Key Takeaways
- Enhance SSH security with a YubiKey
- Replace TOTP apps with a YubiKey
- Safeguard passwords with a YubiKey
YubiKeys have been on the scene for well over a decade now, and have slowly but surely been growing to support more and more use cases. YubiKeys offer a second hardware factor for authentication, requiring not only that a code or key is provided, but that the physical device is inserted as well. They even include a physical button, or biometric sensor on some models, to ensure that the device is physically touched and can't be remotely manipulated. Here are some great ways to make use of your YubiKey that you might not be taking advantage of yet.
5 Secure SSH with your YubiKey
Great for homelabs or cloud resources
If you're a bit of a homelabber, have a home NAS or media server, or run servers in the cloud, one great use for your YubiKey is to add it as a second authentication factor to your SSH connections. This requires your YubiKey to be connected to the device initiating the SSH connection, and it can require a physical touch or biometric check as well.
There are multiple ways to set this up, each with its pros and cons, outlined in Yubico's documentation. If you're just authenticating to a Linux server you control, we'd recommend using FIDO2, although there are other options. PGP keys can be generated on your YubiKey and used with OpenSSH, but FIDO is the easiest to set up. You'll want to generate a discoverable (resident) key, so that the SSH key itself lives on your YubiKey and can be used from any computer the key is inserted into, and you'll need to secure it with a PIN. The generated public key is stored on your computer, while the "private key" file it writes is only a reference (a key handle) to the actual private key, which stays on your YubiKey.
There are some caveats to be aware of. At the time of writing, this wasn't supported on Windows, and the bundled version of OpenSSH on macOS disables this functionality.
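As an added example (not code from the article or from Yubico), this script shows the ssh-keygen invocation for a resident FIDO2 key that needs the PIN on every use, and a server-side audit that flags authorized_keys entries which are not hardware-backed or don't enforce PIN verification. The application name `ssh:homelab`, the file path, and the sample authorized_keys entries are assumed, constructed values.

```python
import shlex

# OpenSSH key types whose private half lives on a FIDO authenticator such as a YubiKey.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def keygen_command(application: str = "ssh:homelab",
                   path: str = "~/.ssh/id_ed25519_sk_homelab") -> list[str]:
    """argv for generating a discoverable key on the YubiKey (assumed names).
    -O resident        : key is stored on the YubiKey, usable from any computer
    -O verify-required : the PIN must be entered on every use (touch is always required)
    -O application=... : lets several resident keys coexist on one YubiKey
    `path` receives the public key and a key handle, never the private key."""
    return ["ssh-keygen", "-t", "ed25519-sk", "-O", "resident",
            "-O", "verify-required", "-O", f"application={application}", "-f", path]

def audit_authorized_keys(text: str) -> list[str]:
    """Return one finding per entry that is not a FIDO key requiring PIN verification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours quotes inside from="..." style options
        options: list[str] = []
        # The key type is the first field unless the entry starts with an options list.
        if fields[0] not in SK_TYPES and not fields[0].startswith(("ssh-", "ecdsa-")):
            options = fields[0].split(",")
            fields = fields[1:]
        key_type = fields[0] if fields else ""
        if key_type not in SK_TYPES:
            findings.append(f"line {lineno}: not a hardware-backed key ({key_type or '?'})")
        elif "verify-required" not in options:
            findings.append(f"line {lineno}: FIDO key without verify-required (PIN not enforced)")
        elif "no-touch-required" in options:
            findings.append(f"line {lineno}: FIDO key with no-touch-required")
    return findings

# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample laptop
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5Example laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhExample old-key
"""

if __name__ == "__main__":
    print(" ".join(keygen_command()))
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```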
4 Generate TOTP codes with your YubiKey
Replace authenticator apps with your hardware key
One of the best uses for a YubiKey is to replace your regular authenticator apps. Most two-factor authentication codes for websites and apps use a technology known as TOTP, or Time-based One-Time Password. This is the four or six-digit code generated by your authenticator app when you log in to an app or website. TOTP works by saving a shared secret to your device (often delivered as a QR code); that secret is combined with a keyed hash (HMAC) and a counter derived from the current time to produce short-lived codes. In effect, both your device and the server compute the same counter from the current time, so both agree on which code is valid at any given moment.
While this is mostly done in authenticator apps, your YubiKey is capable of generating these codes for you, and it can even require a touch (or a biometric check on some models) to do so. This is a real security improvement: someone who has remotely compromised the device holding your codes still can't supply the physical touch, so they can't generate a code (this is also why it's safest to keep your 2FA codes on a phone or other mobile device rather than on your laptop or PC).
Not all YubiKeys support TOTP 2FA, but the documentation makes it easy to set up using the Yubico Authenticator desktop app.
3 Secure your password manager with a YubiKey
Add an extra step to your most valuable login
Password managers have been all the rage in recent years and have some big advantages to offer. Using them to generate a unique, random password for each website you visit can help protect you when your passwords are lost in data breaches, and can simplify your online life by providing secure, cloud-synced access to all your passwords in a central location.
Most password managers require at least one second authentication factor (as well as a strong master password), and your YubiKey is perfect for this. I use Bitwarden, which offers easy integration (for enterprise or premium users) with any recent YubiKey. Make sure you save your recovery codes somewhere safe, though: losing your second factor, i.e. losing your YubiKey, can leave you permanently locked out of your account. Because password managers like Bitwarden encrypt your data so that they themselves can't read your passwords, there's nothing they can do once your account is locked, which could leave you locked out of all of your accounts!
If you're self-hosting Bitwarden, fret not, YubiKeys are supported there too!
Your mileage may vary depending on your password manager, but most should support YubiKeys natively. If not, you can always use a TOTP code on your YubiKey in its place.
2 Secure your online accounts
It's easy to miss sites that support hardware keys
This one is a little obvious, but it's surprisingly easy to forget to set up your YubiKey on some websites. The list of supported sites is growing all the time. Some logins I'd personally overlooked securing with my YubiKey were my iCloud, GitHub, and AWS IAM accounts. Other common sites like Reddit, YouTube, and Instagram all have support, which can greatly help protect your logins.
It's worth reviewing the list of supported services on Yubico's website. It's also worth taking some time, perhaps on a lazy Sunday, to double-check that you've saved recovery codes for your second factor on all of these sites. Remember, without those codes, a lost or stolen YubiKey means you'll no longer be able to access your login.
1 Secure your desktop logins
Great if you want some extra security on your devices
If you're concerned about the physical security of your device, this can offer some reassurance. Both macOS and Windows support using your YubiKey to log in to your local accounts, although there might be some caveats. Windows only supports login for local accounts, meaning that this is unsupported if your PC is set up with a Microsoft account (don't worry though, you can convert it reasonably painlessly).
On Windows, you'll need to install the Yubico Login Configuration app, which will register itself as a separate authentication provider. From there, you'll need to enter both your regular local account username and password, as well as insert your YubiKey. You won't need to press your YubiKey, and again, it's important to save your recovery codes.
macOS is simpler, allowing you to pair your YubiKey as a smart card in any version of macOS past High Sierra. You'll need to download the YubiKey Manager application, where there's a designated option to set things up for macOS. You'll need to set a PIN. Your Mac will then ask for that PIN in the login field to authenticate with the YubiKey when locked. Unlike Windows, there are some significant caveats to setting your YubiKey as the only authentication method on macOS, so we don't recommend it. You'll still be able to use Touch ID to log in, as well as your regular user password, so we recommend setting a strong password and keeping it somewhere safe (like a backup key).
YubiKeys are great for enhancing your security
YubiKeys are great for enhancing both your practical security and your own peace of mind. In today's world of seemingly endless threats and scares online, it can be reassuring to have something you physically own and control which keeps your accounts truly safe. We should note that YubiKeys, while some of the most popular and well-supported, aren't the only hardware keys available. Some alternative models can be cheaper and more accessible, though they may sacrifice some features.
We'd recommend everyone consider a YubiKey if you're looking to enhance your security online, especially if you want to get away from using your phone for annoying 2FA codes without sacrificing security.