Configuring Your YUBIKEY for Authentication

[Xilobyte]

In my tutorial Creating a Cold Wallet Computer I explain that good security is in the use of many devices to conduct a log in. 2FA or 2 factor security is when you have a Username, a Password, and require the use of a device to generate or provide a PINCODE for log in. So now a thief would require all three to compromise your account. Some exchanges, wallets or other utilities do not offer 2FA as a security measure but you can create your own. I use a YUBIKEY from Yubico to do this.

Most 98% of you use the same username and password credentials across many domains because of convenience and laziness. This means that if you are using an exchange which is pretty secure (hopefully) that I do not have to hack the exchange to get to your account. I can hack . some other clown like LinkedIn or even Visa and Mastercard and get a nice long list of usernames and passwords from them, and then randomly try each log in on any network I want until I score. You always score because people are inherently lazy with their personal security. So a great password has good length 12+ random characters including case, numbers, letters and punctuation. It has no consecutive characters, it does not reuse and characters and if you really want to make it a crappy thing to enter, use as much ambiguity as possible. That is letters and numbers like 0O Il oh and whatever else there is. Now if your password is visually exposed, you get a second chance. A password should not be memorable. If  you can remember it, a computer can guess it.

So with that, I divide my password in two. One part Suffix and one part Prefix. Half of my password is either another password which IS memorable and the other half is that randomly generated password that is not. So something like this:  PaSsw0rdKjHLv[K7GCjlhfzt869zljkh.*9nWrx .    That would really suck to use to login every time but it is secure. The first half I have in my head. The second half I do not care about, will never remember it and do not care to remember it. It is stored on my USB token or Yubikey.

The Yubikey can be used to generate Time based tokens, cryptographic tokens and even static passwords. I am not going to go through all of the uses of the Yubikey as that has already been covered by Yubico, but I will explain how to set up your static password on your key. 

 

   

This is a YubiKey 4. It is capable of many function to include our static password. It is used by inserting it into a computer USB where it registers as a keyboard. Then once the gold disc lights ups, you touch it to have it self enter the password for you. Setting up that static password is no fun and for me excessively complicated. I do not like the Yubico software as it is not user friendly. But here we go.

Once you have your Yubikey 4 you will need to download the Personalization tool to configure it.

 

Plug in your Yubikey and then observe the right column under the Serial Number "well" or "block. Record the Serial Number, the Dec and the Hex for later. the select "Static Password Mode" in the menu.

 

 

You will see  at the top that there is "Slot 1" and "Slot 2."  The Yubikey can be programmed with two different static passwords if you like. The Yubikey has two memory slots, each one is access but a different touch on the Gold Disc. The password which you store in Slot 1 is access by short touching for <1sec the Yubikey. When you quickly touch the disc, the key will type out that password. To get the Yubikey to type out the Second Password, you will touch and hold that gold disc for >3seconds and the Yubikey will type out the password in Slot 2.  Pretty Coooool.  

WARNING:  DO NOT store the Suffix AND the Prefix on the key. If a thief only has to steal your Yubikey to log into your account, that is pretty useless. Keep one half to yourself and the second half on the key. So lets program Slot 1 (short tap) with the password that we will use as the second half of our login. Go ahead and select "Configuration Slot 1." 

If you have your second backup key, then now is a great time to create that one as you can write to both, now. If so then select the checkbox at "Program Multiple Keys", if not then no worries you can do the exact same procedure later. Now, to the right of that, you see "Configuration Protection." A new Yubikey is unprotected. Lets select "Yubikey unprotected - Enable Protection" Here you can add a pincode of your own or use the serial number as the pincode. This prevents the key from being reprogrammed by other software without this PIN.

Now in the Password block this is where we will create our password to be added to the key. Your Yubikey 4 can store a maximum of 38 characters in this memory slot. I would like you to have one at least 18 characters long. This will leave room for the other half of your password from your head   You can use an online password generator to create a strong random password if you like. Once you have the long unremarkable password, copy and paste it into the password field. If the field is locked for you, then be sure to select your "Keyboard Layout" located to the right under "Scan Codes." That will unlock the field. Ignore the scan codes field for now.

 

Now once your screen looks like mine  you can click the "Write Configuration" button. This will save the config to the Yubikey. If you have another key then insert it now to be programmed. You can do the exact same thing for Slot 2 and another password simply by selecting Slot 2 at the top and then write the configuration again.

There is one more thing that is important with this key that we must configure. At times when I use it, I realize that the rate at which it enters the password it too fast for some websites and or software, so we need to slow it down a bit.

At the top menu, select "Settings." The imporatnt part is the "Output Speed Throttling" section. Here is where we can slow this key down a bit. In the dropdown, "Output Character Rate" select "Slow down by 60 ms." That is technically enough, but if your screen looks like mine too, it will be fine. Then all that is left is to click the "Update Settings" button on the lower right.

 

Now you need to test the key. Open a text editor program, preferably Notepad or even a Terminal only to test the output of your key. I choose my Command Prompt for Windows or Terminal for Mac/Linux because there is no link to the internet nor is there any cache or memory that will store my key password. Insert your Yubikey and wait for the disc to light up. Then tap your gold disc quickly. It will type out your password saved in slot one. go ahead and press and hold your gold disc to see the password from slot two if you configured it.

Important to note is that the key has an automatic "return" or "enter" at the end of the password. It is useful at times and then not at others. This means that the Yubikey will need to be the 2nd half of any password as it will activate the "Submit" button on any form where you use it. No big deal.

So now when using your key to secure your wallets, you first enter the PIN or Pass that you remember and then insert your Yubikey and press the disc to complete the rest of the password that you do not remember.

One last step to keep in mind. In my post About Securing your Secret Key I explain that you need to print out your Secret Key and store that paper somewhere. On that paper is a great location to copy and paste the password from this Yubikey. Write them both down to be sure. That way, if you loose both keys, then you have a paper backup and can still get into your wallet. You should NEVER write down your PIN CODE or the other half of the password. That is your final layer of security.

You need to understand the difference between a Secret Key and a Wallet Password. Check out my post on these to get clear on the two.

 

Edited July 13, 2017 by Xilobyte

[joy]

This is very helpfully 

Thanks.