Using YubiKeys for TOTP 2FA

I’m a big advocate for YubiKeys – I think they’re fantastic bits of hardware, but they’re also quite poorly understood and even people who do use them often don’t use the full set of features that these keys are capable of. I’m hoping to write a few posts about things you can do with YubiKeys, but the first one will be about using them to generate the 6 or 8 digit codes that you use for second factor authentication at an increasing number of websites and applications.

What is a YubiKey?

For those who don’t know, a YubiKey is a small hardware security token that looks at first glance like a USB memory stick. They can be used for a whole variety of security or cryptography focused tasks but are most commonly used as a second factor of authentication for applications or websites that support this.

The full list of their capabilities is pretty extensive, and I’m sure there are things they can do that I’ve not discovered yet, but some interesting ones are:

  • Generating TOTP 2FA codes, as I’ll discuss here.
  • Generating second factor codes with a tap of the gold disk on the key itself for applications using their proprietary Yubico OTP (One Time Password) algorithm. This is used by applications like LastPass.
  • Acting as a second factor for websites supporting the U2F/FIDO2 standard. This is a neat usage that I intend to write about more so I won’t focus on it too much here.
  • Generating and storing public/private key pairs which you can use for:
    • Encryption (such as encrypting emails with PGP)
    • Signing (such as signing Git commits to prove that you were indeed the author of them)
    • Authentication (using the keys generated to SSH into servers)
  • With the newest keys, using them for fully passwordless authentication – Microsoft accounts now support this on the latest version of Windows 10, and wider support for this cool new technology will hopefully be coming soon.

It’s also worth noting that the functionality you get with a key depends on the exact model you go for – if you’re not sure what you’re wanting to do with one and want to be able to do all of the above, the safest option is to opt for the YubiKey 5 NFC.

What is TOTP 2FA?

Whilst you might not know the technical name for it, you probably do know it in practice – if you’ve ever used an app like Google Authenticator, Duo, FortiToken or another vendor-branded app to generate a 6 or 8 digit code that changes every 30 seconds, then you’ve used TOTP.

TOTP stands for Time-based One Time Password and works exactly as it says on the tin: the code changes every 30 seconds (the default period) and you provide it in addition to your password. When you set it up originally, you either typed in a string of characters or, more likely, scanned a QR code, after which the app started producing numbers. The QR code is simply a visual encoding of an otpauth:// URI that carries that string of characters, the Base32-encoded secret key, together with the parameters the generator needs (hash algorithm, number of digits and period), so you can load it onto your device without mistyping it. Your code generator app and the website asking you for a code both hold this secret key, and both apply the same algorithm to it, specified in RFC 6238: the current Unix time is divided by the period to give a counter, the counter is run through HMAC (SHA-1 by default) keyed with the secret, and the result is truncated to 6 or 8 decimal digits. If you enter the code the website is expecting, or one from a step or two on either side of the current time to allow for clock skew between devices, the authentication succeeds.

This means that the secret, and the QR code that carries it, should be kept, well, secret. If I can scan it with my phone at the same time as you have it open to scan with yours, both of our devices will generate exactly the same codes from then on. The same property is what makes backups possible: you can keep an offline copy of the QR code or load it onto multiple devices.
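To make the algorithm above concrete, here is a from-scratch TOTP implementation, added here as an example (it is not code from the original post or from Yubico). It parses the otpauth:// URI an enrolment QR code decodes to, derives the counter from the clock, computes HOTP over it, and shows the server-side check with a clock-skew window. The URI layout and parameter names (secret, algorithm, digits, period) are the de facto convention that authenticator apps follow; the seeds are the RFC 6238 Appendix B reference values, so the outputs can be checked against the RFC, and the enrolment URI built in `__main__` is constructed for the demo.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), written out to show what an
authenticator app, or the OATH applet on a YubiKey, actually computes.
Added example; not from the original post or from Yubico."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# RFC 6238 Appendix B reference seeds (the ASCII strings "1234567890..."),
# Base32-encoded the way a secret appears inside an enrolment QR code.
SEED_SHA1 = base64.b32encode(b"1234567890" * 2).decode()              # 20 bytes
SEED_SHA256 = base64.b32encode(b"1234567890" * 3 + b"12").decode()    # 32 bytes
SEED_SHA512 = base64.b32encode(b"1234567890" * 6 + b"1234").decode()  # 64 bytes


def parse_otpauth(uri):
    """Pull the secret and generation parameters out of an otpauth://totp URI.
    Assumed layout: otpauth://totp/LABEL?secret=BASE32&issuer=..&algorithm=..&digits=..&period=.."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],                           # Base32, usually unpadded
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)       # keep leading zeros


def totp(secret_b32, now=None, digits=6, period=30, algorithm="SHA1"):
    """TOTP is HOTP with the counter taken from the clock: floor(T / period)."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now) // period, digits, algorithm)


def code_from_uri(uri, now=None):
    """What the authenticator does after scanning the QR code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], now, p["digits"], p["period"], p["algorithm"])


def verify(secret_b32, candidate, now=None, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server side: accept the current step or up to `window` steps either side,
    to absorb clock skew. Constant-time comparison, and every candidate step is
    checked so timing does not reveal which step (if any) matched."""
    if now is None:
        now = time.time()
    counter = int(now) // period
    ok = False
    for step in range(-window, window + 1):
        if counter + step < 0:                            # no negative counters
            continue
        expected = hotp(secret_b32, counter + step, digits, algorithm)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    # Constructed enrolment URI using the RFC seed; in practice this string is
    # what the QR code on a site's 2FA setup page decodes to.
    uri = ("otpauth://totp/ACME%20Co:alice@example.com?secret=" + SEED_SHA1
           + "&issuer=ACME%20Co&algorithm=SHA1&digits=8&period=30")
    print(parse_otpauth(uri)["label"])                         # ACME Co:alice@example.com
    print(code_from_uri(uri, now=59))                          # 94287082 (RFC 6238 vector)
    print(verify(SEED_SHA1, "94287082", now=89, digits=8))     # True: one step late, inside window
    print(verify(SEED_SHA1, "94287082", now=89, digits=8, window=0))  # False: no skew allowed
```

Two things worth noticing when running it: the 6-digit and 8-digit codes for the same secret and time differ only in how much of the truncated HMAC is kept, and any two copies of the secret (two phones, a YubiKey and its backup) produce identical output because the only inputs are the secret, the clock and the parameters from the URI.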

Why use a YubiKey for generating 2FA codes?

So as we’ve just discussed, keeping this secret key secure is important. Keeping the secret keys on a YubiKey is more secure than keeping them in an app like Google Authenticator: once a credential has been written to the key it cannot be read back out, only used to produce codes, so stealing the secrets means stealing the physical key rather than infecting a general-purpose device with malware. The enrolment QR code remains the weak point, so once it has been loaded onto the key (and onto any backup key) the screenshot or printout it came from should be destroyed.

Another good reason is convenience. If you’ve ever had to move a whole bunch of 2FA codes from one phone to another when you upgrade your device, you’ll know how much of a hassle it is. If your keys are all on a separate device, there’s no need for that! YubiKeys are also more robust than phones – they’ll survive a spin in the washing machine or even being driven over without the risk of losing your 2FA codes.

There is also an argument that this is riskier as you’re more likely to lose a YubiKey than your phone. This is fair, but the simplest way to get around this is to have 2 YubiKeys – one that you carry with you, and one which you keep safe at home. Since the QR codes can be used multiple times to set up multiple devices, you can keep your backup key as essentially a clone of your everyday one.

Yubico Authenticator

So assuming you now want to put these codes onto a YubiKey, how would you go about that? Yubico make an app for desktop (Windows, Mac and Linux) and Android called Yubico Authenticator, which you can download from developers.yubico.com.

[Screenshot: Yubico Authenticator adding a credential. Source: developers.yubico.com]

This is a simple little app that lets you “scan” QR codes that are visible on your screen, or manually enter the secret key as a string if you’d prefer. You can see above that it lets you configure the different options for code generation: the hash algorithm (SHA-1, SHA-256 or SHA-512), the number of digits (6 or 8), the period at which the code cycles, and whether the key must be touched before it will produce a code. This can get complex, but not to worry: when you scan a QR code, these settings are read from it along with the secret.

Once you’ve scanned a QR code with the app, it will generate the same 2FA codes for you to use as your phone once did. This process (both setup and subsequent use) requires that the YubiKey is inserted into your device because remember, the secret keys are stored on the YubiKey itself, and not on your PC or laptop.

This means that as long as you have your YubiKey and a device with the Yubico Authenticator app installed, you can access your codes whenever you need them. The Android app requires that you either plug the YubiKey into the phone (with a USB OTG cable) or, for the NEO or 5 NFC keys, tap it on the back of your NFC-enabled smartphone and immediately see all of the codes appear in the app.

Wrap Up

This is hopefully a useful intro to one of the lesser known capabilities of YubiKeys. The YubiKeys that support this (the 4 range, the NEO and the 5 range) can each store up to 32 separate OATH credentials (28 on the older NEO), which should be more than enough for most people. It’s important to note that the cheaper Security Key devices, which are blue, only implement U2F/FIDO2 and cannot do this, so don’t buy one of them unless you’re certain everything you’re wanting to use it for is supported.