Using your YubiKey#
Notes on installing and setting up your YubiKey 4 (or later) for various platforms and applications.
Introduction#
The YubiKey is a hardware device manufactured by Yubico that provides a hardware "second factor" enabling true two-factor authentication: something you know (your password) and something you have (your YubiKey). It enables you to easily and securely log in to accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.
Operation#
- Simply plug it into an unused USB port.
- During certain types of authentication you will be prompted on screen to press the inset copper button marked with and (often lit) "Y".
Security Hints#
- If you trust your environment (like at home) you can keep the YubiKey near or even plugged into your computer.
- In low trust environments (coffee shops, hotel rooms, etc.) keep your YubiKey with you at all times (in a pocket or purse). If your computer is compromised, it won't be accessible without the YubiKey that you have on you.
- Do not use SMS text messages for two-factor authentication.
Enable YubiKey TFA for applications#
See also: How to Secure Your Google, Dropbox, and GitHub Accounts With a U2F Key
Lastpass#
This requires a Yubikey token (cover the button for approximately one second) on laptop/desktop to unlock LastPass.
- My Vault -> Account Settings -> Multifactor Options
- Set up one free option (e.g., Google Authenticator) - this is a useful backup
- YubiKey (an easier option) is available when using LastPass Premium ($12/year)
- Select the YubiKey option.
- Insert the YubiKey device into a USB port on your computer.
- Focus your cursor on the "YubiKey #1" field.
- Press the button on the YubiKey device.
- A long string of dots should appear in the YubiKey #1 field.
- Change the "YubiKey Authentication" status to "Enabled"
- Set "Enabled" ==> "Yes"
- Set "Permit Offline Access" ==> "Disallow"
- Press the Update button
- Enter your LastPass master password and press Confirm.
- YubiKey is now enabled for your LastPass account.
- If you have a YubiKey Neo (Bixal Solutions uses the YubiKey 4 model) and your phone supports NFC, you can touch the Neo against your phone to unlock on mobile.
Google#
For each Google account you have:
- Visit https://accounts.google.com/b/0/SmsAuthSettings#devices
- Enable TFA, and complete the phone verification process (phone will act as backup TFA).
- Click on "Security Keys" and follow instructions to add Yubikey.
- Return to the main page and add a second phone and/or print backup codes.
- As long as you have a backup, you can also install the Yubikey Authenticator app, and configure your account to use that for the backup TFA instead of SMS/phone - this is the same as the Google Authenticator app, except that it stores the credentials on your Yubikey instead of the phone.
- If you have funky devices/apps that don't support TFA, you can set an application specific password using that tab. This includes sending E-mail from your personal Gmail account using your bixal.com IMAP, for instance.
Github#
- Visit https://github.com/settings/two_factor_authentication/configure
- Enable TFA, and complete the phone verification process (phone will act as backup TFA).
- Then you can "Register new device" in the "Security keys" section
AWS Root Account#
For each AWS account you have:
- Visit https://console.aws.amazon.com/iam/home?region=us-east-1#security_credential
- Under MFA, add a Virtual MFA device.
- Use Yubikey Authenticator app to scan the QR code, and enter the reponse code, then close and reopen the app and enter the second response code.
AWS IAM Account#
AWS supports the use of a TOTP app, like Google Authenticator, or you can use a U2F Security Key, like a Yubikey. However, they only support one device per account, so you cannot set up a backup MFA device for AWS.
For All MFA Types:
- Login and click your name in the top menu bar.
- Click My Security Credentials in the drop down menu.
- Click on Manage your MFA device.
For TOTP applications:
- Select Virtual MFA device.
- Use Google Authenticator app to scan the QR code, and enter the reponse code
- then close and reopen the app and enter the second response code.
For U2F Security Keys:
- Select U2F security key
- Plug in your Yubikey
- Touch the copper inset button on the Yubikey
Securing your Laptop#
Your laptop should lock (require a password to resume) on screen close and after 15 minutes idle time.
YubiKey Neo U2F Setup#
Some older Yubikeys (like the Neo) need to have U2F (Universal Second Factor) enabled before use. (If you are unsure, ask any IT staff member or on the #general slack channel.)
For these Yubikeys, you may need to install and configure some software that "personalizes" your YubiKey. Note: newer Yubikeys may not require this step.
Install Packages#
Arch#
See also: https://wiki.archlinux.org/index.php/yubikey
pacaur -S perl-net-ldap-server # this is a prerequisite
pacaur -S yubikey-neo-manager-git
Fedora#
See also: https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora
dnf copr enable jjelen/yubikey-neo-manager
dnf copr enable spartacus06/yubikey-utils
dnf install yubikey-neo-manager yubioath-desktop yubikey-personalization-gui
Ubuntu, Xubuntu#
See also: https://askubuntu.com/questions/720314/how-to-install-yubikey-personalization-tool-on-ubuntu
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-neo-manager yubikey-personalization yubikey-personalization-gui
Mac OS X#
Download and install the YubiKey Personalization Tool from the Mac App Store at https://itunes.apple.com/us/app/yubikey-personalization-tool
Personalize your YubiKey#
This allows you to use your Yubikey with Google TFA (new fangled U2F), as well as LastPass (which uses the OTP application).
GNU/Linux command line#
$ neoman
# Enable OTP, U2F, CCID checkboxes if needed, follow instructions to add and remove key.
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Mac OSX YubiKey tool#
This should be straightforward, but waiting for a pull request that clearly explains how to:
- Enable
OTP
,U2F
&CCID
- Personalize Configuration Slot 2 with options:
chal-resp
(Set challenge-response mode)chal-hmac
(Generate HMAC-SHA1 challenge responses)hmac-lt64
(Calculate HMAC on less than 64 bytes input)serial-api-visible
(Allow serial number to be read using an API call)
Documentation built with MkDocs using a modified Windmill Dark theme