Alexander Savin blog

Eng/Ru
07 Apr 2015

Yubikey - no password required

Yubikey is a tiny USB device with a single button. Once you plug it into computer, it will pretend to be a USB keyboard. When you press (the) button, it will output a seemingly random string of characters into selected input field.

It can also let you to forget all passwords and keep your memory cells occupied with more important stuff. Like birthday date of your spouse or when is the next episode of Silicon Valley.

Here's my personal experience of using Yubikey for a week. It will probably lack some details like security algorithms used by Yubikey internals. But you should get pretty good idea on what it is and if it's of any use to you.

The very basic and highly promoted use case of Yubikey goes like this:

  • You activate 2-step authentication on Gmail
  • Once Gmail require you to authenticate, you type in your usual user/pass combo, and then plug in Yubikey
  • Yubikey generates one-time password (OTP), which is then approved by Gmail

At this point you might say that there is Google Authenticator app for generating OTP:s, and you're using it already. The difference is that you a) need a phone for that, and b) OTP generated by Yubikey is so much more stronger. And, unlike codes via SMS messages, it doesn't require any cellular coverage.

The very first thing I did after getting my Yubikey Basic Standard key is opened Google Account Security settings, went on to the 2-step verification tab and tried to add new hardware security key. To my great surprise, Yubikey wasn't recognised by Google. Few minutes of reading documentation produced following important details:

  • It only supported by Chrome browser
  • Your key must be compatible with a special protocol called FIDO U2F (which can be checked by presence of a golden key logo on a button)

Turned out Yubikey Standard wasn't compatible with FIDO U2F. "Bummer", I thought, "What a useless piece of hardware".

That was the first lesson - not all Yubikeys are created equal. To be completely fair, if you read on into the spec matrix, there is a row titled "Google Accounts Compatible". And there is a special version of Yubikey that supports only FIDO U2F and is cheapest of them all.

"So what is this thing and what can it do?" I asked the Universe and delved into documentation.

Most important discovery was free app, provided by Yubico and called YubiKey Personalization Tool. It is available for both Mac and Windows, and once you have it, the world of possibilities is suddenly open. It'll also unleash tons of security specific terms on you - the very top level of choices will be: Yubico OTP (you can probably guess what it is by now), OATH-HOTP (tricky), Static Password (guessable), Challenge-Response (no idea), as well as extra settings and tools.

You'll also discover that Yubikey Standard has 2 programmable slots. First slot will be pre-programmed to produce one time passwords, and second slot will be waiting for your decisions to make it whatever you think it should be.

Let's go back to the Yubico one-time-password option for a moment. Yubico wants web developers to easily enable 2-step authentication for their online apps. It works via something called Yubico Cloud. Once you generate OTP string from the key, it is submitted to Yubico, which respond with either yaarp or naarp, thus letting the app know if the authentication was successful.

The key moment here is Yubico Cloud. In order to authenticate your key, it needs your, well, virtual key (string of characters), stored in the hardware key. By default everything is pre-generated, key is uploaded to Yubico Cloud and ready to use. You are free to regenerate private keys for OTP feature, which might be a good idea if the hardware key was compromised during delivery. After generating new pair of keys, you can use the same app to upload keys to Yubico.

Once again, to be completely fair, you don't have to tie yourself to Yubico Cloud servers. There are open source options to host your very own verification server.

Another easy win is static password feature. Yubikey can be programmed to simply output up to 38 characters - or actually scan codes, since it pretends to be a keyboard. I ended up programming strong static password into slot 2, and it is now available with long tap on the button.

Here is a full guide how to trigger slots on your Yubikey:

  • Slot 1: short tap on the button
  • Slot 2: long tap (2-3 sec) on the button

What else can you do with strong static password? Well, you can follow advice of this guy and protect your 1Password app with a 2-part master password, consisting of strong part stored on the hardware key, and easy part stored in your memory. This way you will end up not knowing the full password to unlock all of your secrets (he still recommends printing full master password out and storing in a safe place). If the key is compromised, the evil party will only get part of the master password. They still might torcher you and get second part of the password, but that's another story.

There is an interesting ongoing discussion on AgileBits forum between users asking for native Yubikey support in 1Password, and devs explaining how Yubikey actually works. Basic argument against having support for Yubikey OTP is that this will require internet connection, and you can use Yubikey anyway for static password by simply activating input field on the screen and pressing button on the key.

I guess, the most exciting thing about Yubikey is that it is fully transparent, reprogrammable and can be used in many different ways. It makes a lot of sense in corporate IT environment, since you can setup your very own authentication cloud and distribute keys to your employees already pre-programmed and ready to use. One thing to remember is that Yubikey doesn't have any internal clock, neither a battery that would power that clock. This is somewhat compensated by a special apps on your computer that can generate timestamps.

And by the way, Fastmail supports Yubikey logins natively.