Using your YubiKey

Notes on installing and setting up your YubiKey 4 (or later) for various platforms and applications.

Introduction

The YubiKey is a hardware device manufactured by Yubico that provides a hardware "second factor" enabling true two-factor authentication: something you know (your password) and something you have (your YubiKey). It enables you to easily and securely log in to accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.

Operation

Security Hints

Enable YubiKey TFA for applications

See also: How to Secure Your Google, Dropbox, and GitHub Accounts With a U2F Key

LastPass

Unlocking LastPass on a laptop/desktop requires a YubiKey token (cover the button for approximately one second).

Google

For each Google account you have:

GitHub

AWS

AWS Root Account

For each AWS account you have:

AWS IAM Account

AWS supports the use of a TOTP app, like Google Authenticator, or you can use a U2F Security Key, like a YubiKey. However, AWS only supports one device per account, so you cannot set up a backup MFA device for AWS.

AWS Account Menu

For All MFA Types:

AWS MFA device selection dialog

For TOTP applications:

For U2F Security Keys:

Securing your Laptop

Your laptop should lock (require a password to resume) on screen close and after 15 minutes idle time.

YubiKey Neo U2F Setup

Some older YubiKeys (like the Neo) need to have U2F (Universal Second Factor) enabled before use. (If you are unsure, ask any IT staff member or ask on the #general Slack channel.)

For these YubiKeys, you may need to install and configure some software that "personalizes" your YubiKey. Note: newer YubiKeys may not require this step.

Install Packages

Arch

See also: https://wiki.archlinux.org/index.php/yubikey

pacaur -S perl-net-ldap-server    # this is a prerequisite
pacaur -S yubikey-neo-manager-git

Fedora

See also: https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora

dnf copr enable jjelen/yubikey-neo-manager
dnf copr enable spartacus06/yubikey-utils
dnf install yubikey-neo-manager yubioath-desktop yubikey-personalization-gui

Ubuntu, Xubuntu

See also: https://askubuntu.com/questions/720314/how-to-install-yubikey-personalization-tool-on-ubuntu

sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-neo-manager yubikey-personalization yubikey-personalization-gui

Mac OS X

Download and install the YubiKey Personalization Tool from the Mac App Store at https://itunes.apple.com/us/app/yubikey-personalization-tool

Personalize your YubiKey

This allows you to use your YubiKey with Google TFA (newfangled U2F), as well as LastPass (which uses the OTP application).

GNU/Linux command line

$ neoman
# Enable OTP, U2F, CCID checkboxes if needed, follow instructions to add and remove key.

$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
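A quick sanity check for the slot 2 configuration written by the ykpersonalize command above, as an added example that is not part of the original page. It assumes the ykchalresp tool from the yubikey-personalization package is installed; the YKCHALRESP variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that slot 2 answers HMAC-SHA1 challenges after personalization.
# YKCHALRESP is a hypothetical override so the check can be exercised without a key.
YKCHALRESP="${YKCHALRESP:-ykchalresp}"

# Ask slot 2 for the response to one challenge; print it as lowercase hex.
# A failing or missing tool yields an empty string.
slot2_response() {
    "$YKCHALRESP" -2 "$1" 2>/dev/null | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# An HMAC-SHA1 response is 20 bytes, i.e. exactly 40 hex characters.
is_hmac_sha1_hex() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Return 0 only if slot 2 behaves like an HMAC-SHA1 challenge-response slot:
# well-formed output, same challenge -> same response,
# different challenge -> different response.
check_slot2() {
    # Both challenges are far shorter than 64 bytes, matching -ohmac-lt64.
    c1="slot2-check-$$-a"
    c2="slot2-check-$$-b"
    r1=$(slot2_response "$c1")
    r1_again=$(slot2_response "$c1")
    r2=$(slot2_response "$c2")
    if ! is_hmac_sha1_hex "$r1" || ! is_hmac_sha1_hex "$r2"; then
        echo "slot 2: no 40-hex-digit response (key missing or slot not configured?)" >&2
        return 1
    fi
    if [ "$r1" != "$r1_again" ]; then
        echo "slot 2: same challenge gave two different responses" >&2
        return 1
    fi
    if [ "$r1" = "$r2" ]; then
        echo "slot 2: response does not depend on the challenge" >&2
        return 1
    fi
    echo "slot 2: HMAC-SHA1 challenge-response is working"
}
```

Source the file and run `check_slot2` with the key inserted; a non-zero status means slot 2 did not answer as configured.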

Mac OS X YubiKey tool

This should be straightforward, but waiting for a pull request that clearly explains how to:


