Alchemists
Published June 1, 2021 Updated January 25, 2023
Universal 2nd Factor

Universal 2nd Factor (U2F) is an open security standard that simplifies and improves your personal security by requiring only a physical Universal Serial Bus (USB) key to authenticate with various services. Your USB key authenticates by answering a challenge from the service with a signature, a challenge-response built on public-key cryptography. If you have been using Two Factor Authentication (2FA), then U2F is an upgrade/evolution of that standard where you have physical hardware instead of dealing with the hassle of a constantly changing code stored in an app like 1Password.
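
To make that challenge-response concrete, here is an added example in Go (not code from this post or from Yubico): a stand-in authenticator that holds a P-256 key pair and a stand-in service that holds only the public key, with the signed bytes laid out as in the U2F authentication message (application parameter, user-presence byte, counter, challenge parameter). The origin and challenge values are constructed, and the browser client data a real key hashes into the challenge parameter is collapsed to a plain challenge here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct { // stands in for the USB key
	priv    *ecdsa.PrivateKey // per-service P-256 key pair; the private half never leaves the key
	counter uint32            // signature counter, incremented on every touch
}
type RelyingParty struct { // stands in for the service you log in to
	appID       string           // origin the key pair was registered for (constructed value in the usage)
	pub         *ecdsa.PublicKey // all the service ever stores about the key
	lastCounter uint32           // highest counter accepted so far
}
// Register creates the key pair for appID; the service receives only the public half.
func Register(appID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{appID: appID, pub: &priv.PublicKey}, nil
}

// digest hashes what a U2F key signs: SHA-256(appID) || user-presence byte || counter || SHA-256(challenge).
func digest(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	payload := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	d := sha256.Sum256(append(payload, chal[:]...))
	return d[:]
}

// Authenticate answers a challenge the way the key does on touch: bump the counter, then sign.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(appID, a.counter, challenge))
	return a.counter, sig, err
}

// Verify accepts a response only if the signature checks under the stored public key and the counter moved forward.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if !ecdsa.VerifyASN1(rp.pub, digest(rp.appID, counter, challenge), sig) || counter <= rp.lastCounter {
		return false // forged, replayed, or from a clone whose counter fell behind
	}
	rp.lastCounter = counter
	return true
}
```

Because the origin is hashed into the signed bytes, a response signed for one site does not verify at another, and because the counter must increase, the same response cannot be replayed.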

Depending on the type of U2F key you buy, you’ll also be able to use Near-Field Communication (NFC) to authenticate. NFC is handy with mobile devices, especially devices that might not have a USB-C port. When looking to buy a U2F key, I’d recommend picking USB-C with NFC support so you can hold your U2F key near your device to authenticate.

U2F, 2FA, WebAuthn, and much more are all part of the Fast ID Online (FIDO) standards. There is a lot to unravel in this space, but the purpose of this article is to focus on U2F in order to enhance your experience and improve your security.

Requirements

You’ll need the following to get started:

  • YubiKey 5C NFC - This is the hardware I’m using but any YubiKey should be fine.

  • YubiKey Manager CLI - Necessary to interface with and manage your YubiKey(s) from the command line. If using Homebrew, this manager can be installed via: brew install ykman.

I recommend purchasing two keys so you’ll have a primary and backup key. Having a backup key is important because if you lose your primary key, it becomes nearly impossible to get into the services associated with your keys.

💡 As a side note, there is also support for YubiKey Bio keys which use biometric data (i.e. fingerprint) to verify who you are. These biometric keys don’t support NFC at the moment so depending on your needs you might want the convenience of NFC for mobile access or forgo that entirely and use the bio keys.

Setup

There are several steps necessary for properly setting up your new keys, and you’ll want to repeat this process for both keys by configuring the Personal Identity Verification information on each. Additional documentation is provided by YubiKey.

Personal Identity Verification (PIV)

Getting started with the PIV is as simple as running:

ykman piv access

You should then see the following output:

Usage: ykman piv access [OPTIONS] COMMAND [ARGS]...

  Manage PIN, PUK, and Management Key.

Options:
  -h, --help  Show this message and exit.

Commands:
  change-management-key  Change the management key.
  change-pin             Change the PIN code.
  change-puk             Change the PUK code.
  set-retries            Set the number of PIN and PUK retry attempts.
  unblock-pin            Unblock the PIN (using PUK).

Feel free to explore and check out the documentation by using --help after any one of these commands.

Personal Identification Number (PIN)

The first thing you’ll want to do is change your PIN. Example:

ykman piv access change-pin --pin 123456 --new-pin <redacted>
New PIN set.

The default PIN is 123456. You can use a mix of alphanumeric and special characters for your new PIN, but the YubiKey documentation recommends sticking with digits only for compatibility with older systems. The maximum length is 8 characters. I’d recommend using the max length and storing the PIN in your password manager.

PIN Unblocking Key (PUK)

After setting your PIN, you’ll want to set your PUK by changing its default value of 12345678. The PUK lets you recover your PIN should you forget it or use up the maximum number of retries (default: 3).

ykman piv access change-puk --puk 12345678 --new-puk <redacted>
New PUK set.

As with your PIN, make sure to save your new PUK in your password manager too.

Management Key

Finally, you’ll want to set your management key.

ykman piv access change-management-key --protect --touch --management-key 010203040506070801020304050607080102030405060708 --pin <redacted>

As shown above, I’m changing the default value to a randomly generated key that is stored on my YubiKey, protected by my PIN, and requires a touch each time it is used. Alternatively, you can forgo PIN protection and supply a 32 byte value for your new key instead.

iOS

You can also register your YubiKeys on iOS 16.3.0 or higher by following these quick steps:

  1. Open Settings.

  2. Tap on your profile.

  3. Tap on Password & Security.

  4. Tap on Add Security Keys.

  5. Tap Continue and enter your iOS passcode.

  6. Follow the prompts to add your primary and secondary keys. Since my keys have NFC support, holding each up to the top of the phone was all I needed to recognize each one after the other.

That’s it. You can also confirm your keys are configured by logging into your Apple ID, but you’ll need to use Safari to do this (it didn’t work in Firefox for me, at least).

Services

Now that your YubiKeys are set up and secured, you’ll want to set them up for use with your favorite services. A list of supported services is available to browse; here’s a sample:

  • Amazon Web Services (AWS) - Log into your account, click on Security credentials, scroll down to the Multi-factor authentication (MFA) section, and click on Assign MFA device. From here you can add your primary and secondary keys.

  • Discourse - Once logged into your account, click on your profile, Preferences, Security, and Manage Two-Factor Authentication to add your U2F keys.

  • Fastmail - Log into your account, click on Settings, and Password & Security to add your new keys.

  • GitHub - Details.

  • Google - Once logged into your account, click on Security, 2-Step Verification, and add your U2F keys.

Updating existing services to use Universal 2nd Factor (U2F) is quick and easy. All of them let you label each of your keys as you register them. I opted to color code and register my keys as follows:

  • Primary (red)

  • Secondary (black)

Firmware

A YubiKey’s firmware can’t be upgraded, so you are stuck with whatever version was installed when you bought your keys. To find the version and general information, run ykman info; you’ll see something along the lines of the following:

Device type: YubiKey 5C NFC
Serial number: <redacted>
Firmware version: 5.2.7
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications  USB           NFC
FIDO2         Enabled       Enabled
OTP           Enabled       Enabled
FIDO U2F      Enabled       Enabled
OATH          Enabled       Enabled
YubiHSM Auth  Not available Not available
OpenPGP       Enabled       Enabled
PIV           Enabled       Enabled

Limitations

There are some limitations. One, as mentioned above, is upgrading the firmware on your device, which currently isn’t possible.

The other limitation is that your YubiKey can only hold up to 25 passkeys. Thankfully, Yubico is planning to raise this limit in the future, but that will require new hardware.

Accessories

Should you want to accessorize your U2F key, the following may or may not be of interest:

Resources

The following might be of interest for those wishing to spend some time manually configuring your machine to support U2F keys:

Conclusion

I’m enjoying both the increased security and reduced hassle of using 2FA. I do wish I could use my Apple Watch as my primary U2F key instead of carrying both my watch and YubiKey. Maybe at some point in the future, this will become a reality. For now, I’m happy to make it harder to gain access to any of my accounts and hope you make the switch as well!