Yubikey: Difference between revisions
Create stub: Yubikey |
Major expansion: setup guide, FIDO2, SSH, GPG integration, backup strategy, troubleshooting |
||
| Line 1: | Line 1: | ||
= Yubikey = | |||
[[File:YubiKey-4-keychain-and-nano.png|thumb|right|200px|YubiKey 4 - hardware root of trust]] | |||
== | '''YubiKey''' is a hardware security key that provides phishing-resistant authentication. Essential for protecting high-value accounts against credential theft. | ||
* Setup and | |||
* FIDO2/WebAuthn | == Why Hardware Keys == | ||
* GPG | |||
Passwords can be phished. SMS codes can be intercepted. TOTP apps can be cloned. Hardware keys '''cannot be remotely stolen''' - an attacker needs physical possession. | |||
{| class="wikitable" | |||
! Method !! Phishing Resistant !! Remote Theft !! Usability | |||
|- | |||
| Password only || No || Yes || Easy | |||
|- | |||
| SMS 2FA || No || Yes (SIM swap) || Easy | |||
|- | |||
| TOTP (Authenticator) || No || Possible (malware) || Medium | |||
|- | |||
| '''Hardware Key''' || '''Yes''' || '''No''' || Easy | |||
|} | |||
== Which YubiKey == | |||
'''Recommended:''' YubiKey 5 NFC ($50) | |||
* USB-A + NFC for phone tap | |||
* Supports FIDO2, PIV, OpenPGP, OTP | |||
'''For USB-C only:''' YubiKey 5C NFC ($55) | |||
'''Budget option:''' Security Key NFC ($25) | |||
* FIDO2 only (no PIV/OpenPGP) | |||
* Still excellent for most users | |||
'''Always buy two.''' Register both everywhere. Keep backup in secure location. | |||
== Initial Setup == | |||
=== Install YubiKey Manager === | |||
<pre> | |||
# macOS | |||
brew install ykman | |||
# Debian/Ubuntu | |||
sudo apt install yubikey-manager | |||
# Verify key is detected | |||
ykman info | |||
</pre> | |||
=== Set PIN === | |||
<pre> | |||
# Set FIDO2 PIN (required for passwordless) | |||
ykman fido access change-pin | |||
# Set PIV PIN (for certificates) | |||
ykman piv access change-pin | |||
</pre> | |||
'''Default PINs:''' FIDO2 has none, PIV default is 123456 | |||
== FIDO2/WebAuthn Setup == | |||
Modern passwordless authentication. Register your key with supported services: | |||
=== Google/Gmail === | |||
# Security → 2-Step Verification → Security Keys | |||
# Add Security Key → USB/NFC | |||
# Insert key and tap when prompted | |||
# '''Register backup key immediately''' | |||
=== GitHub === | |||
# Settings → Password and authentication → Two-factor authentication | |||
# Security keys → Register new security key | |||
# Follow prompts | |||
=== Microsoft/Azure === | |||
# Security → Advanced security options → Add a new way to sign in | |||
# Use a security key | |||
=== 1Password === | |||
Settings → Security → Two-Factor Authentication → Security Keys | |||
=== Other Services === | |||
Most modern services support FIDO2. Look for "Security Keys" or "Hardware Keys" in security settings. | |||
== SSH Authentication == | |||
=== Resident Keys (FIDO2) === | |||
Modern approach - key stored on YubiKey: | |||
<pre> | |||
# Generate resident SSH key | |||
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-main" | |||
# Key is stored ON the YubiKey | |||
# Export public key for authorized_keys | |||
ssh-keygen -K # Downloads from key | |||
# Add to remote server | |||
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@server | |||
</pre> | |||
'''Flags explained:''' | |||
* <code>-O resident</code>: Store key on device (not just reference) | |||
* <code>-O verify-required</code>: Require PIN + touch for each use | |||
=== PIV-based SSH === | |||
Traditional approach using X.509 certificates: | |||
<pre> | |||
# Generate key in PIV slot 9a | |||
ykman piv keys generate 9a pubkey.pem | |||
# Create self-signed certificate | |||
ykman piv certificates generate --subject "CN=SSH Key" 9a pubkey.pem | |||
# Export public key for SSH | |||
ssh-keygen -D /usr/local/lib/libykcs11.dylib -e > yubikey.pub | |||
# Use with ssh | |||
ssh -I /usr/local/lib/libykcs11.dylib user@server | |||
</pre> | |||
== GPG Integration == | |||
Use YubiKey as a smartcard for [[PGP]] operations: | |||
=== Move Keys to Card === | |||
<pre> | |||
# Edit your key | |||
gpg --edit-key YOUR_KEY_ID | |||
# For each subkey, move to card | |||
gpg> key 1 | |||
gpg> keytocard | |||
# Select appropriate slot (signature, encryption, or authentication) | |||
gpg> save | |||
</pre> | |||
=== Slots === | |||
* '''Signature (1):''' For signing | |||
* '''Encryption (2):''' For decryption | |||
