YubiKey
Revision as of 17:44, 15 December 2025
YubiKey Manager
https://www.yubico.com/support/download/yubikey-manager
Use the YubiKey Manager to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and Linux operating systems. The tool works with any currently supported YubiKey. You can also use the tool to check the type and firmware of a YubiKey. In addition, you can use the extended settings to specify other features, such as to configure 3-second long touch.
HOTP
Interfaces
USB and NFC
Applications:
- OTP - One-Time Password [1]
- Short Touch (Slot 1)
- Long Touch (Slot 2)
- Options:
- Yubico OTP (Default)
- Challenge-response
- Static password
- OATH-HOTP (Good option for 2nd slot)
- FIDO2 - Fast IDentity Online version 2 [2]
- FIDO2 PIN
- PIV - Personal Identity Verification (PIV) [3]
- PIN, PUK, Management Key
- Certificates
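Added example (not from this page and not Yubico's code): what a slot configured for OATH-HOTP produces on each touch, computed per RFC 4226, plus the server-side check with a look-ahead window and replay rejection. The secret is the RFC 4226 test vector, used here as constructed test input only.

```python
import hashlib
import hmac
import struct

# RFC 4226 reference secret: constructed test input from the RFC, not a real key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an OATH-HOTP code (RFC 4226) for one counter value.

    This is what a YubiKey slot programmed for OATH-HOTP emits: HMAC-SHA1 over
    the 8-byte big-endian counter, dynamic truncation to 31 bits, then the
    value reduced modulo 10^digits and zero-padded.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 10):
    """Server-side check with a look-ahead window (the key may have been
    touched without the code being submitted).

    Returns the counter that matched, which the server must persist so the
    same code is never accepted twice, or None if nothing in the window
    matches. Counters at or below last_counter are never tried: HOTP is
    counter-based, so an already-seen code must be treated as a replay.
    """
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None
```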
Interfaces: (USB and NFC)
- OTP - One-Time Password [4]
- FIDO U2F - Fast IDentity Online / Universal 2nd Factor [5]
- Version 1 of FIDO
- FIDO2 - Fast IDentity Online version 2 [6]
- Version 2 of FIDO
- PIV - Personal Identity Verification (PIV) [7]
- OpenPGP - [8] [9]
- OATH - Open Authentication [10]
Remote Desktop
FIDO2 passthrough requires Windows version 1903 or higher.
"WebAuthN requires Windows 10 version 1903 or higher"
Ref:
FIDO2 security key sign-in to Windows - Microsoft Entra ID | Microsoft Learn https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-windows
SSO
OTP/TOTP mode vs PIN+FIDO2 mode
The benefit of FIDO2 is that it verifies the physical USB connection end-to-end, but this also requires end-to-end FIDO2 support.
Compared to traditional MFA methods like SMS codes or TOTP (Time-based One-Time Password), FIDO2 offers higher security by resisting phishing and man-in-the-middle attacks. Methods such as SMS-based codes can be intercepted, and TOTP is susceptible to phishing.
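Added example, not from this page and not a WebAuthn library: the relying-party checks that give FIDO2 its phishing resistance. A TOTP code is valid wherever it is typed, whereas a WebAuthn assertion carries the origin the browser saw and the hash of the RP ID the key signed for, so an assertion captured on a look-alike site fails before any signature check. The origins and RP IDs are assumed sample values, the `make_sample` helper stands in for browser plus key, and verification of the signature over `authenticatorData || SHA-256(clientDataJSON)` is left out.

```python
import base64
import hashlib
import hmac
import json
import struct


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec that precede the signature check.

    Returns (ok, reason). The signature itself must still be verified with the
    stored credential public key; that step is not shown here.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if client_data.get("origin") != expected_origin:
        # The browser fills in the real origin; a phishing page cannot forge it.
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        # The key only signs for an RP ID that is a registrable suffix of the origin.
        return False, "rpIdHash mismatch: assertion was made for a different RP ID"
    if not flags & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what browser and key produce (test data only)."""
    cdj = json.dumps({"type": "webauthn.get",
                      "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                      "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (UP|UV = 0x05) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 7)
    return cdj, auth_data
```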
Setup
https://www.yubico.com/setup/
https://docs.yubico.com/software/yubikey/tools/authenticator/auth-guide/yubico-otp.html
https://developers.yubico.com/Developer_Program/Guides/Touch_triggered_OTP.html
macOS
The "Microsoft Remote Desktop" client for macOS does not support FIDO2 WebAuthn, but there is a client available that does, called Thincast.
Thincast Client
A free Remote Desktop Client for Linux, macOS and Windows. https://thincast.com/en/products/client
Web Authentication (WebAuthn) Use biometric devices or security keys (like Yubico and FIDO2) for authenticating your users in remote desktop sessions.
Web Authentication (WebAuthN) Securely authenticate your users. Thincast Client has built-in support for the WebAuthN virtual channel. It enables secure authentication for users accessing remote desktops and leverages the Web Authentication (WebAuthN) API to provide strong authentication using either biometric data, security keys, or other methods.
ykman
OTP Info
Get slot info
ykman otp info
~$ ykman otp info
Slot 1: programmed
Slot 2: programmed
Delete OTP Slot 2
ykman otp delete 2
Example:
~$ ykman otp delete 2
Do you really want to delete the configuration of slot 2? [y/N]: y
Configuration slot 2 deleted.
---
Restricted access example:
~$ ykman otp delete 2
Do you really want to delete the configuration of slot 2? [y/N]: y
ERROR: Failed to write to the YubiKey. Make sure the device does not have restricted access (see "ykman otp --help" for more info).
Access Codes
https://support.yubico.com/s/article/Removing-a-configuration-protection-access-code
If you do not know the access code
The short answer is -- you can't. The purpose of setting access codes is to prevent others from deleting a credential from the slot(s) or programming a different credential.
References
[1] https://docs.yubico.com/yesdk/users-manual/application-otp/otp-overview.html
[2] https://docs.yubico.com/yesdk/users-manual/application-fido2/fido2-overview.html
[3] https://docs.yubico.com/yesdk/users-manual/application-piv/piv-overview.html
[4] https://docs.yubico.com/yesdk/users-manual/application-otp/otp-overview.html
[5] https://docs.yubico.com/yesdk/users-manual/application-u2f/fido-u2f-overview.html
[6] https://docs.yubico.com/yesdk/users-manual/application-fido2/fido2-overview.html
[7] https://docs.yubico.com/yesdk/users-manual/application-piv/piv-overview.html
[8] https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
[9] https://developers.yubico.com/PGP/
[10] https://docs.yubico.com/yesdk/users-manual/application-oath/oath-overview.html