At my work, both security and usability are important. But in reality, those two often conflict. We follow new developments and insights around authentication mechanisms closely. Mechanisms such as two-factor authentication are becoming more mainstream and accepted by a broader public, but are still not very easy to use for… for example… my parents-in-law. Last week we decided to take a closer look at the yubikey to find out if this device simplifies the use of a secure authentication mechanism for our users.

First impression

The yubikey is delivered in a plain brown envelope, with the key itself in plastic shrink wrap. No manual, no box… nothing except a small device easily confused with a USB memory stick. It feels fragile, also when plugged into a USB slot. This is because the USB plug is not a full-size USB plug, but the lightweight compact version. I could not help thinking: ok… and now?

But opening up the browser and googling for “ok, I got my yubikey and now what?” helps and points you to your first steps with your yubikey.

First use case

!! warning… don’t use the official how-to, but the instructions found here.

So the first use case I could think of was to configure the yubikey to secure my OS X installation on my MacBook. I quickly found the overview page for OS X. The how-to, however, uses MacPorts. I uninstalled MacPorts ages ago in favour of Homebrew. But no problem… the needed yubikey binaries are also available on brew:

[merlijn@Erlkoenig:~]$ brew search yubikey


I followed all the other steps in the how-to, rebooted my system… and locked myself out! I tried everything… but there was no way of getting back into my user account.


Of course I had only one person to blame: myself. By installing the yubikey CLI tools with MacPorts, the .so library is installed where PAM expects it. With brew (and my brew is also “customised” by Boxen), PAM failed to find the needed .so library, with myself locked out of my system as a result.

The solution

Rebooting my MacBook in recovery mode, mounting my disk (FileVault protected) from Disk Utility, opening Terminal and removing the yubikey lines from /etc/pam.d/authorization restored my ability to log in again. The real solution, however, was to copy or symlink the .so to the place where PAM expects it:

sudo cp /usr/local/Cellar/pam_yubico/2.19/lib/security/* /usr/lib/pam/

In fact… the whole official “how-to” should be replaced by the instructions found here in this blog post.
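An added example, not from the original post: before rebooting with a changed PAM service file, check that every module it references can actually be found, so a module PAM cannot load does not lock you out. It assumes (as on OS X) that relative module names are resolved against /usr/lib/pam/, the directory the copy above writes to, and that the file uses the usual "type control module [args]" layout; the function name pam_check_modules and the sample lines used to exercise it are constructed.

```shell
# Added example (not from the original post): check a PAM service file for
# modules that PAM would fail to load, before rebooting with it in place.
# Assumption: relative module names are resolved against PAM_DIR, which on
# OS X is /usr/lib/pam (the directory the cp above writes to).
PAM_DIR="${PAM_DIR:-/usr/lib/pam}"

# pam_check_modules FILE [DIR]
# Prints one line per unresolvable module; returns 0 if all modules resolve,
# 1 otherwise. Only the simple "type control module [args]" layout is parsed;
# multi-word bracketed control fields such as "[success=1 default=ignore]"
# are not handled.
pam_check_modules() {
    file="$1"
    dir="${2:-$PAM_DIR}"
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"          # drop comments
        set -- $line                # split into fields (word splitting intended)
        [ $# -ge 3 ] || continue    # blank or incomplete line
        case "$1" in
            auth|account|password|session) ;;
            *) continue ;;          # not a module line
        esac
        module="$3"
        case "$module" in
            /*) path="$module" ;;          # absolute path is used as-is
            *)  path="$dir/$module" ;;     # relative name is looked up in DIR
        esac
        if [ ! -f "$path" ]; then
            printf 'cannot find %s (line: %s)\n' "$path" "$*"
            missing=1
        fi
    done < "$file"
    return "$missing"
}

# Typical use before rebooting: pam_check_modules /etc/pam.d/authorization
if [ $# -gt 0 ]; then
    pam_check_modules "$@"
fi
```

Run it against the service file you just edited; a non-zero exit with a "cannot find" line is exactly the situation that caused the lock-out above, and you still have a working session to fix it in.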

And slightly more complicated

So… authentication in OS X (for both logging in and unlocking the screensaver) now works. Quite nicely, to be honest. Passwords are only accepted when the yubikey is plugged in. Nothing more, nothing less.

I have been using PGP for a while now (and much more actively since a certain Mr. Snowden fled the USA and distributed some PowerPoints about security on the internet). So… there is the second use case: require my yubikey to be plugged in for signing and encrypting my emails.

Following the excellent instructions provided by Dennis de Greef, enabling CCID and moving my PGP subkeys to the yubikey was easily done. The user interface is a bit… clunky, but it works flawlessly.

U2F and Chrome

The next use case… two-factor authentication. I am now a heavy user of Google Authenticator on my iPhone, but just plugging in a yubikey and pressing the key… sounds promising. But… this workflow actually needs a particular kind of 2FA, called U2F.

  1. After successfully authenticating with a username and password, the user is prompted to present her U2F device to complete the login process.
  2. Next, the user inserts and presses a button on her U2F device, which sends a signed response back to the U2F Server.
  3. Once validated, the U2F Server passes this status back to the web application and the user is logged in.

Replace “U2F device” with “yubikey” and yay… world domination! Not. For now, U2F is only supported by the most recent builds of Chrome. I could force myself to use Chrome instead of Safari for the sake of yubikeys and U2F, but I doubt all of our users will.