How To Use Your YubiKey For TOTP Codes


Taylor Bell


Published on May 10, 2024


Add extra security to your 2FA codes by securing them on a physical hardware device

Image of a Yubikey

Source: Unsplash

YubiKeys are one of the best ways to secure your online life. Widely adopted by enterprise and consumers alike since their launch in the late nineties, these hardware tokens can help take two-factor authentication (2FA) away from your vulnerable mobile phone, while also offering the peace of mind that a physical key provides. But support for YubiKeys is not ubiquitous, and while many important apps and websites offer FIDO YubiKey support, not all do. Luckily, there’s another way to go about using them.

How to use your YubiKey for TOTP codes

TOTP secrets are normally delivered as a QR code that you scan

Image of a yubikey on a table.

Source: Unsplash

You might not realize you can use your YubiKey for TOTP codes, and I wouldn’t blame you. It’s easy to wonder how on earth you could get a QR code onto a YubiKey. The QR code you scan is really just an encoded shared secret. That secret is fed into an algorithm that generates a sequence of one-time codes, and the sequence is keyed to the current time, which is what lets an app like Authy or Google Authenticator roll over to a new code every 30 seconds. This scheme is known as OATH-TOTP.

Your YubiKey supports this, and all we need to do is extract that secret value and load it up onto your YubiKey for later use. You can then use your YubiKey to generate these tokens on request, and additionally require a physical hardware touch to prevent a compromised device from leaking your TOTP codes.
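To make that “encoded secret” concrete, here is an added example (my own code, not part of the original article and not Yubico’s) that parses the otpauth:// URI a TOTP QR code carries and computes codes the way RFC 6238 specifies. The URI below is constructed from the RFC’s published test seed; a real QR code would carry the issuer’s own secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of the otpauth://totp/... text a QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    # A manual-entry string is just this base32 secret on its own.
    secret = params["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that many issuers omit
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(entry, at=None):
    """RFC 6238: the counter is simply Unix time divided into `period`-second steps."""
    now = int(time.time()) if at is None else int(at)
    return hotp(entry["key"], now // entry["period"], entry["digits"], entry["algorithm"])


# Constructed URI using the RFC 6238 reference seed "12345678901234567890" (base32-encoded here).
RFC6238_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    entry = parse_otpauth(RFC6238_URI)
    print(entry["label"], totp(entry, 59))  # RFC 6238 table value for T=59: 94287082
    print(entry["label"], totp(entry))      # whatever is valid for the current 30-second step
```

Whoever holds that base32 secret can run exactly this computation, which is why loading it into a touch-protected YubiKey and then deleting the QR code matters.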

Unfortunately, not all YubiKeys support loading OATH-TOTP secrets, so you’ll need to check your key’s compatibility on Yubico’s website.

What websites support OATH-TOTP?

Most 2FA setups that don’t rely on email or text messages for a code use TOTP. They will ask you to download a bespoke app (like Facebook, Google Authenticator, or Microsoft Authenticator) or a generic TOTP app (like Authy) to scan a QR code. Some services also expose the data contained in the QR code directly, giving you a string of characters to paste into your app if you’re unable to scan the code, but others don’t.

Set up your YubiKey for TOTP codes

We’ll be doing this process on macOS today, but the process is largely similar on Windows. You’ll need a supported YubiKey and the Yubico Authenticator app. Note that there are also mobile versions for supported YubiKeys using Lightning or USB-C. This is a different app from the YubiKey Manager we’ve used before to set up logging into your desktop with your YubiKey.

Follow the steps below to set up TOTP codes on your YubiKey.

  1. Download Yubico Authenticator for your platform from Yubico’s website. You can also install it through the macOS or Windows app store, or your mobile app store.

  2. Once downloaded, open up Yubico Authenticator and connect your YubiKey.

  3. In the sidebar, select Accounts followed by Add account.
    Screenshot showing where to add an account to your Yubico Authenticator.

    Source: Yubico

  4. You’ll then be asked whether to scan a QR code or add a key manually. If you’re on a mobile device, you can scan a QR code. Alternatively, go ahead and paste your code in manually.

    Yubico Authenticator has a cool party trick here for macOS and Windows users. If your QR code is visible on your computer screen, you can press Scan QR Code and it will actually read it from your screen. Alternatively, you can save your code to a file (or screenshot it) and drag the image into the window. Both methods worked great for me on macOS.

  5. You’ll be asked to confirm some details. If entering a secret manually, you’ll be asked to provide an account issuer and account name. These labels are only for display and don’t affect the codes your key generates.

  6. We’d also suggest you tick Require touch at this point, for extra security. Once done, press Save.
    Screenshot highlighting the require-touch element of TOTP.

  7. Your account will now be visible on your list of accounts. Select your account and press Calculate to generate a new code.

  8. You’ll be asked to touch your YubiKey for authentication.

  9. A time-limited code will then appear. Enter it into the website or application to confirm the setup and finish registering your TOTP secret.

Your YubiKey does have a limit on how many accounts it can register. For example, the YubiKey 5 is limited to 32, so that might be something to keep in mind if you’re seeing a “No space available” error. You can additionally register up to 25 FIDO2 hardware passkeys.

Is storing your TOTP codes on your YubiKey more secure?

There’s a serious security benefit to storing your TOTP secrets on your YubiKey, particularly when you tick Require touch during setup. By requiring touch, your YubiKey protects your TOTP codes even on a compromised machine, whereas a conventional authenticator app running on that machine effectively gives up the second factor once the host is compromised. For example, if you were using Authy locally on your laptop and an attacker was able to compromise your machine, they could go on to compromise any two-factor protected account by stealing your password and using your local Authy to generate TOTP codes. This would be impossible with a YubiKey that requires touch, since the attacker has no way to produce a physical touch on the key.

This scenario might seem far-fetched, but if you’re a professional in certain high-risk industries, the dangers here can be very real. A similar compromise with an employee machine actually caused a LastPass breach last year.

Yubico Authenticator has great mobile support

One nice thing about having a YubiKey is that many have mobile support. If you have a Lightning or USB-C key (or even just a dongle), you can download Yubico Authenticator for your mobile device and store TOTP codes there. This is great for protecting your essential accounts, and there are plenty of YubiKey models which will sit well on a key ring, but does highlight some risks of using a YubiKey.


Yubico Authenticator is great – but save your backup codes!

Yubico Authenticator is great, and is a tangible improvement to security. It also lets you securely use your main device as a second factor, without worrying that a compromise could expose all of your TOTP secrets at once. There are some dangers to be aware of though. It’s essential that you save the backup and recovery codes for every account you register, because if you lose or break a YubiKey, there’s no way to recover the secrets stored on it. Similarly, it’s important to keep the device that is using your YubiKey well protected. Ensure that the computer running Yubico Authenticator has a strong password, and optionally set a password or passcode on your TOTP credentials for added security.

YubiKeys are a great addition to your security posture, and can be a relatively cheap investment that we’d suggest for everyone. Just ensure that you prepare for the worst and have backups of your TOTP codes and recovery codes in a safe, accessible location.
