YubiKey
This page is about the YubiKey product made by Yubico, and how I use it for logging in to services, with or without passwords.
Devices
I currently own the following devices:
- YubiKey 5C NFC
  - Firmware version = 5.7.1
  - Serial number = 30077530
  - GTIN (the number printed on the back of the cardboard packaging) = 5060408462331
  - Supports up to 100 passkeys and 64 OTP accounts
Note: Firmware version and serial number can be seen in the Yubico Authenticator app and in the output of the ykman command line tool. The firmware version is also visible in the macOS system report when you select the device.
References
- [1] https://www.yubico.com/blog/a-yubico-faq-about-passkeys/
- [2] https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios
- [3] https://www.yubico.com/ch/product/yubikey-5c-nfc/
- [4] https://yubico.com/start
- [5] https://www.yubico.com/works-with-yubikey/catalog/
- [6] https://www.yubico.com/getting-started/
- [7] https://www.yubico.com/products/yubico-authenticator/
- [8] https://docs.yubico.com/software/yubikey/tools/ykman/
- [9] https://www.yubico.com/resources/glossary/what-is-a-passkey/
- [10] https://support.yubico.com/hc/en-us/sections/360003979540-Troubleshooting
About passkeys
General information
The Yubico FAQ [1] refers to "copyable passkeys" and "hardware bound passkeys". The latter are usually not copyable. Specifically, YubiKey firmware does not allow reading out any of the secrets stored on a YubiKey. Since authentication with a passkey does not reveal the secret either (unlike e.g. a password login, where the YubiKey has to simulate typing the password on a keyboard), a YubiKey passkey effectively cannot be backed up. Yubico recommends registering a second YubiKey as an alternative authentication method, or adding another form of 2FA to your accounts.
Some thoughts of my own: A copyable passkey is comparable in security to a federated "login with Apple/Google..." combined with 2FA. The passkey itself is the secret that replaces the password, while the hardware device (e.g. iPhone) that performs the passkey authentication can be said to act as the second factor. On the other hand, if the passkey copy is stored in some other place than the hardware device (e.g. in the cloud, or in a password manager) then the password that protects the other place can be seen as a weakness because an attacker might be able to obtain a passkey copy by breaking the password of the copy storage location.
My personal preference:
- I would prefer to have a YubiKey, but the fact that I can’t have a backup discourages that solution. A second YubiKey as backup would be a viable option, security-wise, but the fact that I would have to register two passkeys every time I create a new account is not very user friendly. Also, how can I be sure that the platform where I create an account allows registering multiple passkeys?
- Personally I have more trust in a passkey copy being stored in a VeraCrypt container than the copy being stored somewhere in the cloud. This way I have control over where I store the container. In addition, it makes me independent from the cloud provider. Therefore my second-best solution would be to have a hardware device that allows me to copy the passkey manually. iOS / Apple therefore seems to be **not** the right choice at the moment (see next section).
Passkey support by Apple
According to [2], a passkey on an iPhone is stored in the iCloud Keychain. Authentication with a different device works via a QR code that is then scanned with the iPhone.
General information about working with a YubiKey
Getting started
The product information can be found on [3]. An overview of the first steps is available on [4]. A list of services that support the use of a YubiKey, in one way or another, is available from [5].
An important part of getting started is that YubiKeys with firmware 5.7.0 and later are shipped with NFC disabled, so that the YubiKey is protected against tampering during shipping. To enable (activate) NFC, plug the YubiKey into a computer (or any USB power source) for 3 seconds or more. This is from [6].
Yubico Authenticator
The "Yubico Authenticator" app can be installed via the macOS App Store, or by downloading it from the Yubico website [7]. It provides a friendly GUI to configure some settings and manage the credentials stored on the YubiKey.
ykman / YubiKey Manager
ykman is short for "YubiKey Manager". This is a command line utility provided by Yubico to configure YubiKeys. Full documentation is available at [8], but the --help option is also useful.
Note: There is a GUI for ykman, but Yubico themselves strongly recommend using the Yubico Authenticator app instead, because that is newer and has more functionality.
Install the tool via Homebrew:
brew install ykman
To list all YubiKeys connected to the computer:
ykman list
Show information about a specific YubiKey identified by its serial number:
ykman --device 30077530 info
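As an added example (not code from Yubico or from this page), a small shell helper that reads the text printed by ykman info and reports the serial number, firmware version and whether NFC is enabled; it also flags the case from the getting-started section above, where firmware 5.7.0 and later ships with NFC disabled. SAMPLE_INFO is a constructed transcript in the layout ykman prints, so the block runs without a key plugged in.

```shell
#!/bin/sh
# Added example, not code from Yubico or from this page: quick checks on the
# text that `ykman info` prints. SAMPLE_INFO is a CONSTRUCTED transcript in
# that layout (serial and firmware are the ones listed on this page).
# Real use:  ykman --device 30077530 info | yk_nfc_status
SAMPLE_INFO='Device type: YubiKey 5C NFC
Serial number: 30077530
Firmware version: 5.7.1
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is disabled.'

# yk_field LABEL: print the value of the "LABEL: value" line read from stdin.
yk_field() {
  sed -n "s/^$1: *//p" | head -n 1
}

# yk_version_ge A B: succeed when dotted version A (x.y.z) is >= B.
yk_version_ge() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2          # -> a1 a2 a3 b1 b2 b3
  IFS=$old_ifs
  [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
  [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
  [ "$3" -ge "$6" ]
}

# yk_nfc_status: read a `ykman info` transcript from stdin, print a one-line
# verdict and return 0 = NFC enabled, 1 = NFC disabled, 2 = no NFC line found.
yk_nfc_status() {
  info=$(cat)
  serial=$(printf '%s\n' "$info" | yk_field 'Serial number')
  fw=$(printf '%s\n' "$info" | yk_field 'Firmware version')
  if printf '%s\n' "$info" | grep -q '^NFC transport is enabled'; then
    echo "YubiKey $serial (firmware $fw): NFC enabled"
    return 0
  elif printf '%s\n' "$info" | grep -q '^NFC transport is disabled'; then
    if yk_version_ge "${fw:-0.0.0}" 5.7.0; then
      echo "YubiKey $serial (firmware $fw): NFC disabled; firmware 5.7.0+ ships" \
           "with NFC off, plug the key into USB power for 3+ seconds to enable it"
    else
      echo "YubiKey $serial (firmware $fw): NFC disabled by configuration"
    fi
    return 1
  fi
  echo "YubiKey $serial (firmware $fw): NFC status not reported"
  return 2
}

printf '%s\n' "$SAMPLE_INFO" | yk_nfc_status || echo "exit status $?"
```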
Getting macOS to recognize the YubiKey
On my MacBook (16", Nov. 2023, Apple M3 Max processor) with macOS Sonoma (14.6.1) installed, the YubiKey is recognized on the hardware level (create a System Report, then check "Hardware > USB") but is blocked by the OS.
To fix this:
- Open "System Preferences > Privacy & Security"
- Scroll down and click the pop-up menu next to "Allow accessories to connect"
- Select "Automatically when unlocked" and authenticate as administrator
Note: If the YubiKey is plugged in at this moment, a keyboard assistant window will pop up, apparently to set up an external keyboard. You can terminate this without going through the assistant.
From now on the YubiKey should be usable, e.g. it will be seen by Yubico Authenticator or the ykman command line utility.
Configure a PIN
In order to allow setting up a passkey, you have to configure the YubiKey with a PIN. Although I couldn't find a reference to this, I was unable to set up any passkey until I set a PIN.
Use the Yubico Authenticator to set a PIN:
- Launch
- Select "Passkeys"
- On the right select the option to set a PIN (aka "FIDO2 PIN")
How to set up a passkey
General procedure
The general procedure is that each and every service needs to be set up for use with the YubiKey. Services differ in how they work together with a YubiKey. In general the options are found on the service website under "Two-step verification", "Two-factor authentication" (2FA) or "Multi-factor authentication" (MFA).
- The preferred option: Security key
  - The term "Security key" here refers to the YubiKey.
  - This actually seems to be the same as the "Passkey" option - at least I cannot see a conceptual difference.
- Option 2: Authentication app (aka "Time-based one-time password (TOTP) app")
  - When this is chosen, you need to install the "Yubico Authenticator" app on the device that will pair with the YubiKey.
  - For details see [4].
- Option 3: Passkey
  - The service will communicate with the browser and instruct it to create a passkey.
  - The browser will prompt you to create the passkey using a variety of methods => Choose the option "Security key".
  - As mentioned above, I don't see a conceptual difference to the "Security key" option.
  - For more general information about passkeys, see [9].
Example procedure for GitHub
Here is an example for the procedure I used when setting up my first passkey for GitHub on 21-Dec-2024. I did this on my MacBook.
- Log in to GitHub
- Open your account settings, select "Password and authentication" and in the "Passkeys" section select the button "Add a passkey".
- Select "Add passkey". A macOS dialog pops up that offers to use "Touch ID" to sign in and store the passkey in the iCloud Keychain.
- Select "Other options", then select the option "Security key".
- Next a prompt appears to "insert and activate your security key" => Plug the YubiKey in (if it's not yet plugged in).
- Touch the YubiKey's touch sensor.
- Next a prompt appears to enter the security key PIN => Enter the PIN to unlock the YubiKey.
- Another prompt appears telling you to "Insert and activate your security key again" => This is misleading - there is no need to unplug the YubiKey and plug it in again. Simply touch the YubiKey's touch sensor again.
- As a final step, GitHub prompts you to give the passkey an alias => This is useful because you can set up the account with multiple passkeys. I give it the name "YubiKey 5C NFC (main, 30077530)", in the expectation that I may later set up another passkey with a backup YubiKey.
- The passkey has now been generated and can be seen both in the Yubico Authenticator app and on GitHub.
OTP / TOTP
TODO
When trying this out for the first time, be aware of an issue on macOS with YubiKey Manager and a missing "Input Monitoring" permission. See here: https://support.yubico.com/hc/en-us/articles/360016648939-Troubleshooting-Failed-connecting-to-the-YubiKey-Make-sure-the-application-has-the-required-permissions-in-YubiKey-Manager