Securing your access to resources should be top of mind. It’s relatively easy for folks to get your passwords these days – especially with the frequent vendor breaches – making something like two-factor authentication (2FA) or multi-factor authentication (MFA) a necessity. I personally use a combination of an encrypted password vault to store secrets and Yubico’s YubiKey to act as my security key and Google Authenticator as my one time password (OTP) generator.
The multiple factors of authentication consist of three types: what you know (passwords, codes), who you are (biometrics), and what you have (tokens, badge, ID). I’ve been using a YubiKey 4 USB-A edition security key for almost 2 years to provide a “what you have” factor to the security equation. It has worked without any issues across GitHub, AWS, Azure, Google, Windows Hello, and many others.
However, I wanted to revisit my process after buying a new Google Pixel 4 XL to replace my Google Pixel 2 XL (I use Google Fi). I was juggling Google Authenticator as my default OTP generator and using the YubiKey only in my laptop as a security key. This felt inefficient. Looking around revealed a whole new generation of YubiKeys with different feature sets.
I’ve recently purchased a new YubiKey 5 NFC (near field communication) for $45 on Amazon. My main goals are:
- Having a primary and backup YubiKey prevents me from locking myself out of specific accounts should I lose the primary and follows Yubico’s recovery plan recommendation. (See this support article, too)
- The NFC feature lets me use the YubiKey as a security key on mobile! It will also reduce the friction when generating OTPs on my Android phone with the Yubico Authenticator, eliminating my need to use Google Authenticator (which is bound to a single phone and a pain to migrate to new phones).
In this post, I’ll go through the various setup and configuration details to get the YubiKey solution up and running. This will focus on my specific set of devices across the Windows and Android ecosystem.
The Yubico Authenticator app allows you to store your credentials on a YubiKey and not on your mobile phone. It’s the first thing I tend to install on my Windows or Android device. This is the application that will let you work with stored accounts that you have configured for 2FA/MFA, such as GitHub or AWS, on your YubiKeys. You can find all Yubico downloads here.
Note: At the time of this post, the latest and greatest Windows version is 5.0.1 and Android version is 2.2.0.
The Yubico Authenticator application reveals the accounts that have been stored on the YubiKey and allows accounts to be added, removed, or set as a favorite. It’s similar to the Google Authenticator, except that it is bound to your YubiKey instead of your Android phone.
Let’s start by setting up the YubiKey for OTP with GitHub, including NFC integration, so that there’s a concrete example to follow. Other accounts will be set up in a similar manner, but make sure to first read their documentation.
YubiKey OTP Configuration
The first way that we’ll integrate with GitHub is through OTP generation. This will provide a six digit 2FA code when logging into GitHub.
- Insert your YubiKey and fire up the Yubico Authenticator.
- Follow the Configuring two-factor authentication using a TOTP mobile app instructions on the GitHub site. This boils down to scanning a QR code to set up your account.
- Save the Recovery Codes someplace safe, such as an encrypted secrets vault or a piece of paper in a fireproof safe!
You now have a GitHub OTP generator prepared for authentication.
Validate that the 6-digit code generated by the Yubico Authenticator is accepted: click on the GitHub account in the application, then press the gold ‘Y’ button on the YubiKey when prompted. The button will also slowly flash green in a “please press me” mode. Enter the code into GitHub’s 2FA request.
Note: A small circle appears to the bottom right of the account and marks how much time remains until the code is invalidated.
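To make the OTP steps above concrete, here is an added example (not code from the original post or from Yubico) showing what the QR code actually carries and how the Yubico Authenticator turns it into the 6-digit code and the shrinking time circle. The QR code is an otpauth:// URI holding a base32 shared secret; the code is an HMAC-based one-time password (RFC 4226) computed over the current 30-second time step (RFC 6238). The URI below is a constructed sample with a made-up secret, not a real GitHub enrollment. The last function shows the server-side check with a one-step drift window, which is how a service like GitHub accepts a code entered a few seconds after it was generated.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: a made-up account and secret, in the format GitHub's QR code uses.
SAMPLE_URI = "otpauth://totp/GitHub:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub"


def parse_otpauth(uri: str) -> dict:
    """Extract the fields of an otpauth://totp/... URI (the content of the QR code).

    This is the secret that ends up stored on the YubiKey; anyone holding it can
    generate your codes, which is why the QR code / secret must be kept in a vault.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    # Base32 secrets in QR codes usually omit padding; restore it before decoding.
    secret = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": secret,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // period, digits, algorithm)


def seconds_remaining(at_time: int, period: int = 30) -> int:
    """Time left in the current step; this is what the Authenticator's circle shows."""
    return period - (at_time % period)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift and the time it takes to type the code."""
    step = at_time // period
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    print(f"{account['issuer']} / {account['label']}")
    print(f"code: {totp(account['secret'], now)}  (valid {seconds_remaining(now)}s more)")
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), so it can be checked against the published values rather than trusted blindly.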
The account is now configured on your YubiKey. If you need an OTP, insert the YubiKey into your laptop and repeat the above steps. The YubiKey will work in any device you wish and can itself be password protected, if desired.
You also have the ability to switch security keys or plug multiple security keys into the laptop. This makes adding two YubiKeys to a service (one as primary, the other as a backup) fairly simple.
If a service doesn’t allow for multiple security keys to be added, you can store the secret value or QR code somewhere safe and use it on your backup device in case of losing the primary. For more on creating a backup YubiKey, this getting started page is handy.
If you don’t have the funds to splurge for a second YubiKey, you can use an alternative method (such as Google Authenticator) as your backup plan.
YubiKey OTP Configuration for Android NFC
The next step is to install the Yubico Authenticator on Android using the Google Play store. I immediately change the app’s color theme to Dark or AMOLED by navigating to Settings > Theme. In Android, make sure you have NFC enabled by visiting Settings > Connected Devices > Connection Preferences > NFC.
Once done, tap the YubiKey 5 NFC onto the back of the phone to display a list of the known accounts. Each account will show “Press button for code...” where the code would be, as shown in the image below.
When you press your finger on the account’s name on your phone, a notification will appear asking you to once again tap the YubiKey 5 NFC against the back of the phone to reveal the OTP for a short while before it is invalidated. You won’t need the gold ‘Y’ button at all for NFC.
Note: The NFC “hot spot” for Google Pixel models is on the back of the phone towards the top (near the camera).
This is extremely handy for accessing accounts that need to be viewed over mobile. For me, that’s mostly GitHub, Twitter, Reddit, and CloudFlare. It’s also nice for generating OTPs and using them on my laptop without having to insert the YubiKey into the laptop.
Next, let’s cover how to set up the YubiKey as a security key for GitHub. This eliminates the need for OTP generation and greatly streamlines the entire process.
YubiKey Security Key Configuration
Because GitHub supports WebAuthn (see this post), we can use a YubiKey as a security key. This works on Windows (via Windows Security) and on Android. On Windows, you first need to configure Windows Security to know about the security key.
Windows Security Key Setup
To set up a security key, go to Start > Settings > Accounts > Sign-in options, and select Security Key. Select Manage and follow the instructions to set up a new PIN. This will be used when setting up a new account to validate the request.
Whenever you want to use your security key to integrate with a new account, a Windows Security prompt will first ask you to input your PIN. After that, the PIN will not be required for the account you’ve configured. It will be required for any new accounts you wish to set up.
GitHub Security Key Setup
Now that Windows has the YubiKey configured, it’s time to add a new security key to GitHub. The Configuring two-factor authentication using a security key post describes this process in great detail.
When you reach the “Activate your security key, following your security key’s documentation” step, the Windows Security prompt will appear and ask for you to enter the security key PIN value.
After this, you can log back into GitHub and select the “Use security key” option. This will require touching the YubiKey’s gold ‘Y’ button to approve the request as shown below.
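The PIN prompt at registration and the gold ‘Y’ touch at login map onto two flag bits that the YubiKey puts into every WebAuthn response, and GitHub’s server checks those bits along with the challenge, origin and a signature counter. The following is an added example (not code from the original post, GitHub or Yubico) of the structural checks a relying party performs on an assertion per the WebAuthn spec: challenge and origin in clientDataJSON, the rpIdHash, the user-present (touch) and user-verified (PIN) flags, and the counter that exposes a cloned authenticator. The sample assertion is constructed in the block, not captured from a real key; the signature check over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is deliberately left out because it needs a crypto library, so this is a field check, not a complete verifier.

```python
import base64
import hashlib
import json
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn / CTAP2).
FLAG_UP = 0x01  # user present: the gold 'Y' button was touched
FLAG_UV = 0x04  # user verified: the security-key PIN (or biometric) was checked


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (counter,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "counter": counter,
    }


def check_assertion_fields(rp_id: str, expected_origin: str, expected_challenge: bytes,
                           client_data_json: bytes, auth_data: bytes,
                           stored_counter: int, require_uv: bool = False) -> tuple:
    """Return (ok, reason) for the non-signature checks of a WebAuthn assertion.
    A real relying party additionally verifies the signature with the credential's
    stored public key; that step is omitted here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale request)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch (phishing site cannot forge this)"
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_present"]:
        return False, "user presence not asserted (no touch)"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification (PIN) required but absent"
    # A counter that does not advance means a second copy of the key may exist.
    if parsed["counter"] != 0 and parsed["counter"] <= stored_counter:
        return False, "signature counter did not increase (possible cloned key)"
    return True, "ok"


def build_sample_assertion(rp_id: str, origin: str, challenge: bytes,
                           counter: int, flags: int) -> tuple:
    """Constructed sample for demonstration only; a real key signs these bytes."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", counter))
    return client_data, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a server uses random bytes
    cdj, ad = build_sample_assertion("github.com", "https://github.com", challenge, 42, FLAG_UP | FLAG_UV)
    print(check_assertion_fields("github.com", "https://github.com", challenge, cdj, ad, stored_counter=41))
```

The origin check is the reason a security key resists phishing where an OTP does not: a look-alike site can relay a 6-digit code, but the browser writes the real origin into clientDataJSON and the key signs it.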
YubiKey Security Key Configuration for Android NFC
In order to use the YubiKey as a security key over NFC, open up Chrome on Android and navigate to GitHub. When logging in, make sure to select the security key option. When you click on the “Use security key” button, a series of configuration prompts will appear.
The first prompt is a Get Started wizard.
Next, select how you wish to use the security key by choosing “Use security key with NFC” to continue.
The final step is to authorize the request. Tap the YubiKey NFC against the phone once more.
That’s all there is to using the security key option. Easy!
Who Else Supports 2FA or MFA?
Support for 2FA is somewhat spotty and random, with some organizations limited to using an OTP via SMS. That’s better than nothing, but not the end goal. The folks at Two Factor Auth List have put together an easy-to-use open source repository and website that you can leverage.
I will say that both GitHub and Microsoft are great about 2FA. They both support multiple security keys, which is great for the primary / backup security key model, and allow me to choose between OTP and security key authentication. See this post if you’re interested in setting up a password-less Microsoft Azure AD integration.
I’ve also disabled the old SMS (text message) approval workflow for both accounts in favor of having hard copy recovery keys stored in a lock box should I completely lose all of my YubiKeys.
If you want to adventure further with your YubiKey, snag the YubiKey Manager. It provides the ability to really customize the configuration of the YubiKey, determine which features are enabled on each of the two interfaces (USB and NFC), and set up the Personal Identity Verification (PIV) application.
The only thing I’ve done in here was to change the default values for the PIV’s PIN and PUK configuration.
I feel like I’m barely scratching the surface of what I can do to help secure my world with YubiKey. In the future, I’d like to set up some of the things that Marco Pivetta outlines in his great post entitled “YubiKey for SSH, Login, 2FA, GPG and Git Signing” – especially the git signing!