
Universal 2nd Factor (U2F) is an open security standard that simplifies and improves your personal security by only requiring a physical Universal Serial Bus (USB) key to authenticate with various services. Your USB key authenticates by answering a challenge-response using public-key cryptography: the service sends a challenge and the key signs it with a private key that never leaves the hardware. If you have been using Two Factor Authentication (2FA), then U2F is an upgrade/evolution of that approach where you have physical hardware instead of dealing with the hassle of a constantly changing code stored in an app like 1Password.
Depending on the type of U2F key you buy, you’ll also be able to use Near-Field Communication (NFC) to authenticate. NFC is handy with mobile devices, especially devices that might not have a USB-C port. When looking to buy a U2F key, I’d recommend picking USB-C with NFC support so you can hold your U2F key near your device to authenticate.
U2F, 2FA, WebAuthn, and much more are all part of the Fast IDentity Online (FIDO) standards. There is a lot to unravel in this space, but the purpose of this article is to focus on U2F in order to enhance your experience and improve your security.
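To make the challenge-response described above concrete, here is an added Go example (not code from this post or from Yubico) that models both sides of a U2F login: a simulated key that holds one P-256 key pair per registration and signs SHA-256(appID) || user-presence || counter || SHA-256(clientData), and a service that verifies the signature and checks that the counter advanced. The app ID, challenge and random key handle are constructed for the example; a real YubiKey derives the handle from the app ID and a device secret rather than storing a table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// registration is what the simulated key keeps per key handle: the private key and the app ID it was made for.
type registration struct{ priv *ecdsa.PrivateKey; appID string }
// Authenticator models the YubiKey: one P-256 key pair per registration plus a global signature counter.
type Authenticator struct { regs map[string]registration; counter uint32 }
func NewAuthenticator() *Authenticator { return &Authenticator{regs: map[string]registration{}} }
// Register mints a fresh key pair bound to appID; the service stores the handle and the public key.
func (a *Authenticator) Register(appID string) (handle []byte, pub *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	handle = make([]byte, 32) // constructed: random handle (a real key derives it from appID and a device secret)
	rand.Read(handle)
	a.regs[string(handle)] = registration{priv, appID}
	return handle, &priv.PublicKey
}
// signedData is the U2F signature input: SHA-256(appID) || user-presence byte || counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(append(append(app[:], 0x01), ctr...), cd[:]...) // 0x01: user presence (the touch) confirmed
}
// Authenticate signs a challenge, refusing a handle that was not registered for this appID (the phishing check).
func (a *Authenticator) Authenticate(appID string, handle, clientData []byte) (uint32, []byte, error) {
	reg, ok := a.regs[string(handle)]
	if !ok || reg.appID != appID { return 0, nil, errors.New("key handle not registered for this appID") }
	a.counter++ // monotonic counter lets the service spot replays and cloned keys
	digest := sha256.Sum256(signedData(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.priv, digest[:])
	return a.counter, sig, err
}
// RelyingParty keeps the registered public key and the last counter it accepted.
type RelyingParty struct { appID string; pub *ecdsa.PublicKey; lastCounter uint32 }
// Verify rebuilds the signed data itself, checks the signature, then rejects a counter that did not advance.
func (rp *RelyingParty) Verify(clientData []byte, counter uint32, sig []byte) error {
	digest := sha256.Sum256(signedData(rp.appID, counter, clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) { return errors.New("bad signature") }
	if counter <= rp.lastCounter { return errors.New("counter did not advance: replay or cloned key") }
	rp.lastCounter = counter
	return nil
}
```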
Requirements
You’ll need the following to get started:
- YubiKey 5C NFC - This is the hardware I’m using but any YubiKey should be fine.
- YubiKey Manager CLI - Necessary to interface with and manage your YubiKey(s) from the command line. If using Homebrew, this manager can be installed via:
brew install ykman
I recommend purchasing two keys so you’ll have a primary and backup key. Having a backup key is important because if you lose your primary key, it becomes nearly impossible to get into the services associated with your keys.
💡 As a side note, there is also support for YubiKey Bio keys which use biometric data (i.e. fingerprint) to verify who you are. These biometric keys don’t support NFC at the moment so depending on your needs you might want the convenience of NFC for mobile access or forgo that entirely and use the bio keys.
Setup
There are several steps necessary for properly setting up your new keys and you’ll want to repeat this process for both keys by configuring your Personal Identity Verification information. Additional documentation is provided by YubiKey.
Personal Identity Verification (PIV)
Getting started with the PIV is as simple as running:
ykman piv access
You should then see the following output:
Usage: ykman piv access [OPTIONS] COMMAND [ARGS]...

  Manage PIN, PUK, and Management Key.

Options:
  -h, --help  Show this message and exit.

Commands:
  change-management-key  Change the management key.
  change-pin             Change the PIN code.
  change-puk             Change the PUK code.
  set-retries            Set the number of PIN and PUK retry attempts.
  unblock-pin            Unblock the PIN (using PUK).
Feel free to explore and check out the documentation by using --help after any one of these commands.
Personal Identification Number (PIN)
The first thing you’ll want to do is change your PIN. Example:
ykman piv access change-pin --pin 123456 --new-pin <redacted>
New PIN set.
The default PIN is 123456. You can use a mix of alphanumeric and special characters for your new PIN, but the YubiKey documentation recommends sticking with digits only for compatibility with older systems. The maximum length is 8 characters. I’d recommend using the max length and storing the PIN in your password manager.
PIN Unblocking Key (PUK)
After setting your PIN, you’ll want to set your PUK by changing it from the default value of 12345678. The PUK lets you unblock and recover your PIN should you forget it or use up the maximum number of retries (default: 3).
ykman piv access change-puk --puk 12345678 --new-puk <redacted>
New PUK set.
As with your PIN, make sure to save your new PUK in your password manager too.
Management Key
Finally, you’ll want to set your management key.
ykman piv access change-management-key --protect --touch --management-key 010203040506070801020304050607080102030405060708 --pin <redacted>
As shown above, I’m replacing the default value with a randomly generated key that is stored on the YubiKey, protected by my PIN (--protect), and requires a touch each time it is used (--touch). Alternatively, you can forgo PIN protection and supply a 32 byte value for your new key instead.
iOS
You can also register your YubiKeys if using iOS 16.3.0 or higher by following these quick steps to get set up:
- Open Settings.
- Tap on your profile.
- Tap on Password & Security.
- Tap on Add Security Keys.
- Tap Continue and enter your iOS passcode.
- Follow the prompts to add your primary and secondary keys. Since my keys have NFC support, holding each up to the top of the phone was all I needed to recognize each one after the other.
That’s it. You can also confirm your keys are configured by logging into your Apple ID but you’ll need to use Safari to do this (didn’t work on Firefox for me, at least).
Services
Now that your YubiKeys are set up and secure, you’ll want to learn how to set up your keys for use with your favorite services. You’ll be able to browse through a list of supported services. Here’s a sample:
- Amazon Web Services (AWS) - Log into your account, click on Security credentials, scroll down to the Multi-factor authentication (MFA) section, and click on Assign MFA device. From here you can add your primary and secondary keys.
- Discourse - Once logged into your account, click on your profile, Preferences, Security, and Manage Two-Factor Authentication to add your U2F keys.
- Fastmail - Log into your account, click on Settings, and Password & Security to add your new keys.
- Google - Once logged into your account, click on Security, 2-Step Verification, and add your U2F keys.
Updating existing services to use U2F is quick and easy. All of them let you label each of your keys as you register them. I opted to color code and register my keys as follows:
- Primary (red)
- Secondary (black)
Firmware
YubiKey firmware can’t be upgraded, so you are stuck with whatever version was installed when you bought your keys. To find the version and general information, you can run ykman info to see something along the lines of the following:
Device type: YubiKey 5C NFC
Serial number: <redacted>
Firmware version: 5.2.7
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB            NFC
FIDO2           Enabled        Enabled
OTP             Enabled        Enabled
FIDO U2F        Enabled        Enabled
OATH            Enabled        Enabled
YubiHSM Auth    Not available  Not available
OpenPGP         Enabled        Enabled
PIV             Enabled        Enabled
Limitations
There are some limitations. One, as mentioned above, is upgrading the firmware on your device. Currently, this isn’t possible.
The other limitation is that your YubiKey can only hold up to 25 passkeys (discoverable FIDO2 credentials stored on the key; plain U2F registrations keep no state on the key and don’t count toward this limit). Thankfully, Yubico is planning to raise this limit in the future, but that will require new hardware.
Accessories
Should you want to accessorize your U2F key, the following may or may not be of interest:
- YubiStyle Cover - Red - A/C NFC - Yubico offers several colors and patterns to choose from.
- PocketBands - Been using this for a while and really like it in terms of low profile, easy access, and convenience.
Resources
The following might be of interest for those wishing to spend some time manually configuring their machine to support U2F keys:
- Beyond Passwords: 2FA, U2F and Google Advanced Protection - A detailed article that’ll walk you through 2FA and U2F security.
- YubiKey for SSH, Login, 2FA, GPG and Git Signing - Walks you through using your U2F key for operating system login, SSH, GPG, and more.
Conclusion
I’m enjoying both the increased security and reduced hassle of using 2FA. I do wish I could use my Apple Watch as my primary U2F key instead of carrying both my watch and YubiKey. Maybe at some point in the future, this will become a reality. For now, I’m happy to make it harder to gain access to any of my accounts and hope you make the switch as well!