loading...
Cover image for Use your Yubikey to its Fullest

Use your Yubikey to its Fullest

shostarsson profile image Rémi Lavedrine ・8 min read

Photo by Yogi Purnama on Unsplash


On our way to make our accounts as secure as we possibly can, I will explain all the possibilities a Hardware token (Yubikey) can offer.
It can go from encrypting your e-mails to encrypting a USB Key content or unlocking your computer.

I know it is a long post, but I tried to make it as enjoyable and understandable to read as I can. So you can use that new device you just bought to its fullest.
If you read my last post about MFA and you made this leap of buying a hardware token, Yubico embedded a lot of features into their devices so why not try to use all of them?


I am streaming every Thursday at 9:00pm (UTC+2) on my Twitch channel about Security topics. 🖥️

Feel free to come and say hello 🙋🏼‍♂️, if Multi-factor Authenticator is of any interest to you or if reading that article brought some questions and you desperately need answers. 🤔
I'll be more than happy to answer.


Introduction

After a massive password breach on Yahoo!, I decided to reconsider my security on the Internet. Starting with my passwords.
I made some research, considered using a Password Manager and moved to KeepassXC.
After some research, I get to the point that a password, even a long enough chaotic password handled by a password manager, is not enough to really guarantee the security of my accounts.
That's why I decided to use MFA and bought a Yubikey.

At the beginning, I used the very basics capabilities of the Yubikey which is just a simple U2F token.
It is just the key to unlock the access to my account along with the password. Just a padlock that requires a pin code ("something you know") and a key ("something you own") to get unlocked.

But a Yubikey can offer a lot more that that.
Yubikey

In this article, I'll try to present all the possibilities that a Yubikey can offer to better secure a lot of your assets, to use your brand new Yubikey to its fullest.


The Yubikey as a U2F token

It is the most basic use and the most simple one to use.
You are using the basic capabilities of your Yubikey to connect to websites.
This website presents an exhaustive list of services that supports Multi-factor Authentication and the method supported, either hardware or software only or both and their limitations.

Two Factors Auth Website
Two Factors Auth Website

I used it a lot at the beginning to check if the websites I was using supports MFA. You can even ask them to support MFA through a tweet or a Facebook message with a click of a button.
Have a look at this website and check if the websites you are using allows Multi-factor Authentication.


The Yubikey to unlock your Windows Machine

Starting with Windows 10, Microsoft offers the possibility to unlock your computer with a lot a different methods, from a simple Pin code to your face and offers an API for third party to implement an unlock your machine mecanism.
Yubico took advantage of it and published an application to unlock your Windows 10 computer using a pre-register Yubikey.

You can download the application here from the Windows Store.

Yubikey for Windows Hello - 1
1. Register a Yubikey
Yubikey for Windows Hello - 2
2. Name your Yubikey
Yubikey for Windows Hello - 3
3. Validate the Yubikey
Yubikey for Windows Hello - 4
4. Registered Yubikeys

As you can see, you can register more than one Yubikey to unlock your computer. Which is a very good practice as I described in my generic article about Multi-factor Authentication.

There is also a page on the Yubico website that regroups all the tools you can use to register to basically any Windows accounts wether it is Local accounts, Azure AD accounts, Classic AD accounts. And even on Mac machines.

If you want to add a new possibility to unlock your Windows Machine, you can use your Yubikey. You just have to download the Windows Hello Yubikey application on the Microsoft Store and then set up your Yubikey as a Windows Hello method.


The Yubikey to Unlock your Mac Machine

Mac OS Sierra allows the use of smartcards to connect to your machine.
To use this feature, your Yubikey must have a certificate in it so that it can work as a smartcard. The Yubico PIV Manager will help you set up a Certificate in your Yubikey in a few steps.

Yubikey for Mac Unlock - 1
1. Yubico PIV Manager w/ Yubikey
Yubikey for Mac Unlock - 2
2. Yubico PIV Manager w Yubikey

You just install the application and then plug your Yubikey in and it will set it up.

You have to set up a Pin code from 6 to 8 characters. So you can replace a very complicated password (your Mac's session password) to a much more simple code but you will need something with you.

Yubikey for Mac Unlock - 3
3. Add a Pin Code
Yubikey for Mac Unlock - 4
4. Pin Code Added

As soon as the Yubikey is set up, your Mac will ask you if you want to associate this Yubikey with your account.

Yubikey for Mac Unlock - 5
5. Pair the Yubikey with the Account
Yubikey for Mac Unlock - 6
6. Unlock Pairing Yubikey

Now, you can login to your Mac using your Yubikey. It is pretty straightforward.
On the new MacBook Pro, I think that TouchId is bettter than that but on all the "older" Mac, it is a really powerful method.