* '''Authentication (3):''' For SSH auth via GPG | |||
=== Configure GPG Agent for SSH === | |||
Add to <code>~/.gnupg/gpg-agent.conf</code>: | |||
<pre> | |||
enable-ssh-support | |||
pinentry-program /usr/bin/pinentry-mac # or appropriate for your OS | |||
</pre> | |||
Add to shell profile: | |||
<pre> | |||
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) | |||
gpgconf --launch gpg-agent | |||
</pre> | |||
== TOTP Backup == | |||
YubiKey can store TOTP seeds (like Google Authenticator): | |||
<pre> | |||
# Add TOTP account (using Yubico Authenticator app) | |||
# Or via CLI: | |||
ykman oath accounts add -t "Service Name" SEED_SECRET | |||
# Generate code | |||
ykman oath accounts code "Service Name" | |||
</pre> | |||
'''Note:''' YubiKey 5 stores up to 32 TOTP accounts. Requires touch for each code. | |||
== Static Passwords == | |||
For services that don't support 2FA, store a complex password: | |||
<pre> | |||
# Configure slot 2 for static password | |||
ykman otp static --keyboard-layout US 2 | |||
# Long-press generates the password | |||
</pre> | |||
'''Use sparingly''' - this is a fallback, not primary security. | |||
== Backup Strategy == | |||
'''Critical:''' Always have a backup authentication method. | |||
# '''Two YubiKeys:''' Register both everywhere | |||
# '''Backup codes:''' Store encrypted/offline | |||
# '''Recovery email:''' Separate, secured account | |||
# '''Document everything:''' Which key is registered where | |||
=== Recovery Procedure === | |||
If primary key is lost: | |||
# Use backup key to access accounts | |||
# Revoke lost key from all services | |||
# Order replacement | |||
# Register replacement as new backup | |||
== Troubleshooting == | |||
=== Key Not Detected === | |||
<pre> | |||
# Check USB connection | |||
ykman info | |||
# Reset USB stack (macOS) | |||
sudo launchctl stop com.apple.usbd; sudo launchctl start com.apple.usbd | |||
# Check permissions (Linux) | |||
# Add udev rules: /etc/udev/rules.d/70-yubikey.rules | |||
</pre> | |||
=== Wrong PIN Too Many Times === | |||
<pre> | |||
# FIDO2 locks after 8 attempts - must reset | |||
ykman fido reset # WARNING: Destroys all FIDO credentials | |||
# PIV locks after 3 attempts | |||
# Use PUK to unblock, or reset PIV application | |||
</pre> | |||
=== NFC Not Working === | |||
* Remove phone case | |||
* Move slowly across NFC area | |||
* Some phones have NFC at top, some at center | |||
== Security Considerations == | |||
'''Physical Security:''' Anyone with your key AND PIN can authenticate as you. | |||
'''Travel:''' Consider leaving backup key at home. Some border crossings may require unlocking devices. | |||
'''Touch Requirement:''' Enable touch for operations - prevents malware from silently using key. | |||
'''Firmware:''' Cannot be updated. Old keys may lack features but remain secure for their supported protocols. | |||
== Related == | |||
* [[PGP]] - Encrypted communications | |||
* [[Threat Modeling]] - Security planning | |||
* [[SSH]] - Secure remote access | |||
* [[Digital Security Incident Runbook]] - When things go wrong | |||
== References == | |||
* [https://developers.yubico.com/Developer_Program/WebAuthn_Starter_Kit/ Yubico WebAuthn Documentation] | |||
* [https://github.com/drduh/YubiKey-Guide drduh's YubiKey Guide] - Comprehensive GPG setup | |||
[[Category:Digital Security]] | |||
[[Category:Hardware]] | |||
[[Category:Authentication]] | |||
{{Navbox Security}} | {{Navbox Security}} | ||
Latest revision as of 05:35, 15 January 2026
Yubikey
YubiKey is a hardware security key that provides phishing-resistant authentication. Essential for protecting high-value accounts against credential theft.
Why Hardware Keys
Passwords can be phished. SMS codes can be intercepted. TOTP apps can be cloned. Hardware keys cannot be remotely stolen - an attacker needs physical possession.
| Method | Phishing Resistant | Remote Theft | Usability |
|---|---|---|---|
| Password only | No | Yes | Easy |
| SMS 2FA | No | Yes (SIM swap) | Easy |
| TOTP (Authenticator) | No | Possible (malware) | Medium |
| Hardware Key | Yes | No | Easy |
Which YubiKey
Recommended: YubiKey 5 NFC ($50)
- USB-A + NFC for phone tap
- Supports FIDO2, PIV, OpenPGP, OTP
For USB-C only: YubiKey 5C NFC ($55)
Budget option: Security Key NFC ($25)
- FIDO2 only (no PIV/OpenPGP)
- Still excellent for most users
Always buy two. Register both everywhere. Keep backup in secure location.
