Here’s a quick ‘how-to’ use a Yubikey or rather two or more Yubikeys
Recently I started using a small wafer-thin USB key that gives me a secure U2F connection to several programs or web sites, like Google Gmail, Facebook, Dropbox etc with 2AF security, these days a must.
Setting one up isn’t that hard, basically, you choose the two-factor authentication (2FA) option on the site or the application that you want to use it with, follow the blah blah until you get to scan a QR code that you zap with your YubiKey authenticator app on your phone.
(you can also use another authenticator app, such as Authy) but …….
….but while you’re securing a web site or a program/application, secure the app on your phone as well. Authy or/and most apps will show you or anyone the 6 codes generated on the app just by opening it, so could be potentially dangerous.
Yubi’s authenticator app will only show the codes if you have a Yubi key next to the phone by NFC contact or plugging it into the phone.
The app like all authenticator apps will show a 6 digit code for 30 seconds, after 30 seconds this code changes.
On the website, after scanning the QR code it will be expecting you to insert the 6 figure code and hit enter, and voilà this will then ‘tie’ the app, or web site to your key and the authenticator app.
Again, so that the authenticator app shows the codes, it needs to be next to the key if NFC, or the key plugged in depending on the model you have bought, in my case the 5 NFC
Now where it becomes a little complicated is if you want to have two keys or more (like me)
I bought a second key couple of weeks later, wanting one on my key-ring with my keys and another next to my computer at home.
So I ordered the same one, YubiKey 5 NFC, being naive, I thought it would just work, touch the authenticator app with the second key and it would work, being the same as the other one, doh stupido… of course it didn’t
Reading up quickly on the YubiKey site didn’t make any sense to me, so I spent some time playing around until I sussed it out
So let’s start again
Log in to one of the sites you have already done with the first key, Dropbox for example, Cancel the 2FA option and delete it from the app. Then start all over again.
This time when you get to the QR code to be scanned, scan it with the YubiKey authenticator app (as before) Save the site that’s just been added, by pressing the save button, you also need to re touch the phone with one of the keys to save it. Then RE SCAN the QR code again, this time save it again using the other key, it won’t add another login (there will only one instance Dropbox for instance on the app, but both keys will now work/be linked with it, don’t forget to validate the scanned QR with the 6 digit code shown on the app.
So scan, add it to the app, re scan add it to the app and validate the scanned QR with the 6 digit code being shown
Now when you open the YubiKey authenticator app again on the phone, either key will open it and show the stocked codes, FB, Dropbox etc
Certain sites such a Gmail, BitWarden use these keys, and in the settings, you can add as many as 5 or 6 keys directly on the site (Twitter only one), also certain don’t need the authenticator app or van use it as well, just rely on the key being connected directly the USB socket and being touched (there’s a little ‘touch pad’ on the key) to open the web site or app. That’s why I wanted one always next to the computer and the other with my keys in my bag or pocket near my phone
The authenticator app also works on a PC, in my case Linux. (a page explain how to get the app to work in Linux on my previous post)
As above, the key just needs to be plugged into the USB socket and touched when you start the program so that the codes are shown, the same principle as the app on the phone
So now two keys are working, so if ever you lose or break one, you have the other that can be used, giving you time to buy another, for info they are not expensive at around 50 euros. Note that is quite important as some apps, like the Yubikey authenticator CANNOT be used without a key.
Please don’t hesitate to leave any comments or critics, or suggestions if you find anything wrong.