The story
Thanks to the signing party and Harry Chen being so generous that he gave out one of his spare YubiKey 4s to me, I've got to get my hands on this tiny new device, which really changes the game of secure authentication and encryption. This article mainly serves as a concise introduction to the YubiKey, as well as a memo in case I mess things up (such as losing the YubiKey, breaking it or screwing up the things stored inside) and want to start all over again.
What's a YubiKey?
So, basically what's a YubiKey? According to Wikipedia,
The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords.
And I'm currently utilizing the following capabilities of a YubiKey to do things like these:
- PIV capability for OS logon and authentication
  - on macOS this works for both system logon / screensaver deactivation and sudo authentication
  - what's more, you can ask macOS to activate the screensaver automatically when the login token is removed
- U2F capability for 2FA at various websites that support hardware U2F tokens, such as Google and GitHub
- OTP capability (Yubico OTP, to be more specific), to authenticate myself in PAM applications (e.g. sudo) on remote machines
- PGP capability for storing my OpenPGP secret keys for signing, authentication and (en|de)cryption
  - leverage PGP in emails and live chats to circumvent censorship and retain privacy better
  - with the help of a properly configured GPG agent replacing the SSH agent, authenticate with remote machines using GPG's ssh emulation mode
Details
Documents for how to configure each subsystem of the YubiKey are listed for reference, and I will not duplicate them here.
- PIV: https://www.yubico.com/support/knowledge-base/categories/articles/how-to-use-your-yubikey-with-macos-sierra/
  - to enable "login token removal = screensaver activation":
    - go to System Preferences > Security & Privacy > General > Advanced... (you may need to unlock the panel by clicking on the lock icon and authenticating)
    - check "Turn on screen saver when login token is removed"
- U2F: the simplest; follow the setup instructions from major websites that support U2F as 2FA
  - you may need to unblock the U2F capability if you happened to turn it off (or you notice that it has stopped working): https://wiki.archlinux.org/index.php/yubikey#Set_the_enabled_modes
- OTP: https://mig5.net/content/adding-yubikey-2-factor-authentication-ssh-and-sudo-debian
- PGP: https://github.com/drduh/YubiKey-Guide
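As an added example (not from the original post, nor from the drduh guide linked above), this is the gpg-agent setup behind the "GPG agent replacing the SSH agent" item: it puts enable-ssh-support into gpg-agent.conf, prints the shell rc lines that point SSH clients at gpg-agent's socket, and checks that the card-held authentication key is actually served. It assumes GnuPG 2.1 or later (gpgconf, gpg-connect-agent) and a YubiKey onto which the authentication subkey has already been moved; the function names are my own.

```shell
#!/bin/sh
# Added example: gpg-agent as an ssh-agent replacement for a YubiKey-held
# authentication subkey. Not taken from the original post. Assumes GnuPG
# 2.1+ (gpgconf, gpg-connect-agent) is installed; function names are mine.

# Add enable-ssh-support to gpg-agent.conf under the given GnuPG home,
# without duplicating the line on repeated runs.
write_agent_conf() {
    home="$1"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || printf 'enable-ssh-support\n' >> "$conf"
}

# Lines to put in ~/.bashrc or ~/.zshrc: retire any plain ssh-agent and hand
# SSH_AUTH_SOCK over to the socket gpg-agent exposes for SSH clients.
shell_rc_snippet() {
    cat <<'EOF'
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# Succeed only if ssh-add, talking to gpg-agent's socket, lists a key that
# lives on the smart card (gpg-agent tags such keys with a "cardno:" comment).
verify_card_key() {
    sock="$(gpgconf --list-dirs agent-ssh-socket)" || return 1
    gpg-connect-agent /bye >/dev/null 2>&1      # make sure the agent is up
    SSH_AUTH_SOCK="$sock" ssh-add -L 2>/dev/null | grep -q 'cardno:'
}

# Touch the real GnuPG home only when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_agent_conf "${GNUPGHOME:-$HOME/.gnupg}"
    gpgconf --kill gpg-agent                    # restart so the new option is read
    shell_rc_snippet
    if verify_card_key; then
        echo "card key is served over SSH_AUTH_SOCK"
    else
        echo "no card key served yet: check 'gpg --card-status' and the rc lines above" >&2
    fi
fi
```

Run it as `sh setup.sh apply` once, add the printed lines to your shell rc, and `ssh-add -L` should then list the key with its `cardno:` comment.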
Credit
Credit goes to Harry Chen for offering me a free YubiKey 4, and to the Tsinghua TUNA Association for their wonderful PGP Introduction talk, as well as the PGP Signing Party they threw, where I got my first PGP key signatures.