Skip to content

Programming the Yubikey for Time based One Time Passwords.

ldrumm edited this page Mar 25, 2015 · 2 revisions

Pre-requisites

  • Check your service provider supports Time-based One-Time Passwords First of all, decide which service you want to use with 2-factor authentication, and check if the hostmasters support rfc6238. See also Wikipedia for a good overview of TOTP, including a list of major internet estates supporting this method of 2FA.

  • Check your Yubikey Model supports challenge response mode. See [This page] and check that your hardware reads "Yes (assisted)" for "OATH – TOTP (TIME)" in the comparison table.

  • Check you have a free slot The standard Yubikey has two slots available. Slot 1 is factory-preprogrammed to emit Yubikey's special OTPs, but slot 2 is un-populated. Either can be programmed, but you need to check you're not erasing an important slot.

  • Load your service provided secret key into your chosen Yubikey slot. The steps here vary from provider to provider. Typically, they look something like this:

Programming the device

  1. Find the 2FA section of your provider's account settings. This varies from one provider to the next.
  2. Follow the instructions for adding 2FA based on Time-based passwords (for gmail users, choose "Google Authenticator app", and the when presented with a barcode, select "Can't scan the barcode?" to reveal your secret key)
  3. In Yubikey-TOTP-Gui, select Edit ⇒ Program Yubikey for TOTP...
  4. Select your chosen slot.
  5. Select whether you require the button to be pressed on the device, or whether the machine can request a code at any time. (Button press required)
  6. Select Program, and then follow the confirmation instructions.
  7. Your service provider will likely require you to generate a new code from the device before enabling 2FA.
Clone this wiki locally