by cromantin 3220 days ago
I've been using a YubiKey as my 2nd-factor password source for years. It's great. I would have even thrown away the second factor if the YubiKey could have unlocked macOS FileVault.

What's a 2nd-factor password? Well, basically the YubiKey just stores a long text string, and another, shorter string is stored in my brain. When I log in I enter the short string, then press the YubiKey.

To steal my data you need not only to steal the YubiKey but also to get my part of the password from me.


If you just use the YubiKey to store passwords, though, then you're vulnerable to a replay attack (https://en.wikipedia.org/wiki/Replay_attack).
[-You would be correct if-] It seems you are correct when the protocol works as described in the parent comment.

[-But it so happens that the-] Of course in OTP mode, the YubiKey protocol protects against replay attacks by using a counter on the YubiKey. This (authenticated) counter value is included in the messages that are exchanged during the authentication - and hence any replays can be detected/ignored as the counter value will be less than or equal to the last received counter value.

Edit (deletions marked with [- -]): I had no idea people used modes other than OTP with their YubiKey...
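The difference discussed in this thread, as an added example that is not part of any comment: a static string verifies again when replayed, while a verifier that tracks an authenticated counter rejects any value less than or equal to the last one it accepted. The HMAC construction, key, class names and sample strings are constructed for illustration and do not reproduce the YubiKey's own OTP format.

```python
import hashlib
import hmac

# Constructed demo secret shared by token and verifier (not a real key).
KEY = b"constructed-demo-key"


def make_otp(key: bytes, counter: int) -> str:
    """Token side: emit the counter plus a MAC that authenticates it."""
    msg = counter.to_bytes(4, "big")
    return (msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]).hex()


class StaticVerifier:
    """Static-password mode: the same bytes are accepted every time."""

    def __init__(self, expected: bytes):
        self.expected = expected

    def verify(self, submitted: bytes) -> bool:
        return hmac.compare_digest(self.expected, submitted)


class CounterVerifier:
    """OTP-style mode: accept only authentic, strictly increasing counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # nothing accepted yet

    def verify(self, otp: str) -> bool:
        try:
            raw = bytes.fromhex(otp)
        except ValueError:
            return False  # not hex at all
        if len(raw) != 12:  # 4-byte counter + 8-byte truncated MAC
            return False
        msg, tag = raw[:4], raw[4:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # counter was forged or altered
        counter = int.from_bytes(msg, "big")
        if counter <= self.last_counter:
            return False  # replay: counter is not newer than the last accepted
        self.last_counter = counter  # update state only after all checks pass
        return True
```
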

Unfortunately parent is right. What you describe is using generated one-time passwords. But there is no way (to my knowledge) to incorporate a 2nd string into it.

Ex: right now - myPass<boop the yubikey><long password from yubikey followed by linefeed>

with OTP - myPass<boop><hashed and signed one-time password that knows nothing about myPass>

Wow, I had no idea YubiKey offered that mode of operation. I had assumed it was purely used as an OTP. Do you know of any documentation for it?
This was like 6 years ago :) If I remember correctly it was https://www.yubico.com/wp-content/uploads/2015/11/Yubico_Whi...

I had a blog post some time ago - https://varamashvili.blogspot.com/2012/09/using-yubikey-with...

I should note that currently I'm thinking of migrating to OTP and using the brain-string (the password that I remember) for FileVault and Mac login. I will try using OTP for sudo, maybe keychain, will try to add a gpg subkey there and see how it'll go.

Yes, I am. I would've used one-time passwords but there is no way to incorporate the brain-string into it.

I've used it way before there were good solutions for Mac. And my main concern was to unlock my machine.

I would've ditched it if only FileVault could be unlocked with it :(

I may ditch this in favor of one-time passwords anyway - support on Mac is pretty good now and FileVault will be secured with a 9-symbol string.