YubiKey

From Omnia

YubiKey Manager

https://www.yubico.com/support/download/yubikey-manager
Use the YubiKey Manager to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and Linux operating systems. The tool works with any currently supported YubiKey. You can also use the tool to check the type and firmware of a YubiKey. In addition, you can use the extended settings to specify other features, such as to configure 3-second long touch.
HOTP

Interfaces

USB and NFC

Applications:

  • OTP - One-Time Password [1]
    • Short Touch (Slot 1)
    • Long Touch (Slot 2)
    • Options:
      • Yubico OTP (Default)
      • Challenge-response
      • Static password
      • OATH-HOTP (Good option for 2nd slot)
  • FIDO2 - Fast IDentity Online version 2 [2]
    • FIDO2 PIN
  • PIV - Personal Identity Verification (PIV) [3]
    • PIN, PUK, Management Key
    • Certificates

Interfaces: (USB and NFC)

  • OTP - One-Time Password [4]
  • FIDO U2F - Fast IDentity Online / Universal 2nd Factor [5]
    • Version 1 of FIDO
  • FIDO2 - Fast IDentity Online version 2 [6]
    • Version 2 of FIDO
  • PIV - Personal Identity Verification (PIV) [7]
  • OpenPGP - [8] [9]
  • OATH - Open Authentication [10]

Remote Desktop

FIDO2 Passthrough requires Windows version 1903 or Higher.

"WebAuthN requires Windows 10 version 1903 or higher"

Ref:

FIDO2 security key sign-in to Windows - Microsoft Entra ID | Microsoft Learn
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-windows

SSO

OTP/TOTP mode vs PIN+FIDO2 mode

The benefit of FIDO2 is that it verifies the physical USB connection end-to-end, but this also requires end-to-end FIDO2 support.

Compared to traditional MFA methods like SMS codes or TOTP (Time-based One-Time Password), FIDO2 offers higher security by resisting phishing and man-in-the-middle attacks. Methods such as SMS-based codes can be intercepted, and TOTP is susceptible to phishing.
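As an added illustration of why the phishing resistance holds (example code, not from the original page or from Yubico): a relying party does not just check a code, it checks that the browser-reported origin and the RP ID hash baked into the authenticator data match the site it expects, and that the challenge is the one it just issued. The authenticator signs over the authenticator data and the hash of clientDataJSON, so a phishing page cannot rewrite those fields; it can only obtain an assertion bound to its own origin, which the real site rejects. Names such as `verify_assertion`, the constructed challenge and the sample origins are this example's own; the layout of authenticator data (rpIdHash, flags, signature counter) follows the WebAuthn specification.

```python
import base64
import hashlib
import json

# Constructed challenge, standing in for the random value a server would issue per login.
CHALLENGE = bytes(range(32))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_data(rp_id: str, sign_count: int, user_present: bool = True,
                       user_verified: bool = True) -> bytes:
    """Minimal WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian).

    The browser only lets the key use an rp_id that is a registrable suffix of the page origin,
    so a page on a phishing domain gets a hash of *that* domain, never of the real one.
    """
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it; 'origin' is filled in by the browser, not the page."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def verify_assertion(expected_rp_id: str, expected_origin: str, issued_challenge: bytes,
                     client_data: bytes, auth_data: bytes, stored_sign_count: int):
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    sign_count = int.from_bytes(auth_data[33:37], "big")
    # A counter that does not move forward suggests a cloned authenticator.
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


def demo():
    """Legitimate login versus the same user tricked onto a look-alike domain (both constructed)."""
    rp_id, origin = "example.com", "https://example.com"
    legit = verify_assertion(rp_id, origin, CHALLENGE,
                             client_data_json(CHALLENGE, origin),
                             authenticator_data(rp_id, 5), stored_sign_count=4)
    # The phishing page relays the real challenge, but the browser stamps its own origin
    # and the key hashes the phishing domain as rp_id.
    phished = verify_assertion(rp_id, origin, CHALLENGE,
                               client_data_json(CHALLENGE, "https://example-com.evil"),
                               authenticator_data("example-com.evil", 5), stored_sign_count=4)
    return legit, phished


if __name__ == "__main__":
    print(demo())
```

A TOTP code carries none of this binding: whatever site the user types it into can forward it to the real one within the validity window, which is the gap FIDO2 closes.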

Setup

https://www.yubico.com/setup/
https://docs.yubico.com/software/yubikey/tools/authenticator/auth-guide/yubico-otp.html
https://developers.yubico.com/Developer_Program/Guides/Touch_triggered_OTP.html

macOS

The "Microsoft Remote Desktop" client for macOS does not support FIDO2 WebAuthn, but there is a client available that does, called Thincast.

Thincast Client

A free Remote Desktop Client for Linux, macOS and Windows.
https://thincast.com/en/products/client
Web Authentication (WebAuthn)
Use biometric devices or security keys (like Yubico and FIDO2) for authenticating your users in remote desktop sessions.
Web Authentication (WebAuthN)
Securely authenticate your users.
Thincast Client has built-in support for the WebAuthN virtual channel. It enables secure authentication for users accessing remote desktops and leverages the Web Authentication (WebAuthN) API to provide strong authentication using either biometric data, security keys, or other methods.

ykman

Yubico OTP

  • Public ID - 12 Characters (6 Bytes) - modhex value
  • Private ID - 12 Characters (6 Bytes) - hex value
  • Secret key - 32 Characters (16 Bytes) - hex value
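An added example (not from the original page or from the ykman project) showing what those three values are and how they fit into an emitted OTP. A Yubico OTP is 44 modhex characters: the first 12 are the public ID in the clear, the remaining 32 are a 16-byte token encrypted with the secret key (AES-128). Inside that token sit the 6-byte private ID, counters, a timestamp, random bytes and a CRC-16; a validation server decrypts, checks the CRC residue and checks that the counters moved forward. The code below implements the modhex codec, the token layout and the CRC/counter checks; it does not perform the AES step (the standard library has no AES, so that is left as a comment). All sample values, and the helper names, are constructed for this example.

```python
# Modhex is Yubico's alphabet for hex digits chosen so the key types the same characters
# on any keyboard layout; "c" is 0 and "v" is 15.
MODHEX = "cbdefghijklnrtuv"
_HEX = "0123456789abcdef"
CRC_OK_RESIDUE = 0xF0B8  # value crc16() yields over a token whose trailing CRC is intact


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("invalid modhex string")
    return bytes.fromhex("".join(_HEX[MODHEX.index(c)] for c in s))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[_HEX.index(c)] for c in b.hex())


def crc16(data: bytes) -> int:
    """CRC-16 as used by Yubico (ISO 13239 / X.25): init 0xffff, reflected polynomial 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(private_id: bytes, use_ctr: int, tstp: int, session_ctr: int, rnd: int) -> bytes:
    """16-byte OTP plaintext: uid(6) | useCtr(2 LE) | tstp(3 LE) | sessionCtr(1) | rnd(2 LE) | crc(2 LE).

    The key AES-128-ECB-encrypts this with the 16-byte secret key and appends it, modhex-encoded,
    to the public ID. (AES is not performed here.)
    """
    if len(private_id) != 6:
        raise ValueError("private ID must be 6 bytes (12 hex characters)")
    body = (private_id + use_ctr.to_bytes(2, "little") + tstp.to_bytes(3, "little")
            + bytes([session_ctr]) + rnd.to_bytes(2, "little"))
    crc = (~crc16(body)) & 0xFFFF  # stored complemented, so crc16 over all 16 bytes gives the residue
    return body + crc.to_bytes(2, "little")


def crc_ok(token: bytes) -> bool:
    return len(token) == 16 and crc16(token) == CRC_OK_RESIDUE


def parse_token(token: bytes) -> dict:
    """Fields a validation server reads after decrypting the 16-byte ciphertext."""
    return {
        "uid": token[:6].hex(),
        "use_ctr": int.from_bytes(token[6:8], "little"),
        "tstp": int.from_bytes(token[8:11], "little"),
        "session_ctr": token[11],
        "rnd": int.from_bytes(token[12:14], "little"),
        "crc_ok": crc_ok(token),
    }


def counters_advance(previous: dict, current: dict) -> bool:
    """Replay protection: (useCtr, sessionCtr) must be strictly greater than the last accepted pair."""
    return (current["use_ctr"], current["session_ctr"]) > (previous["use_ctr"], previous["session_ctr"])


def split_otp(otp: str):
    """Split a 44-character OTP into the modhex public ID and the 16-byte ciphertext."""
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 modhex characters")
    return otp[:12], modhex_decode(otp[12:])


if __name__ == "__main__":
    # Constructed values, in the formats ykman expects: public ID modhex, the others hex.
    public_id = "vvcccccbdefg"
    private_id = bytes.fromhex("a1b2c3d4e5f6")
    token = build_token(private_id, use_ctr=3, tstp=0x123456, session_ctr=7, rnd=0xBEEF)
    print(public_id, parse_token(token))
    # A real OTP would be public_id + modhex_encode(aes128_ecb_encrypt(secret_key, token)).
    print(split_otp(public_id + modhex_encode(token)))
```

The counters are why a captured OTP cannot be replayed: once the server has accepted a (useCtr, sessionCtr) pair for a given public ID, anything equal or lower is rejected, and the usage counter is non-volatile on the key.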

OTP Info

Get slot info

ykman otp info
~$ ykman otp info
Slot 1: programmed
Slot 2: programmed

Program OTP to Slot 1

Program a Yubico OTP credential to slot 1, using the serial as public id:
$ ykman otp yubiotp 1 --serial-public-id

Delete OTP Slot 2

ykman otp delete 2

Example:

~$ ykman otp delete 2
Do you really want to delete the configuration of slot 2? [y/N]: y
Configuration slot 2 deleted.

---

Restricted access example:

~$ ykman otp delete 2
Do you really want to delete the configuration of slot 2? [y/N]: y
ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).

Change Access Code

ykman otp --access-code $accesscode settings --delete-access-code $slot --force
ykman otp --access-code 000028629609 settings --delete-access-code 2 --force

Reference: https://support.yubico.com/s/article/Removing-a-configuration-protection-access-code

Access Codes

https://support.yubico.com/s/article/Removing-a-configuration-protection-access-code

If you do not know the access code

The short answer is -- you can't. The purpose of setting access codes is to prevent others from deleting a credential from the slot(s) or programming a different credential.

keywords