Pilot service for Yubikey two-factor authentication

February 19, 2016

Using the ‘Cross-platform Yubikey Personalization Tool’ to reconfigure the Yubikey

Here’s how to program slot 2 of the Yubikey, and then swap slots 1 and 2, using the Cross-platform Yubikey Personalization Tool:

Danger, Will Robinson!

As delivered, the configuration in slot 1 of the Yubikey allows the Yubikey to authenticate against the Yubico cloud authentication service. Once that configuration is deleted from the Yubikey it cannot be recreated as it was: factory public ids begin with Modhex cc, and you cannot generate a new cc-prefixed public id (with a corresponding AES key) and upload that pair to the Yubico cloud yourself.

Our aim – for now, anyway – is to preserve the as-delivered configuration of slot 1 completely intact – not to delete it! – and, by swapping the two slots, to end up with it in slot 2.

Please proceed with the appropriate amount of caution!

Start the tool from a shell (the trailing & leaves the shell usable): yubikey-personalization-gui &


Select Yubico OTP Mode, then Quick

[Screenshot: yubikey-personalization-gui - OTP Quick configuration]

We’ll just accept whatever randomized values are suggested here – though feel free to Regenerate.

(By the way, there is an advantage to a public id starting with Modhex vv (hex ff), as this page produces, over a completely random public id (as available via the Advanced configuration page): of user-generated keys, only those whose public id starts with Modhex vv can be uploaded to the Yubico cloud authentication service.)

Select Configuration Slot 2

Unhide values, and take a note of the Public Identity, the Private Identity, and the Secret Key.

(Comment: the ‘Private Identity’ is carried inside the AES-encrypted part of each OTP, and a validation server compares it with the value registered together with the secret key. It adds no secrecy beyond the secret key itself, so its particular value is unimportant – it might just as well be all zeroes – provided the same value is registered alongside the key.)

Select Write Configuration:

The configuration will be written to the key, and also to a log file whose name you will be asked to nominate. That log file contains the secret key in clear, so keep it somewhere protected, or delete it once the values are safely recorded.

To now swap the contents of Slots 1 and 2:

Select Settings

[Screenshot: yubikey-personalization-gui - Settings]

Select Update Settings...

[Screenshot: yubikey-personalization-gui - Settings]

Select Swap

Now, try using your Yubikey: a short touch of the button emits the OTP from slot 1, and a touch held for a few seconds emits the one from slot 2.

You should find that slot 1 emits an OTP whose first 12 characters are the new public id just defined, and slot 2 emits an OTP beginning with the pre-existing factory-defined public id (Modhex cc…).
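As an added example (not code from this page or from Yubico), here is the same two-step procedure driven from a shell with ykpersonalize, the command-line tool that ships in the same yubikey-personalization package as the GUI. The flag meanings are taken from the ykpersonalize man page and are my assumption as far as this page goes; the YK_APPLY variable and the "go" argument are the example's own guards, so by default nothing is written to a key and the commands are only printed. The swap needs a key with firmware 2.3 or later.

```shell
#!/bin/sh
# Added example, not from the page: slot-2 programming plus slot swap with ykpersonalize.
# Flags per the ykpersonalize man page (assumed here): -2 program slot 2,
# -ofixed= public id in Modhex, -ouid= private id in hex, -a AES key in hex,
# -y commit without prompting, -x swap slots 1 and 2.
# Nothing touches a key unless YK_APPLY=1 is set; otherwise commands are only printed.

# Modhex maps the hex digits 0..f onto "cbdefghijklnrtuv", letters that sit on the
# same physical keys in every common keyboard layout. So hex ff is Modhex vv and
# hex 00 is Modhex cc.
hex_to_modhex() { printf '%s' "$1" | tr '0123456789abcdef' 'cbdefghijklnrtuv'; }
modhex_to_hex() { printf '%s' "$1" | tr 'cbdefghijklnrtuv' '0123456789abcdef'; }

# True if the argument is non-empty and consists only of Modhex letters.
is_modhex() {
    case "$1" in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 random bytes from the kernel RNG, as lowercase hex.
rand_hex() { dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# Public id: 6 bytes shown as 12 Modhex characters. The first byte is forced to
# 0xff ("vv") because only vv-prefixed ids can be uploaded to the Yubico cloud.
gen_public_id()  { hex_to_modhex "ff$(rand_hex 5)"; }
gen_private_id() { rand_hex 6; }    # 6 bytes, hex, as -ouid= expects
gen_secret_key() { rand_hex 16; }   # AES-128 key, 32 hex digits, as -a expects

# Sanity check before writing: 12 Modhex characters starting with vv, and never a
# cc-prefixed (factory-style) id, which is exactly what slot 1 is being preserved for.
check_public_id() {
    if [ ${#1} -ne 12 ] || ! is_modhex "$1"; then
        echo "public id must be 12 Modhex characters: $1" >&2; return 1
    fi
    case "$1" in
        cc*) echo "refusing factory-style (cc) public id: $1" >&2; return 1 ;;
        vv*) return 0 ;;
        *)   echo "public id must start with vv to be uploadable: $1" >&2; return 1 ;;
    esac
}

# Print a command, or run it when YK_APPLY=1 (hypothetical guard, this example's own).
run() {
    if [ "${YK_APPLY:-0}" = 1 ]; then "$@"; else printf 'would run: %s\n' "$*"; fi
}

# Step 1: program slot 2 with fresh values. They are printed so they can be recorded;
# treat them as secrets, since the AES key is all that is needed to forge OTPs.
program_slot2() {
    pub=$(gen_public_id); priv=$(gen_private_id); key=$(gen_secret_key)
    check_public_id "$pub" || return 1
    printf 'public id (modhex): %s\nprivate id (hex):   %s\nsecret key (hex):   %s\n' "$pub" "$priv" "$key"
    run ykpersonalize -2 -ofixed="$pub" -ouid="$priv" -a"$key" -y
}

# Step 2: swap the slots, so the factory configuration ends up in slot 2.
# Run alone, ykpersonalize asks for confirmation before writing.
swap_slots() { run ykpersonalize -x; }

# Stand-alone use: `sh yk-slots.sh go` prints the plan; YK_APPLY=1 makes it write.
if [ "${1:-}" = go ]; then
    program_slot2 && swap_slots
fi
```

Afterwards, verify the result exactly as the page describes: a short touch should produce an OTP starting with the vv public id just printed, and a long touch one starting with the factory cc id.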