Initial Setup
Install YubiKey Manager
# macOS brew install ykman # Debian/Ubuntu sudo apt install yubikey-manager # Verify key is detected ykman info
Set PIN
# Set FIDO2 PIN (required for passwordless) ykman fido access change-pin # Set PIV PIN (for certificates) ykman piv access change-pin
Default PINs: FIDO2 has none, PIV default is 123456
FIDO2/WebAuthn Setup
Modern passwordless authentication. Register your key with supported services:
Google/Gmail
- Security → 2-Step Verification → Security Keys
- Add Security Key → USB/NFC
- Insert key and tap when prompted
- Register backup key immediately
GitHub
- Settings → Password and authentication → Two-factor authentication
- Security keys → Register new security key
- Follow prompts
Microsoft/Azure
- Security → Advanced security options → Add a new way to sign in
- Use a security key
1Password
Settings → Security → Two-Factor Authentication → Security Keys
Other Services
Most modern services support FIDO2. Look for "Security Keys" or "Hardware Keys" in security settings.
SSH Authentication
Resident Keys (FIDO2)
Modern approach - key stored on YubiKey:
# Generate resident SSH key ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-main" # Key is stored ON the YubiKey # Export public key for authorized_keys ssh-keygen -K # Downloads from key # Add to remote server ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@server
Flags explained:
-O resident: Store key on device (not just reference)-O verify-required: Require PIN + touch for each use
PIV-based SSH
Traditional approach using X.509 certificates:
# Generate key in PIV slot 9a ykman piv keys generate 9a pubkey.pem # Create self-signed certificate ykman piv certificates generate --subject "CN=SSH Key" 9a pubkey.pem # Export public key for SSH ssh-keygen -D /usr/local/lib/libykcs11.dylib -e > yubikey.pub # Use with ssh ssh -I /usr/local/lib/libykcs11.dylib user@server
GPG Integration
Use YubiKey as a smartcard for PGP operations:
Move Keys to Card
# Edit your key gpg --edit-key YOUR_KEY_ID # For each subkey, move to card gpg> key 1 gpg> keytocard # Select appropriate slot (signature, encryption, or authentication) gpg> save
Slots
- Signature (1): For signing
- Encryption (2): For decryption
- Authentication (3): For SSH auth via GPG
Configure GPG Agent for SSH
Add to ~/.gnupg/gpg-agent.conf:
enable-ssh-support pinentry-program /usr/bin/pinentry-mac # or appropriate for your OS
Add to shell profile:
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent
TOTP Backup
YubiKey can store TOTP seeds (like Google Authenticator):
# Add TOTP account (using Yubico Authenticator app) # Or via CLI: ykman oath accounts add -t "Service Name" SEED_SECRET # Generate code ykman oath accounts code "Service Name"
Note: YubiKey 5 stores up to 32 TOTP accounts. Requires touch for each code.
Static Passwords
For services that don't support 2FA, store a complex password:
# Configure slot 2 for static password ykman otp static --keyboard-layout US 2 # Long-press generates the password
Use sparingly - this is a fallback, not primary security.
Backup Strategy
Critical: Always have a backup authentication method.
- Two YubiKeys: Register both everywhere
- Backup codes: Store encrypted/offline
- Recovery email: Separate, secured account
- Document everything: Which key is registered where
Recovery Procedure
If primary key is lost:
- Use backup key to access accounts
- Revoke lost key from all services
- Order replacement
- Register replacement as new backup
Troubleshooting
Key Not Detected
# Check USB connection ykman info # Reset USB stack (macOS) sudo launchctl stop com.apple.usbd; sudo launchctl start com.apple.usbd # Check permissions (Linux) # Add udev rules: /etc/udev/rules.d/70-yubikey.rules
Wrong PIN Too Many Times
# FIDO2 locks after 8 attempts - must reset ykman fido reset # WARNING: Destroys all FIDO credentials # PIV locks after 3 attempts # Use PUK to unblock, or reset PIV application
NFC Not Working
- Remove phone case
- Move slowly across NFC area
- Some phones have NFC at top, some at center
Security Considerations
Physical Security: Anyone with your key AND PIN can authenticate as you.
Travel: Consider leaving backup key at home. Some border crossings may require unlocking devices.
Touch Requirement: Enable touch for operations - prevents malware from silently using key.
Firmware: Cannot be updated. Old keys may lack features but remain secure for their supported protocols.
Related
- PGP - Encrypted communications
- Threat Modeling - Security planning
- SSH - Secure remote access
- Digital Security Incident Runbook - When things go wrong
References
- Yubico WebAuthn Documentation
- drduh's YubiKey Guide - Comprehensive GPG setup
| Security & Opsec | |
|---|---|
| Crypto | PGP · PGP Communication Guide · Key Management |
| Incident | Security Incident Runbook · Threat Modeling · Account Recovery |
| Hardware | Flipper Zero · HackRF · Yubikey |
| Culture | Hacker Culture · Operational Security |