YubiKey


The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols[1] developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.

Wikipedia


Setup

The YubiKey itself should work out of the box.

Usage

Tested:

Website Firefox (< 90.0.1) Chromium
fastmail.com 2FA working working
demo.yubico.com/webauthn-technical/registration working working
GitLab working working
   

YubiKey: Switch between U2F and OTP modes

It’s best to follow these steps as a root, to avoid issues with device recognition after switching modes:

su - root

Install the Yubikey manager:

$ guix package -i python-yubikey-manager

Verify your device is recognized:

$ ykman list
YubiKey 5 Nano [FIDO] Serial: 109*****

Determine current connection mode:

$ ykman mode
Current connection mode is: FIDO
Supported USB interfaces are: OTP, FIDO, CCID

# for more information
$ ykman info
Device type: YubiKey 5 Nano
Serial number: 109*****
Firmware version: 5.2.4
Form factor: Nano (USB-A)
Enabled USB interfaces: FIDO

Applications
OTP             Disabled
FIDO U2F        Enabled 
OpenPGP         Disabled
PIV             Disabled
OATH            Disabled
FIDO2           Enabled

Switch to OTP

$ ykman mode otp
Set mode of YubiKey to OTP? [y/N]: y

When you touch your YubiKey now, you should get a OTP input (cccccdligrgcdtoqkjsnahtnhfvbhicjbgasdiujesc), to whatever field is selected. Depending on whether you’re using Slot 1 or 2, this happens immideately, or after a 3 seconds delay.

To switch back to FIDO

ykman mode FIDO
Set mode of YubiKey to FIDO? [y/N]: y

Unless not supported, it’s best to stick to FIDO U2F for ease and security.

Troubleshooting

Check if your YubiKey is recognized

$ su - root # login as root
$ dmesg|grep Yubi
[  997.077641] usb 1-4: Product: YubiKey FIDO
[  997.077642] usb 1-4: Manufacturer: Yubico
[  997.079001] hid-generic 0003:1050:0402.0006: hiddev0,hidraw3: USB HID v1.10 Device [Yubico YubiKey FIDO] on usb-0000:00:14.0-4/input0

Check if your browser is working

  1. Go to demo.yubico.com/webauthn-technical/registration
  2. Register your device

PantherX & (unofficial) GNU Guix Wiki.

Last update: 2024-04-21 10:28:03 +0000 | Apache-2.0

Inspired by the excellent Arch Linux Wiki