Pilot service for Yubikey two-factor authentication

February 19, 2016

Using the ykpersonalize command to reconfigure the Yubikey

Here’s how to program slot 2 of the Yubikey, and then swap slots 1 and 2, using the ykpersonalize command:

Danger, Will Robinson!

As delivered, the configuration in slot 1 of the Yubikey allows the Yubikey to authenticate against the Yubico cloud authentication service. Once deleted from the Yubikey, it cannot be recreated as was: the AES key can never be read back out of the device, and one cannot recreate a public id (and corresponding AES key) beginning with Modhex cc and upload that pair to the Yubico cloud, since user uploads are only accepted for public ids beginning with Modhex vv.

Our aim – for now, anyway – is to completely preserve the as-delivered configuration of slot 1 – not to delete it! – and to save it in slot 2.

Please proceed with the appropriate amount of caution!

We first need to choose a public id, in Modhex, as well as a private id, in hex. (One way to have suitable values generated automatically is via the ‘Cross-platform Yubikey Personalization Tool’; equally, randomly-chosen strings of the right length are fine.)

Notes:

  1. As in the previous post Using the Cross-platform Yubikey Personalization Tool, we note that, for compatibility with the Yubico cloud authentication service, the public id we choose should start with the two characters Modhex vv.
  2. The ‘private id’ (a.k.a. ‘uid’) is not significant, and – when using Yubikeys in standard Yubico OTP mode, as we are – plays no role in the authentication process. It might just as well be set to all zeroes.

Then, either specify an explicit AES key:

[host]user: ykpersonalize -2 -a12c676fa8f906cf9505122ac4d5ef058 -o fixed=vvbhchbhchcb -o uid=d17bb68be71e \
-o -static-ticket -o -strong-pw1 -o -strong-pw2 -o -man-update
Firmware version 2.4.3 Touch level 2307 Program sequence 9

Configuration data to be written to key configuration 2:

fixed: m:vvbhchbhchcb
uid: d17bb68be71e
key: h:12c676fa8f906cf9505122ac4d5ef058
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags: 
extended_flags: 

Commit? (y/n) [n]: y

or let the interface generate a random AES key:

[host]user: ykpersonalize -2 -o fixed=vvbhchbhchcb -o uid=d17bb68be71e \
-o -static-ticket -o -strong-pw1 -o -strong-pw2 -o -man-update
Firmware version 2.4.3 Touch level 2307 Program sequence 9

Configuration data to be written to key configuration 2:

fixed: m:vvbhchbhchcb
uid: d17bb68be71e
key: h:ac22d24832fd612a82b3ef4505a02838
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags: 
extended_flags: 

Commit? (y/n) [n]: y

(Comment: the command line switches -o -static-ticket -o -strong-pw1 -o -strong-pw2 -o -man-update are ugly, but unfortunately very necessary here. It turns out that ykpersonalize asserts those options by default when programming slot 2 (but not slot 1). They have no place in a Yubico OTP configuration, and this one is destined for slot 1 after the swap, so we need to deassert them explicitly with a leading ‘-‘ sign. Before answering y, check the ticket_flags, config_flags and extended_flags lines in the summary: only APPEND_CR should remain, as in the output above. If you’re now wondering why we didn’t swap the slots first, and then program slot 1: depending on firmware versions, you don’t necessarily seem to be able to swap slots 1 and 2 if slot 2 is currently unconfigured …)

To now swap the contents of slots 1 and 2:

[host]user: ykpersonalize -x
Firmware version 2.4.3 Touch level 2307 Program sequence 8

Configuration in slot 1 and 2 will be swapped

Commit? (y/n) [n]: y
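The whole procedure above, as an added example (this is not code from the original post or from Yubico): a POSIX sh script that generates a vv-prefixed public id, a private id and an AES key of the right lengths, runs the same slot-2 ykpersonalize command line with the same flag negations, records what was written (the key cannot be read back later), and then swaps the slots. It assumes ykpersonalize from yubikey-personalization is on PATH and accepts -y to skip the Commit? prompt; the --program argument, the YK_LOG variable and the log file name are this script’s own conventions. Run without arguments it only defines the helpers and touches no key.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the public id,
# private id and AES key the ykpersonalize run above needs, write them to
# slot 2 with the same flags as the post, swap the slots, and keep a record.
# Assumes ykpersonalize (yubikey-personalization) is on PATH. The generator
# and check functions need only coreutils (head, od, tr, grep) and /dev/urandom.
# The Yubikey is only touched when the script is run as:  sh yk-slot2.sh --program

MODHEX='cbdefghijklnrtuv'   # Modhex alphabet: hex 0..f -> c b d e f g h i j k l n r t u v

# Lower-case hex -> Modhex, one character at a time.
hex_to_modhex() { printf '%s' "$1" | tr '0123456789abcdef' "$MODHEX"; }

# Modhex -> lower-case hex (the inverse mapping).
modhex_to_hex() { printf '%s' "$1" | tr "$MODHEX" '0123456789abcdef'; }

# $1 random bytes from /dev/urandom, as lower-case hex.
random_hex() { head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# 6-byte public id: first byte 0xff ("vv" in Modhex) so the YubiCloud upload
# form will accept it; the other 5 bytes are random.
gen_public_id() { hex_to_modhex "ff$(random_hex 5)"; }

# 6-byte private id (uid), hex. Standard Yubico OTP validation does not use it.
gen_private_id() { random_hex 6; }

# 16-byte AES-128 key, hex.
gen_aes_key() { random_hex 16; }

# Exactly 12 Modhex characters (6 bytes) starting with "vv".
check_public_id() { printf '%s\n' "$1" | grep -Eq '^vv[cbdefghijklnrtuv]{10}$'; }

# $1 is lower-case hex of exactly $2 bytes.
check_hex() { printf '%s\n' "$1" | grep -Eq "^[0-9a-f]{$(( $2 * 2 ))}$"; }

# The slot-2 command line from the post, plus -y so ykpersonalize does not prompt.
# $1 = public id (Modhex), $2 = private id (hex), $3 = AES key (hex)
slot2_command() {
    printf 'ykpersonalize -2 -a%s -o fixed=%s -o uid=%s -o -static-ticket -o -strong-pw1 -o -strong-pw2 -o -man-update -y\n' \
        "$3" "$1" "$2"
}

# Program slot 2, record the values (the key can never be read back out of the
# device), then swap so the new configuration answers a short press.
program_and_swap() {
    pub=$(gen_public_id); uid=$(gen_private_id); key=$(gen_aes_key)
    check_public_id "$pub" && check_hex "$uid" 6 && check_hex "$key" 16 || return 1
    log=${YK_LOG:-yubikey-slot2.log}        # YK_LOG is this script's own variable, not a ykpersonalize one
    umask 077                               # the log holds the AES key: owner-readable only
    printf 'public_id=%s private_id=%s aes_key=%s\n' "$pub" "$uid" "$key" >> "$log" || return 1
    eval "$(slot2_command "$pub" "$uid" "$key")" || return 1   # values validated above, so eval is safe
    ykpersonalize -x -y                     # swap slots 1 and 2
}

if [ "${1:-}" = "--program" ]; then
    program_and_swap
fi
```

The log line is the only copy of the AES key you will ever have outside the device, so write it somewhere you control (the script sets umask 077 before creating it) and import it into your own validation service from there.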

Using the ‘Cross-platform Yubikey Personalization Tool’ to reconfigure the Yubikey

Here’s how to program slot 2 of the Yubikey, and then swap slots 1 and 2, using the Cross-platform Yubikey Personalization Tool:

Danger, Will Robinson!

As delivered, the configuration in slot 1 of the Yubikey allows the Yubikey to authenticate against the Yubico cloud authentication service. Once deleted from the Yubikey, it cannot be recreated as was: the AES key can never be read back out of the device, and one cannot recreate a public id (and corresponding AES key) beginning with Modhex cc and upload that pair to the Yubico cloud, since user uploads are only accepted for public ids beginning with Modhex vv.

Our aim – for now, anyway – is to completely preserve the as-delivered configuration of slot 1 – not to delete it! – and to save it in slot 2.

Please proceed with the appropriate amount of caution!

Start the tool: yubikey-personalization-gui&

(screenshot: yubikey-personalization-gui)

Select Yubico OTP Mode, then Quick

(screenshot: yubikey-personalization-gui - OTP Quick configuration)

We’ll just accept whatever randomized values are suggested here – though feel free to Regenerate.

(By the way: there is an advantage to using a public id which starts with Modhex vv (i.e. hex FF), as the Quick configuration page produces, rather than a completely random public id (as is available via the Advanced configuration page): for user-generated keys, only those starting with Modhex vv can be uploaded to the Yubico cloud authentication service.)

Select Configuration Slot 2

Unhide values, and take a note of the Public Identity, the Private Identity, and the Secret Key.

(Comment: The ‘Private Identity’ is not significant, and – when using Yubikeys in standard Yubico OTP mode, as we are – plays no role in the authentication process. It might just as well be set to all zeroes.)

Select Write Configuration:

The configuration will be written to the key, and also to a log file which you will be asked to nominate.

To now swap the contents of Slots 1 and 2:

Select Settings

(screenshot: yubikey-personalization-gui - Settings)

Select Update Settings...

(screenshot: yubikey-personalization-gui - Settings, Update Settings dialog)

Select Swap

Now, try using your Yubikey.

You should find that Slot 1 emits an OTP corresponding to the new public id just defined, and Slot 2 emits an OTP corresponding to the pre-existing factory-defined public id.
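A small check for that last step, as an added example (not code from the original post): a Yubico OTP is the public id followed by 32 Modhex characters of ciphertext, so with a 6-byte public id the Yubikey types 44 Modhex characters. The script below reads one short-press and one long-press string and confirms that the first carries the public id you just wrote and the second a factory-style cc... id. The public id used as the argument is whatever you noted from the tool; the 44-character strings used in the built-in demonstration are constructed, not real OTPs.

```shell
#!/bin/sh
# Added example, not code from the original post: check the strings the
# Yubikey types after the swap against the public id written to slot 2.
# A Yubico OTP = public id + 32 Modhex characters of ciphertext, so with a
# 6-byte public id the whole string is 44 Modhex characters.
# Usage:  sh yk-check-swap.sh vvbhchbhchcb   (argument = your new public id)
# Needs only a POSIX sh, cut and grep.

# The public id part of an OTP: everything before the 32-character ciphertext.
otp_public_id() {
    len=${#1}
    [ "$len" -gt 32 ] || return 1
    printf '%s' "$1" | cut -c1-$(( len - 32 ))
}

# True if the string is a plausible Yubico OTP with a 6-byte public id.
is_otp() { printf '%s\n' "$1" | grep -Eq '^[cbdefghijklnrtuv]{44}$'; }

# Classify an OTP by its public id prefix. Prints "ours" for the id we
# programmed, "factory" for a cc... id, "unknown" for any other id and
# "invalid" (with failure status) for a string that is not an OTP.
# $1 = OTP, $2 = our public id
classify_otp() {
    is_otp "$1" || { echo invalid; return 1; }
    id=$(otp_public_id "$1")
    if [ "$id" = "$2" ]; then
        echo ours
    else
        case "$id" in cc*) echo factory ;; *) echo unknown ;; esac
    fi
}

# After the swap a short press must give "ours" and a long press "factory".
# $1 = short-press OTP, $2 = long-press OTP, $3 = our public id
verify_swap() {
    [ "$(classify_otp "$1" "$3")" = ours ] && [ "$(classify_otp "$2" "$3")" = factory ]
}

if [ -n "${1:-}" ]; then
    printf 'Short press, then Enter: '; read -r short
    printf 'Long press, then Enter:  '; read -r long
    if verify_swap "$short" "$long" "$1"; then echo "swap OK"; else echo "swap NOT as expected"; fi
else
    # Constructed sample strings (not real OTPs) showing the expected outcome.
    verify_swap vvbhchbhchcbcbdefghijklnrtuvcbdefghijklnrtuv \
                ccccccbhchcbcbdefghijklnrtuvcbdefghijklnrtuv vvbhchbhchcb \
        && echo "sample: swap OK"
fi
```

Press the button into the terminal where the script is waiting; the Yubikey appends a newline itself (APPEND_CR), so read sees one string per press.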

Reconfiguring/personalizing the Yubikey

As mentioned in the earlier post What is a Yubikey, and how does it work? :

A Yubikey is a small device [which], when plugged into the USB port of any PC, presents itself as a standard USB HID keyboard and, when the capacitive ‘button’ on the Yubikey is pressed, emits a character string which implements a one-time password (OTP).

As delivered, the Yubikey emits its single factory-configured OTP when its button is pressed for about 0.5s or so. But in fact, the Yubikey has two configuration ‘slots’, each of which can be programmed to emit a one-time password. If the second slot is configured, the Yubikey acts as follows:

  • Short press (0.3 – 1.5 seconds) and release: OTP from configuration slot 1 is emitted
  • Long press (2.5 – 5 seconds) and release: OTP from configuration slot 2 is emitted

Each slot can be reprogrammed, and the contents of the two slots can be swapped. It’s very useful to keep the contents of the ‘as-delivered’ slot exactly as they are: the public id and AES key contained therein are already factory-registered on Yubico’s cloud authentication service, so the key as delivered is good for authentication against that service. However, for our testing we also want to set up our own authentication service. To do so, our plan is to reprogram the second slot with an appropriate internal public id and AES key, and then swap slots 1 and 2 so that our internal OTP is the default choice. This means we can revert to the as-delivered configuration of the Yubikey later on, should we choose to.

For Yubikey programming and reconfiguration, Yubico makes two programming utilities available:
