modhex2b64($devId);
+ $stmt = 'INSERT INTO yubikeys (client_id, active, created, tokenId, counter) '.
+ 'VALUES (1, true, NOW(), ' . mysql_quote($tokenId) . ', 0)';
+ $r = query($conn, $stmt);
+}
+
 // $clientId: The decimal client identity
 function getClientData($conn, $clientId) {
 $stmt =
diff --git a/verify.php b/verify.php
index c89cce8..920a3c9 100644
--- a/verify.php
+++ b/verify.php
@@ -82,12 +82,22 @@ debug($otpinfo);
 //
 $devId = substr($otp, 0, strlen ($otp) - TOKEN_LEN);
 $ad = getAuthData($conn, $devId);
+if (!is_array($ad)) {
+ debug('Discovered Yubikey ' . $devId);
+ addNewKey($conn, $devId);
+}
+$ad = getAuthData($conn, $devId);
 if (!is_array($ad)) {
 debug('Invalid Yubikey ' . $devId);
 sendResp(S_BAD_OTP);
 exit;
 }
 debug($ad);
+if ($ad['active'] != 1) {
+ debug('De-activated Yubikey ' . $devId);
+ sendResp(S_BAD_OTP);
+ exit;
+}
 //// Check the session counter
 //
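Review bot: Removing `active` from the WHERE clause in getAuthData makes the function return rows for de-activated keys and silently moves the active check onto every caller; any other caller that relied on the old filter would now accept a disabled key without noticing. The only hint of the new contract is the extra `active` column in the SELECT, so it should be stated at the definition: `// Returns the row for $devId whether or not the key is active; callers MUST check $row['active'] before trusting the key.` If verify.php is meant to be the only consumer that wants inactive rows, an optional `$includeInactive = false` parameter would keep the default fail-closed for everyone else. getAuthData's body continues past the end of this hunk.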
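Review bot: addNewKey enrols whatever tokenId it is handed as an `active` key for the hard-coded `client_id` 1, storing nothing but the tokenId and a zero counter and performing no authorization step, and verify.php in this same patch calls it for any device ID that is not yet in the table — so a remote caller can populate the database with arbitrary public IDs as live keys simply by submitting them. Unless the OTP has already been cryptographically validated before this point (not visible in the hunk), the safer default is to record the discovered key as inactive and let an operator approve it: `'VALUES (1, false, NOW(), ' . mysql_quote($tokenId) . ', 0)';` — the new `active` check in verify.php then answers S_BAD_OTP until activation. The INSERT result `$r` is also discarded, so a failed insert (for example a duplicate tokenId if two first-use requests race) is never reported and the caller only learns of it indirectly through its second getAuthData lookup. The fixed client id deserves at least a `// TODO: client_id is hard-coded to 1` or a parameter, since every auto-discovered key is attributed to that one client.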