Well, I’ve had an old Yubikey 4C around for ages and tried to get it to work a few years ago. But with all the concerns about security, I’ve always wanted to understand this. Plus, Apple is trying to get everyone to be passwordless and that is a good thing. Using 1Password is great, but for certain things, it is necessary to have a physical key, so here is what I learned:
- How many keys to get? The right keys are hard to get, but you want at least two keys (so I want four of them), so if you lose the one on your keychain, you are not toast. For someone like me, I need more than eight of them and would need to put them on every physical keychain I have.
- The Yubikey 4C uses a PIN code as the additional factor. Others have a fingerprint reader instead and connect via USB C, so they are mainly useful on desktops and iPads rather than phones, but I did get it to work.
- What keys to buy now? With the Apple move to USB C for everything not yet happening, the ideal key is one that has USB C, Lightning, and NFC for devices that support it. The Yubikey site is beyond complicated, the chooser makes it really unclear what the right device is, and the ideal one is unobtainium. You can get the Yubikey 5C NFC, which is USB C and NFC, or the Yubikey 5Ci, which is USB and Lightning, for $55 and $75 respectively. The best device is probably the 5C NFC because late-model iOS devices (iPhone 7 and higher) all have NFC support. But this does require a PIN. The biometric one is called the Yubikey C Bio - FIDO Edition and has a USB C port but no NFC. So there is no free lunch in this, and the Bio edition is $90 and out of stock, so there.
So the net is that there is no perfect device out there with NFC, USB C, and a fingerprint reader on it, so you get to decide what you want to secure more. For me, the biometrics in the Apple (and Android) devices are pretty strong now, so I'm not sure how much they are needed if you stay in Apple land, but if you have Linux and Windows this can make sense for logins and website authentication.
Personally, I'll probably wait to get the Yubikey C Bio edition, as PINs are a pain and the fingerprint is yet another, more secure factor.
How do I use it? Logins and websites
There are two main uses for these keys. The first is to allow logins to your machine without a password. This is safer because you need both the key and your PIN to get into your machine. Now with Macs you have the biometrics there as well, so that is safer for sure, and most Windows machines have a fingerprint reader, but the Linux machines we use don't. So then you need a few things.
First, you need to load the Yubikey Manager. The keys ship with default PINs, PUKs and Management keys (e.g. encryption keys), so you need to download the Manager to change them (and you should have something like 1Password to save them all, twice, for sure). You have to configure all of these across all your devices. Now that is a lot of PINs to remember, so you might want to label each device instead (or have some random set of digits and then a scheme for each one so the PINs are memorable but a little different).
Then each operating system has its own method for adding the key to the login. On the Mac there is a utility called sc_auth which deals with this and registers the public key (the main function of the YubiKey is to hold the private key). Linux has a PAM module that is also complicated and a little scary.
Still, using the instructions, and in particular sc_auth to force it, I got it to work, so now I can access my Mac with the security key and a PIN.
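The Mac procedure above (change the factory secrets in the Manager, then register the key's identity with sc_auth) as one script. This is an added example, not the post's own commands; it assumes the ykman 4+ CLI is on PATH, and the ykman flags, the "Using default" warning text and the sc_auth identities output format are assumptions about those tools.

```sh
#!/bin/sh
# Added example, not from the post: replace a YubiKey's factory PIV secrets,
# put a login identity in slot 9a, and pair it with macOS via sc_auth.
# Assumes ykman 4+ on PATH; the ykman flags and the "Using default" warning
# text are assumptions about the tool, not taken from the post.
set -eu

# YubiKey PIV factory defaults (documented by Yubico).
DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT=010203040506070801020304050607080102030405060708

# 0 if $1 is a usable PIV PIN/PUK: 6-8 characters and not the default in $2.
check_secret() {
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ] && [ "$1" != "$2" ]
}

# Reads `ykman piv info` output on stdin; 0 if a factory default remains.
still_default() {
  grep -qi 'using default'
}

main() {
  new_pin=$1 new_puk=$2 user=$3
  check_secret "$new_pin" "$DEFAULT_PIN" || { echo "weak PIN" >&2; return 1; }
  check_secret "$new_puk" "$DEFAULT_PUK" || { echo "weak PUK" >&2; return 1; }

  # 1. Replace all three factory secrets. --generate --protect keeps the new
  #    management key on the token behind the PIN, so it never needs storing.
  ykman piv access change-pin -P "$DEFAULT_PIN" -n "$new_pin"
  ykman piv access change-puk -p "$DEFAULT_PUK" -n "$new_puk"
  ykman piv access change-management-key -m "$DEFAULT_MGMT" -P "$new_pin" \
    --generate --protect
  if ykman piv info | still_default; then
    echo "a factory default is still in place" >&2; return 1
  fi

  # 2. Generate the login key pair on the token (private key never leaves it)
  #    and a self-signed certificate for it in slot 9a (PIV Authentication).
  pub=$(mktemp)
  ykman piv keys generate -P "$new_pin" -a ECCP256 --pin-policy ONCE 9a "$pub"
  ykman piv certificates generate -P "$new_pin" -s "CN=$user" 9a "$pub"
  rm -f "$pub"

  # 3. Pair the identity's public-key hash (first 40-hex token listed by
  #    sc_auth identities, an assumed format) with the macOS account.
  hash=$(sc_auth identities | grep -oE '^[0-9A-Fa-f]{40}' | head -n 1)
  [ -n "$hash" ] || { echo "no identity found by sc_auth" >&2; return 1; }
  sc_auth pair -u "$user" -h "$hash"
}

# Only touches hardware when invoked as: ./yk-login.sh --apply PIN PUK USER
if [ "${1:-}" = "--apply" ]; then main "$2" "$3" "$4"; fi
```

Save the new PIN and PUK in your password manager before running it; the PUK is the only way back in once the PIN retry counter is exhausted.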
Making it work with services like iCloud is a little more tricky: you basically have to follow each set of instructions, but the main thing is to load the Yubikey Authenticator application, and then you get the traditional TOTP codes. Note that there is room for only 32 such credentials on a key. I probably have over 100 right now, so use this only for the ones that are most important.