Pilot service for Yubikey two-factor authentication

As mentioned in the earlier post What is a Yubikey, and how does it work? :

A Yubikey is a small device [which], when plugged into the USB port of any PC, presents itself as a standard USB HID keyboard and, when the capacitive ‘button’ on the Yubikey is pressed, emits a character string which implements a one-time password (OTP).

As delivered, the Yubikey emits its single factory-configured OTP when its button is pressed for about 0.5s or so. But in fact, the Yubikey has two configuration ‘slots’, each of which can be programmed to emit a one-time password. If the second slot is configured, the Yubikey acts as follows:

• Short press (0.3 – 1.5 seconds) and release: OTP from configuration slot 1 is emitted
• Short press (2.5 – 5 seconds) and release: OTP from configuration slot 2 is emitted

Each slot can be reprogrammed, and the contents of the two slots can be swapped. It’s very useful to keep the contents of the ‘as-delivered’ slot exactly as they are: the public id and AES key contained therein are already factory-registered on Yubico’s cloud authentication service, so the key as delivered is good for authentication against that service. However, for our testing we also want to set up our own authentication service. To do so, our plan is to reprogram the second slot with an appropriate internal public id and AES key, and then swap slots 1 and 2 so that our internal OTP is the default choice. This means we can revert to the as-delivered configuration of the Yubikey later on, should we choose to.

For Yubikey programming and reconfiguration, Yubico makes two programming utilities available:

• The Cross-platform Yubikey Personalization Tool
• The ykpersonalize command