21 votes

How do you use your YubiKeys?

I'm a little late on this, admittedly. $dayjob is requiring us all to set up a pair of YubiKeys, and I'm using them for the first time and my mind is a little blown.

I was seeing articles about "passkeys" all summer, not really grokking what they were talking about, clinging to my usernames and passwords and 2FA codes coming out of 1Password, etc.

I just set it up on a few accounts today, initially as an additional 2FA source, but when I set them on GitHub, I saw for the first time how exactly they are used instead of the username and password and 2FA combo to log in, and it seems incredible to me!

For long-time YubiKey users: what are some cool things in the ecosystem that you would recommend looking at?

8 comments

  1. devilized
    We've been using them for years. Our company's SSO uses them as a second factor instead of a replacement for username/password. I think that's being slowly changed as we enable device verification as a way to skip username/passwords.

    Yubikeys can also be used as smartcards. Some of our internal infra uses smartcard authentication for elevated access, and this fits that role nicely.

    We also use them to enable MFA on Linux command line sudo usage.

    10 votes
  2. spit-evil-olive-tips
    An opinionated Yubikey setup guide gives a great run-down of what can be done with them.

    The main parts that I use are FIDO authentication (to Fastmail, Bitwarden, GitHub, etc.), FIDO-based SSH keys for all my servers, as well as GPG keys that integrate with gopass and give me a local-storage-only password manager I can use in addition to Bitwarden.

    6 votes
  3. tmax
    I use it to ssh on my servers. Onlykey is also great (and open source) if you want to try something else.

    4 votes
  4. teaearlgraycold
    I use a yubikey to enter my 1password master password and for 2FA on a handful of sites. So I’ve essentially taken 1password and turned it into 0password.

    As for 2FA, I think it’s important to never have a yubikey as your only 2FA device. TOTP can be backed up but a physical key is specifically designed to not be copied. If you ever lose it or it breaks you’re SOL.

    4 votes
    1. freestylesno
      Can you change the code on the YubiKey? I'm still learning how to use it, but it just seems insecure since it just acts as a keyboard and I have entered it in the wrong spot a few times.

      1 vote
      1. devilized
        The firmware is not upgradable by design. But you can change the behavior that you're talking about using the Personalization Tool. In the settings tab of that tool, there is a section called "output format". By default, it will output a return/enter after the key. You can disable that if you prefer to manually enter. You can also look at this if you want to increase the amount of time you have to contact the yubikey before it will output a code.

        2 votes
  5. gco
    Depending on your organisation, you may want to disable the OTP functionality. Some companies don't use it and it can be annoying when you touch your Yubikey and send a string of random characters to someone.

    Alternatively you can leave it on and play Yubikey roulette by pressing modifier keys (ctrl, alt, shift and the like) then touching your Yubikey. Save your work before trying this!

    4 votes
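The accidental-paste problem raised in freestylesno's and gco's comments above (the key acts as a keyboard, so a touch at the wrong moment drops an OTP into whatever window has focus) is easy to catch mechanically, which is useful for a chat bot or a pre-commit hook. The following is an added example, not code from the thread or from Yubico: a small Python detector that finds Yubico OTPs in free text, decodes the key's public ID, and redacts the token. It assumes the factory-default OTP format (a 12-character modhex public ID followed by a 32-character encrypted token, 44 characters in total; the 32 to 48 character range matched here also covers keys reprogrammed with a different public ID length). The sample chat transcript and the OTP in it are constructed for the example.

```python
import re
from dataclasses import dataclass

# Modhex: Yubico's keyboard-layout-independent hex alphabet, listed in nibble
# order 0..15 (c=0, b=1, d=2, ... v=15). These letters sit in the same place on
# most keyboard layouts, which is why the key can "type" an OTP anywhere.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_NIBBLE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

# A Yubico OTP is a run of modhex characters: a public ID of up to 16
# characters (factory default 12) followed by a 32-character encrypted token,
# so 32..48 characters total. Word boundaries keep us from matching inside a
# longer alphanumeric string.
TOKEN_LEN = 32
_OTP_RE = re.compile(r"\b([cbdefghijklnrtuv]{32,48})\b")


@dataclass(frozen=True)
class LeakedOtp:
    otp: str            # the full string as it appeared in the text
    public_id: str      # modhex public ID: identifies the key, not a secret
    public_id_hex: str  # the same ID as hex, as shown by validation services
    offset: int         # position of the OTP in the scanned text


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes (two modhex characters per byte)."""
    if len(text) % 2 != 0 or any(ch not in _MODHEX_NIBBLE for ch in text):
        raise ValueError(f"not an even-length modhex string: {text!r}")
    nibbles = [_MODHEX_NIBBLE[ch] for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def is_yubico_otp(candidate: str) -> bool:
    """True if the whole string has the shape of a Yubico OTP."""
    return _OTP_RE.fullmatch(candidate) is not None


def find_otps(text: str) -> list[LeakedOtp]:
    """Return every Yubico-OTP-shaped token in text, in order of appearance."""
    hits = []
    for m in _OTP_RE.finditer(text):
        otp = m.group(1)
        public_id = otp[:-TOKEN_LEN]  # everything before the 32-char token
        hits.append(LeakedOtp(
            otp=otp,
            public_id=public_id,
            public_id_hex=modhex_decode(public_id).hex(),
            offset=m.start(1),
        ))
    return hits


def redact_otps(text: str) -> str:
    """Replace each OTP with a marker that keeps only the (non-secret) public ID."""
    def _sub(m):
        return f"[YUBICO-OTP {m.group(1)[:-TOKEN_LEN]} REDACTED]"
    return _OTP_RE.sub(_sub, text)


# Constructed sample: a chat transcript where a touch landed in the wrong
# window. The OTP below is made up for this example; the last line is a
# near-miss (ends in 'x', not modhex) that must not be flagged.
SAMPLE_CHAT = """\
10:02 alice: can you review PR 41 when you get a sec
10:03 bob: ccccccbcgujhingjrdejhgfnuetrgigvlejhuckvlekv
10:03 bob: argh, wrong window, that was my yubikey
10:04 alice: not a password at least, but burn it with a fresh touch
10:05 bob: for comparison this is not one: ccccccbcgujhingjrdejhgfnuetrgigvlejhuckvlekx
"""

if __name__ == "__main__":
    for hit in find_otps(SAMPLE_CHAT):
        print(f"offset {hit.offset}: key {hit.public_id} ({hit.public_id_hex})")
    print(redact_otps(SAMPLE_CHAT))
```

Two caveats worth keeping in mind when acting on a hit. First, the public ID is not secret but it does identify the physical key, so the redaction marker deliberately keeps it for follow-up while dropping the token. Second, Yubico OTP replay protection is counter-based: a leaked OTP that has not yet been submitted to the validation server stays valid until a later OTP from the same key is accepted, so the right response is to touch the key again and validate that fresh OTP, or, as gco suggests, switch the OTP application off altogether with `ykman config usb --disable OTP`.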