Setting up your YubiKey

June 07, 2021

Yubikey 5

So you got yourself a YubiKey. Congratulations, you are now on your way to becoming a member of a very special (and kind of lame) group of people who take their online security seriously!! But there are a bunch of tips I wish I had known before getting a YubiKey that I thought I should share:

  1. Make sure you have at least two keys
  2. Bookmark the YubiKey Verification site
  3. Change the default pins using the YubiKey Manager
  4. Configure YubiKey OTP
  5. Set the password for the Yubico Authenticator app

This article is going to assume you are using a YubiKey 5 Series and have access to either a Windows 10 or macOS machine. Some of these tips will also work for the basic YubiKey Security Keys, but if you are reading this article before you make a purchase, I highly recommend a 5 Series key, if only to gain access to the Yubico Authenticator app (the Security Key series has no OATH application, so it cannot store authenticator codes). Most of these instructions should also work on Linux, but may not work with Chromebooks because Chrome OS is still a little finicky about how it handles USB devices.

Finally, this article is not going to go into advanced topics like how to use OpenPGP with your YubiKey. My goal is to break down the early steps of setting up a YubiKey 5 for a moderately technical person, not to show how an IT professional could use it for their entire workday. So if you are an influencer, social media marketing specialist, developer, or just someone who wants to take their online security a little more seriously, keep on reading.

Make sure you have at least two keys

I am not alone in saying you should have multiple keys. The conventional wisdom with security keys is that you should have one key with you at all times and the other in a safe space like a bank vault. But when I first heard this whole mishegas of having two keys I thought it was just a ploy to sell more keys!! Eventually I did realize there are three good reasons to buy two keys:

  1. You might lose one of your keys.
  2. Different form factors (USB-A, USB-C, NFC) suit different devices.
  3. All hardware eventually fails.

I think the last one is probably the biggest reason to buy two keys. Yes, YubiKeys are notoriously durable, but all hardware fails at some point!! And there is no way to copy one key onto another: the private keys a YubiKey generates never leave the device, so a backup key is not a clone, and every account has to be registered on each key separately. That is why getting two keys off the bat and putting every account on both makes sense to me. The key is (pun intended) to swap your primary and backup every so often, say once a month, so you know they both still work and you haven't accidentally forgotten to add one of your accounts to the backup.

Bookmark the YubiKey Verification site

You want to bookmark this site: https://www.yubico.com/genuine/ and you might want to start there when you first get your keys. If you are super paranoid, this site should help ease your mind that the key in your hand is in fact a genuine YubiKey. The second reason to bookmark that site is a little more convoluted and definitely is an extreme edge case. But I have unfortunately done the wrong thing when I came upon this case so please learn from my mistake.

When you use your YubiKey for WebAuthn, the website's developer chooses whether sign-in requires user verification or not. If the site requires it, you will be asked for your FIDO2 PIN (more on PINs in the next section) every time you use your key. This is not a setting you as the user have any control over. The problem is that a developer can require user verification without handling it correctly on their end, so the site keeps rejecting your key even though the PIN you typed was right, and you start second-guessing yourself and trying other PINs. Every wrong PIN counts against the key's retry counter: after three consecutive failures you have to unplug and reinsert the key, and after eight consecutive failures the FIDO2 application locks for good. That isn't a lockout you can wait out for a couple of hours; the only way back is to reset the FIDO2 application, which wipes every WebAuthn registration on that key.

So if a website asks for your FIDO2 PIN, you enter it once, and the site rejects your key, do not keep entering it into the same site. Remember that the PIN is checked by the key itself through the browser's own prompt, so a genuinely wrong PIN is reported by the browser before the website sees anything; if the browser accepted the PIN and the site still rejected you, your memory is not the problem. Go to the Yubico site and test your key there to confirm you really do remember your PIN (on the command line, `ykman fido info` also tells you whether a PIN is set and how many attempts remain). Yubico is pretty good at building WebAuthn stuff (they co-authored the FIDO standards it builds on), so check there first so you can make a better assessment of what might be going on.
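
To make the developer-side setting concrete, here is an added example (not code from the original post) of the check a website performs on its end. The developer's choice is the `userVerification` option ("required", "preferred" or "discouraged") in the WebAuthn request; the key reports whether it actually verified your PIN by setting the UV bit in the flags byte of the signed authenticatorData, and a site that requires verification has to reject any assertion where that bit is clear. The relying-party name and the authenticatorData blobs below are constructed for the example, not captured from a real key.

```python
"""Parse the flags byte of WebAuthn authenticatorData and apply a relying
party's user-verification policy.

Added example, not code from the original post. It uses only the WebAuthn
authenticatorData layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian
signCount, then optional data); the relying-party name and the blobs built
below are constructed, not captured from a real key.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: the key itself checked a PIN or biometric
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

AUTH_DATA_MIN_LEN = 37


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, rp_id: str, user_verification: str) -> str:
    """Return "ok" or the reason the assertion fails.

    user_verification is the policy the site's developer put in the
    WebAuthn request: "required", "preferred" or "discouraged". Only
    "required" obliges the site to insist on the UV flag.
    """
    if user_verification not in ("required", "preferred", "discouraged"):
        raise ValueError(f"unknown userVerification value: {user_verification!r}")
    fields = parse_auth_data(auth_data)
    if fields["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not fields["user_present"]:
        return "user presence flag not set"
    if user_verification == "required" and not fields["user_verified"]:
        return "user verification required but UV flag not set"
    return "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData for the examples."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # hypothetical relying party
    touch_only = make_auth_data(rp, FLAG_UP, 41)               # touched, no PIN
    touch_and_pin = make_auth_data(rp, FLAG_UP | FLAG_UV, 42)  # key verified the PIN
    for policy in ("discouraged", "preferred", "required"):
        print(f"{policy:11} touch only -> {check_assertion(touch_only, rp, policy)}")
        print(f"{policy:11} touch+PIN  -> {check_assertion(touch_and_pin, rp, policy)}")
```

The point this makes: the PIN check itself never reaches the website. Either the key verifies the PIN and sets UV, or the browser reports the PIN as wrong and sends nothing. A site that rejects an assertion after the browser accepted your PIN is failing on its own side, and retyping the PIN cannot change the flags it receives.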

Change the default pins using the YubiKey Manager

Yubikey Manager Application

You will want to visit https://www.yubico.com/support/download/yubikey-manager/ and download YubiKey Manager. There is no FIDO2 PIN set out of the box, so you will want to set one in case a site requires it later. If you are using Windows, you will probably need to run YubiKey Manager as an administrator for the FIDO2 functions to work. To set the PIN, go to Applications and then FIDO2 and set your PIN there. Pick something you can reliably remember: the PIN is verified by the key itself, and the only way to recover from a forgotten one is to reset the FIDO2 application, which erases every WebAuthn registration on the key.

Another PIN you might want to change is the one for PIV, the smart card application. In all likelihood you won't need it, but it ships with well-known defaults: the PIN is 123456, the PUK (the code used to unblock a locked PIN) is 12345678, and the management key is a fixed, published value. Leaving them like that just feels wrong. To change them, go to Applications->PIV->Configure PINs and use Change PIN, Change PUK and Change Management Key. Like I said, this is optional, unless you know for certain you will use PIV, in which case it should be mandatory.

Configure YubiKey OTP

Tap YubiKey with finger

So I sometimes leave my YubiKey in my computer, accidentally graze the button, and bam: ccccccrrcvvnjvjuelkdfcgluhueiejjrrflllitthck, all this gibberish shows up. That string is a Yubico OTP. The key acts as a USB keyboard, and a short touch makes it type a one-time password into whatever window has focus, because on a new key the short-touch slot (slot 1) holds the factory Yubico OTP credential. Why Yubico made OTP the default short touch, I have no idea, but you can change it pretty easily inside YubiKey Manager. The official instructions are at https://support.yubico.com/hc/en-us/articles/360013714379-Accidentally-Triggering-OTP-Codes-with-Your-Nano-YubiKey, but here is the tl;dr:

In YubiKey Manager, go to Applications->OTP and click Swap. This exchanges the two slots, so on a fresh key, where slot 2 is empty, the Yubico OTP configuration moves from slot 1 (short touch) to slot 2 (long touch) and slot 1 ends up empty. That's it!! Yubico OTP still works, you just hold the button for roughly three seconds now. If you never use Yubico OTP at all you can delete the slot 1 configuration instead, but be aware that this throws away the factory credential that is pre-registered with YubiCloud; you would have to program and register a new one to use YubiCloud again.
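
As an added example (not code from the original post), here is a small Python script that recognizes a Yubico OTP pasted where it doesn't belong and decodes the part that identifies the key. It relies only on the published Yubico OTP format: 44 characters of the "modhex" alphabet cbdefghijklnrtuv (chosen because those keys sit in the same place on most keyboard layouts), where the first 12 characters are the key's public ID and the remaining 32 are the AES-encrypted one-time token. The chat line it scans is constructed; the OTP inside it is the one quoted above.

```python
"""Recognize Yubico OTPs that were typed into the wrong place and pull out
the public ID that identifies the key.

Added example, not code from the original post. It depends only on the
published Yubico OTP format: 44 characters from the modhex alphabet
"cbdefghijklnrtuv", of which the first 12 are the key's public ID and the
last 32 are the AES-encrypted one-time token. The chat line below is
constructed; the OTP in it is the one quoted in the post.
"""
import re

MODHEX = "cbdefghijklnrtuv"   # modhex digit i corresponds to hex digit i
HEX = "0123456789abcdef"
OTP_LEN = 44
PUBLIC_ID_LEN = 12

# Exactly 44 modhex characters, not embedded in a longer modhex run.
OTP_RE = re.compile(rf"(?<![{MODHEX}])[{MODHEX}]{{{OTP_LEN}}}(?![{MODHEX}])")


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to ordinary hex; rejects non-modhex input."""
    out = []
    for ch in s:
        idx = MODHEX.find(ch)
        if idx < 0:
            raise ValueError(f"not a modhex character: {ch!r}")
        out.append(HEX[idx])
    return "".join(out)


def find_otps(text: str) -> list:
    """Return (otp, public_id_hex) for every Yubico OTP found in text."""
    return [(m.group(0), modhex_to_hex(m.group(0)[:PUBLIC_ID_LEN]))
            for m in OTP_RE.finditer(text)]


def redact_otps(text: str) -> str:
    """Replace the 32-character token half of each OTP, keeping the public
    ID so the message still shows which key produced it."""
    def _redact(m):
        return m.group(0)[:PUBLIC_ID_LEN] + "<token redacted>"
    return OTP_RE.sub(_redact, text)


if __name__ == "__main__":
    # Constructed chat message containing the OTP quoted in the post.
    chat = ("meeting moved to 3pm "
            "ccccccrrcvvnjvjuelkdfcgluhueiejjrrflllitthck sorry, wrong window")
    for otp, public_id in find_otps(chat):
        print(f"Yubico OTP found; public ID {otp[:PUBLIC_ID_LEN]} = 0x{public_id}")
    print(redact_otps(chat))
```

Run over a chat message or a commit before it goes out, this flags the accidental OTP and strips the token half while keeping the public ID, which is the part that ties the string to your particular key.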

Set the password for the Yubico Authenticator app

Screenshot of Yubico Authenticator

Yubico Authenticator is one of my favorite parts of YubiKeys!! I wish all websites supported WebAuthn, but until that day authenticator apps are not going anywhere for MFA. The difference from a phone authenticator is that the TOTP secrets live on the key rather than on your phone, and the app only computes the codes. So first download the appropriate app for you from https://www.yubico.com/products/yubico-authenticator/ and then go to settings in the app to set a password for your key. The reason you want a password is that, without one, anyone who plugs your key into a computer running the app can read off your codes; the password is what stops someone "borrowing" your key to steal some credentials. It should be noted that the PINs you set before and this password are completely different: the FIDO2 PIN, the PIV PIN and the authenticator (OATH) password protect three separate applications on the key, so knowing one of them doesn't mean you know the others. And if you forget the authenticator password, the only way out is to reset the OATH application, which erases the secrets stored on the key, so keep it somewhere safe like your password manager.

The longer explanation can be found here: https://support.yubico.com/hc/en-us/articles/360013789259-Using-Your-YubiKey-with-Authenticator-Codes along with how to use the app but I will be writing a more condensed version of how I use the Yubico Authenticator apps.

So yeah, that’s about it when it comes to setting up your first YubiKey. Have fun and welcome to being a member of the initiated!!



Written by JJ Dharmaraj who builds useful-ish things. You should follow him on Twitter