Use your Yubikey to Enforce your Password Manager Software

Dashlane or LastPass allows the use of a Security Key.

Yubikeys are perfectly integrated with Lastpass.
Here is a video that describes it :

Similarly, Dashlane supports Yubikeys.
Here is a video that describes it :

And Dashlane explains it on its website.


Store a PGP Key and Use It

A Yubikey can store a private key, so you can use this key within your Yubikey to encrypt your e-mails or do anything that you can do with a PGP Key. And there are a lot of possibilities.

What is PGP ?

PGP stands for "Pretty Good Privacy" and according to Wikipedia :

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

Sign your Git Commits

As PGP supports message authentication and integrity checking, you can use it to sign your Git commits.

To do that, you just have to create you Private/Public key pair, store the private key in the PGP Signature slot of the YubiKey.

gpg --edit-key 13AFCE85

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/D7421CDF  created: 2014-03-07  expires: 2014-06-15  usage: E
sub  2048R/B4000C55  created: 2014-03-07  expires: 2014-06-15  usage: A
[ultimate] (1). Foo Bar <foo@example.com>

gpg> toggle

sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
ssb  2048R/D7421CDF  created: 2014-03-07  expires: never
ssb  2048R/B4000C55  created: 2014-03-07  expires: never
(1)  Foo Bar <foo@example.com>

gpg> keytocard
Really move the primary key? (y/N) y
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

and then

gpg> key 1

sec  2048R/13AFCE85  created: 2014-03-07  expires: 2014-06-15
                     card-no: 0000 00000001
ssb* 2048R/D7421CDF  created: 2014-03-07  expires: never
ssb  2048R/B4000C55  created: 2014-03-07  expires: never
(1)  Foo Bar <foo@example.com>

gpg> keytocard
Signature key ....: 743A 2D58 688A 9E9E B4FC  493F 70D1 D7A8 13AF CE85
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (2) Encryption key
Your selection? 2

And you have your signature key in the Signature slot of your Yubikey. You're good to go.

To sign your commit, you can just have a look at that (great 😉) article about it on DEV.

Encrypt your E-mails

As PGP supports encryption, you can use it to encrypt strings. And what is better than an e-mail as a perfect target for encryption.

We just added a key to the Yubikey's Authentication slot to sign the Git commit.
To encrypt messages, we have to add a key to Yubikey's Encryption slot.

Let's do this following what we did above :

gpg> key 2
 sec  2048R/17DB29BE  created: 2014-11-16  expires: 2018-11-16
 ssb  2048R/FAFFECA6  created: 2014-11-16  expires: never     
                      card-no: 0006 03036660
 ssb* 2048R/A9057450  created: 2014-11-16  expires: never     
 (1)  Trammell Hudson <hudson@trmm.net>
 gpg> keytocard
 Signature key ....: none
 Encryption key....: D04F 94C6 EF86 C150 9486  3F5C 2695 8563 FAFF ECA6
 Authentication key: none
 Please select where to store the key:
    (1) Signature key
    (3) Authentication key
 Your selection? 1

Now, you can use your favorite e-mail client that supports GPG to encrypt and/or sign your e-mails.
I am personnaly using Thunderbird with Enigma. But you can use Apple Mail with the GPGMail plugin.


Conclusion

For all these methods, it is important that you always have a spare method to connect to your account if you are losing your Yubikey.
You can use a spare Yubikey. That means that every time you set up a Yubikey on a service, you have to set up another one (the spare Yubikey) that you are going to save somewhere safe.

And if an attacker has access to the Yubikey (steals it), it can't extract any information from it. So the information saved on it are safe. It is a write only mechanism.

And if you forgot your Yubikey, you can always use another method to connect as on any service I am usnig, there is always another method to connect to the service. So you can use this other method if you set it up.
It is always a matter of compromise between easiness and security.


Thank you so much for reading it to this point. I hope you enjoyed reading it and learn something.

Leave me a message if you set up Multi-factor Authentication on one of your account. An then tried to use your Yubikey to something different than just 2nd-factor authentication.

That would mean a lot to me.

Posted on by:

shostarsson profile

Rémi Lavedrine

@shostarsson

Software Dev turned Security Dev. Follow me on dev.to, twitch.tv/shostarsson or youtube.com/shostarsson

Discussion

pic
Editor guide
 

Well Password is not enough. I hope banks would adopt changing their MFA's from just SMS/Email to verified physical security keys

 

That would be great indeed.
But I think that one the most important thing to secure is you're e-mail account as any other service you are registering to is related to that and can be reset through it.