Using your YubiKey

Notes on installing and setting up your YubiKey 4 for various platforms and applications.

Table of Contents

Introduction

The YubiKey is a hardware device manufactured by Yubico that provides a hardware "second factor" enabling true two-factor authentication: something you know (your password) and something you have (your YubiKey). It enables you to easily and securely log in to accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.

Operation

  • Simply plug it into an unused USB port.
  • During certain types of authentication you will be prompted on screen to press the inset copper button marked with an (often lit) "Y".

Security Hints

  • If you trust your environment (like at home) you can keep the YubiKey near or even plugged into your computer.
  • In low trust environments (coffee shops, hotel rooms, etc.) keep your YubiKey with you at all times (in a pocket or purse). If your computer is compromised, it won't be accessible without the YubiKey that you have on you.
  • Do not use SMS text messages for two-factor authentication.

Basic Setup (do this first)

Before your YubiKey can act as a second (hardware) authentication token for applications, you need to install and configure some software that "personalizes" your YubiKey. Also included are some more advanced instructions that enable locking your screen with your YubiKey.

Enable YubiKey TFA for applications

LastPass

Once enabled, LastPass requires a YubiKey token (touch the button for approximately one second) on a laptop or desktop to unlock your vault.

  • My Vault -> Account Settings -> Multifactor Options
    • Set up one free option (e.g., Google Authenticator) - this is a useful backup
    • YubiKey (an easier option) is available when using LastPass Premium ($12/year)
      • Select the YubiKey option.
      • Insert the YubiKey device into a USB port on your computer.
      • Focus your cursor on the "YubiKey #1" field.
      • Press the button on the YubiKey device.
      • A long string of dots should appear in the YubiKey #1 field.
      • Change the "YubiKey Authentication" status to "Enabled"
      • Set "Enabled" ==> "Yes"
      • Set "Permit Offline Access" ==> "Disallow"
      • Press the Update button
      • Enter your LastPass master password and press Confirm.
      • YubiKey is now enabled for your LastPass account.
  • If you have a YubiKey Neo (CivicActions uses the YubiKey 4 model) and your phone supports NFC, you can touch the Neo against your phone to unlock on mobile.
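The "long string of dots" LastPass captures in the YubiKey #1 field is a 44-character Yubico OTP in "modhex" (a keyboard-layout-independent hex alphabet), which is also the OTP mode the Introduction refers to. The following is an added example, not code from this README or from Yubico: it decodes modhex, splits an OTP into its 12-character public identity and its 32-character encrypted token, and separates an OTP from a password it was appended to. The sample OTP is constructed and not a real token; the encrypted part can only be validated by a server holding the AES key (for example YubiCloud), so this code checks structure only and never "verifies" an OTP.

```python
"""Inspect the public structure of a Yubico OTP (added example, not from the README)."""

# Modhex alphabet used by Yubico OTPs. Index == nibble value (c=0 ... v=15).
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44           # 12 chars public id + 32 chars encrypted token
PUBLIC_ID_LENGTH = 12

# Constructed sample OTP (not a real token): public id "ccccccbcgujh" followed
# by 32 modhex characters standing in for the AES-128 encrypted token.
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded"


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes; reject odd lengths and foreign characters."""
    if len(text) % 2:
        raise ValueError("modhex string must have even length")
    try:
        nibbles = [MODHEX_ALPHABET.index(ch) for ch in text.lower()]
    except ValueError:
        raise ValueError("non-modhex character in input") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Encode bytes as modhex (the inverse of modhex_decode)."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def is_modhex(text: str) -> bool:
    return bool(text) and all(ch in MODHEX_ALPHABET for ch in text.lower())


def parse_yubico_otp(otp: str) -> dict:
    """Split an OTP into its public identity and opaque encrypted token.

    Only the structure is checked here. Whether the token is genuine and not
    replayed (the counter inside it) can only be decided by the validation
    server that holds the key's AES secret.
    """
    if len(otp) != OTP_LENGTH or not is_modhex(otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    public_id = otp[:PUBLIC_ID_LENGTH].lower()
    ciphertext = modhex_decode(otp[PUBLIC_ID_LENGTH:])
    return {
        "public_id": public_id,                      # identifies which key produced it
        "public_id_bytes": modhex_decode(public_id), # 6 raw bytes
        "ciphertext": ciphertext,                    # 16 opaque bytes, server-only
    }


def extract_otp(field_value: str) -> tuple[str, str]:
    """Separate a trailing Yubico OTP from whatever was typed before it.

    Keys type the OTP at the cursor, so login forms often receive
    "<password><otp>" in one field. Returns (prefix, otp); prefix is empty
    when the field held only the OTP.
    """
    if len(field_value) < OTP_LENGTH:
        raise ValueError("field too short to contain a Yubico OTP")
    prefix, candidate = field_value[:-OTP_LENGTH], field_value[-OTP_LENGTH:]
    parse_yubico_otp(candidate)   # raises if the tail is not OTP-shaped
    return prefix, candidate


if __name__ == "__main__":
    info = parse_yubico_otp(SAMPLE_OTP)
    print("public id:", info["public_id"], "=", info["public_id_bytes"].hex())
    print("encrypted token (hex):", info["ciphertext"].hex())
    print("split:", extract_otp("correct horse" + SAMPLE_OTP))
```

Because the public identity is the only part a client can read, a log that records it (but not the full OTP) is enough to tell which physical key was used without leaking a replayable credential.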

Google

For each Google account you have:

  • Visit https://accounts.google.com/b/0/SmsAuthSettings#devices
  • Enable TFA, and complete the phone verification process (phone will act as backup TFA).
  • Click on "Security Keys" and follow instructions to add Yubikey.
  • Return to the main page and add a second phone and/or print backup codes.
  • As long as you have a backup, you can also install the Yubikey Authenticator app, and configure your account to use that for the backup TFA instead of SMS/phone - this is the same as the Google Authenticator app, except that it stores the credentials on your Yubikey instead of the phone.
  • If you have funky devices/apps that don't support TFA, you can set an application-specific password from that tab. This includes sending E-mail from your personal Gmail account using your civicactions.com IMAP, for instance.

AWS Root Account

For each AWS account you have:

AWS IAM Account

  • Visit https://console.aws.amazon.com/iam/home?region=us-east-1#users
  • Choose your user name
  • Click on Manage your MFA device
  • Use the Google Authenticator app to scan the QR code, and enter the response code,
  • then close and reopen the app and enter the second response code.
  • Using the YubiKey is untested - I don't have Yubikey Authenticator set up.