DISCLAIMER: U2F should be used when possible because it is significantly safer than any other alternative. The only reason I'm using TOTP rather than U2F is that Amazon Web Services does not support 2 MFA devices attached to the same user, and the AWS CLI does not support U2F yet. Basically, you can use U2F to access the web console, but forget about using U2F when running CLI commands in the terminal (and for me, this is not acceptable).

## What is a YubiKey

The YubiKey is a small hardware authentication device, created by Yubico, that supports a wide range of authentication protocols. It's a USB key (some versions support USB-A, some USB-C and the latest versions even support NFC) with a LED and a button.

NOTE: It seems the YubiKey 4 with firmware between 4.2.6 and 4.3.4 had a security vulnerability that would allow an attacker to reconstruct the private key using the public key. This concerned RSA keys generated on the device; the OATH credentials configured later in this post are symmetric secrets imported from the service, not keys generated on the YubiKey. You can read more about this here and here.

## USB interfaces

Yubico calls these "USB interfaces", and each one of them supports one or multiple modes/protocols.

- FIDO: This interface only supports the U2F protocol.
- OTP: This interface has 2 slots (short-press and long-press). Each one of them can be configured and used as OATH-HOTP, Yubico OTP, Challenge-Response or Static password. By default, a Yubico OTP is preconfigured in the first slot.
- CCID: This is the interface allowing the key to act as a Smart Card. It supports up to 32 OATH-TOTP/OATH-HOTP codes, PIV and OpenPGP.

### U2F

An open authentication standard enabling strong two-factor authentication to any number of web-based applications, such as Gmail, Salesforce, Amazon Web Services, Twitter and hundreds more services. U2F is the recommended two-factor method. It is phishing resistant, unlike TOTP/Google Authenticator, and it is much harder to compromise than SMS/voice call methods. It doesn't require any software or drivers. It works in Chrome by default and in Firefox (you would need to change a config flag). Read more about FIDO U2F.
### Smart Card (PIV)

Smart cards contain a chip that brokers data exchanges. These same features are contained in the YubiKey 4 and 5 Series, based on the industry standard Personal Identity and Verification Card (PIV) interface over the CCID protocol, which supports PIV on a USB interface.

### Yubico OTP

The YubiKey generates an encrypted password for one-time use. Hackers require physical access to your YubiKey to generate the OTP. This is the weird string you will get if you touch your YubiKey while focused on a text input.

### OpenPGP

In the physical world, documents and data are often validated with a signature. In the virtual world, OpenPGP is a standards-based public key cryptography for signing, encrypting, and decrypting texts, e-mails, files, etc.

### Static password

A basic YubiKey feature that generates a 38-character static password compatible with any application log-in. It is most often used with legacy systems that cannot be retrofitted to enable other two-factor authentication schemes, such as pre-boot login.

NOTE: This mode is vulnerable to keyloggers, so it should be avoided when possible.

### OATH-TOTP/OATH-HOTP

The key generates a 6 or 8 character OTP (one-time password) for logging into any service that supports either OATH-TOTP or OATH-HOTP. The difference between OATH-TOTP and OATH-HOTP is that the former is time based, meaning a new password is generated at a set time interval, typically every 30 seconds. The latter is event based, meaning a new one-time password is generated for each event.

### Challenge-Response

The Challenge-Response method is best suited for offline validations. Use it for Windows, Mac, and Linux computer login.

[Image: USB interfaces and the different modes supported]

## Which interface will be used?

For our purposes, we will use the CCID interface because it allows storing up to 32 OATH-TOTP/OATH-HOTP entries. If we only cared about a single OATH-HOTP provider, we could use the OTP interface. However, both Google Authenticator and Authy are TOTP based.
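To make the TOTP/HOTP difference concrete, here is an added Python example (not code from the original post or from Yubico) that computes both codes from a Base32 key, which is exactly what the YubiKey's OATH applet does on your behalf after `ykman oath add`. The secret is the RFC 4226/6238 test secret, written the way a provider might display it (lowercase, grouped with spaces); `normalize_base32` is a hypothetical helper showing the clean-up you must do before handing the key to ykman.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_base32(key: str) -> bytes:
    """Turn a provider-supplied Base32 key into raw secret bytes.

    Providers often display the key lowercase or in space-separated groups;
    strip the spaces, upper-case it and restore the '=' padding that Base32
    decoders expect before decoding.
    """
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH-HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, period: int = 30, digits: int = 6) -> str:
    """OATH-TOTP (RFC 6238): HOTP whose counter is derived from wall-clock
    time, so the code rolls over every `period` seconds instead of per event."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period, digits)


# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890",
# displayed the way some services show it (grouped, lowercase).
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    secret = normalize_base32(SAMPLE_KEY)
    for c in range(3):  # HOTP: a new code per event (counter increment)
        print(f"HOTP counter={c}: {hotp(secret, c)}")
    print(f"TOTP now: {totp(secret)}")  # TOTP: a new code per 30 s window
    print(f"TOTP at T=59, 8 digits: {totp(secret, at=59, digits=8)}")
```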
## CCID interface set-up (GNU/Linux)

### Ensure the PC/SC Smart Card Daemon is running

The PC/SC Smart Card Daemon (or pcscd) is a service designed to interact with Smart Cards. I'm running Arch Linux (I couldn't hold it anymore :P), so I will be using `systemctl` to start/enable the pcscd service.

[Image: pcscd status]

[Image: Start and enable pcscd.service]

### Install YubiKey Manager CLI tool

On Arch Linux you just need to run:

```
sudo pacman -S yubikey-manager
```

After the installation is finished, you should be able to run `ykman info` to retrieve details from your key.

We're only interested in the CCID interface, so we could choose to disable OTP and FIDO with the following command, but it's not required:

```
ykman mode "CCID"
```

## Using your YubiKey 4 with different providers

When you use Google Authenticator or Authy on your phone, you have to scan a QR code using your camera; obviously, you cannot do that with your YubiKey. Instead, you will have to get a Base32 key and pass it to the YubiKey using the `ykman` tool previously installed. To add 2FA/MFA for a service using this tool, you need to provide both the aforementioned key and an identifier to help you identify your service/account later:

```
ykman oath add -t <SERVICE_NAME> <YOUR_BASE32_KEY>
```

The `-t` flag indicates you will need to touch your key in order to get the 6-digit code later. This is recommended to prevent malware from generating codes without any user intervention.

After running the previous command, you should now be able to generate a 6-digit code by running `ykman` again:

```
ykman oath code <SERVICE_NAME>
```

It will ask you to touch your YubiKey, and then display the code on the screen.

### GitHub

Go to your user settings > Security and click on "Enable two-factor authentication". In the next screen, you need to select "Set up using an App" when prompted. After this, you will get to a screen where you can download a set of recovery codes in case you lose or break your MFA device and cannot log in.
As far as I know, this is something not every service has implemented, and in some of them, if you lose the key, that's the end. Once you get to the screen with the QR code, you will need to click on the link that says "enter this text code" and a modal with your Base32 key will open. You can configure your key with the following command:

```
ykman oath add -t github.com <YOUR_BASE_32_KEY>
```

After this you need to run the following to get your 6-digit code and complete the 2FA set-up:

```
ykman oath code github.com
```

### AWS (IAM Users, not root account)

After login, go to IAM > Users and click on your user name. Then you need to click on the "Security credentials" tab.

[Image: Security credentials tab]

As you can see, there is no MFA device assigned, so to assign one, just click Manage. In the next screen, select "Virtual MFA device".

[Image: Setting up a MFA device]

Here you can choose to show the QR code or to show the secret key. For our purposes, we want the secret key only. Then you can run `ykman` to configure AWS MFA:

```
ykman oath add -t aws-username <YOUR_BASE_32_KEY>
```

And then run the following twice, to get a couple of 6-digit codes and complete the set-up:

```
ykman oath code aws-username
```

[Image: MFA has been set up correctly]

### GitLab

Go to your user settings > Account and select "Enable two-factor authentication". In the next screen you will see the QR code, and a bit of text at the right. This contains your Base32 key.

NOTE: You will need to remove the spaces before using the key with `ykman`.

After getting the key, the process is exactly the same as GitHub. First you need to configure GitLab in your YubiKey, running the following command:

```
ykman oath add -t gitlab.com <YOUR_BASE_32_KEY>
```

After this, just run the following to get your 6-digit code and complete the 2FA set-up:

```
ykman oath code gitlab.com
```

## EXTRA STUFF!

### Simplify your workflow using fzf

If you are a heavy CLI user and don't know fzf, you should stop reading this and go here or here.
```
ykman oath code $(ykman oath list | fzf)
```

Using `ykman oath list` we can get a list of the different services configured with the key. The way this command works is:

1. It passes the output of `ykman oath list` to `fzf`.
2. You select which service you want to authenticate against and press enter.
3. `ykman` will ask you to touch the key, and will output the right 6-digit code associated with the previously selected service.

You can see this in action here.

### Use Yubico Authenticator instead of ykman to get the 6-digit codes

If you don't want to use `ykman` to get your 6-digit codes, you can also choose to use Yubico Authenticator (a GUI based tool). In my case I had to install [yubico-yubioath-desktop](https://aur.archlinux.org/packages/yubico-yubioath-desktop/) from the Arch User Repository (AUR).

[Image: OOOPS! I need to insert the key]

[Image: List of services using YubiKey]

[Image: Touch your YubiKey and you will see a 6-digit code for the selected service]

DONE!