Yubikey

The Yubikey 5C Nano is what is primarily used across my development environment. It serves these primary purposes:

1. Holds PGP keys for signing git commits and for working with pass
2. WebAuthn for various services
3. Provides 2FA for my SSH keys

OpenPGP

The Yubikey acts as a smart card that is compatible with OpenPGP standards. It can hold various PGP keys for signing, encrypting, and authenticating. The keys are held on the device itself, thus securing them away from prying eyes on the local system.

The keys on the Yubikey are not generated by the Yubikey itself, nor does the Yubikey actually contain the primary key. The primary key is stored securely offline in a double-encrypted USB drive and is used in an offline environment to generate subkeys which are then transffered to each of my Yubikeys. See the gpg section for more details.

WebAuthn

This field of technology can become quickly debilitating in the number of acronyms at play. Some years ago Yubikey and Google created Universal 2nd Factor (U2F) authentication based off of existing work done by the FIDO alliance. U2F contains it's own implementation of Client to Authenticator Protocol (CTAP) which supported token authentication through various schemes (i.e., NFC).

FIDO2 has been recently developed as a replacement of U2F and it builds on the existing capablities of CTAP. FIDO2 officially uses CTAP2. The goal of FIDO2 was to move beyond 2FA and start to implement passwordless authentication. The web API for interacting with this new standard is called WebAuthn. This new API provides a universal gateway into what have been otherwise segregated technologies and is backwards compatible with older standards (i.e. U2F/CTAP).

No additional setup is required to use a Yubikey with WebAuthn.

SSH

Newer version of OpenSSH have introduced support for using FIDO U2F as a second authenticator when using SSH keys. Older methods of using a Yubikey with SSH often relied on letting the gpg-agent handle SSH connections and then using the OpenPGP keys stored on the Yubikey itself. This was difficult to setup, manage, and maintain.

A new SSH key can be generated, backed by a Yubikey, with the following:

ssh-keygen -t ed25519-sk

The -sk is what was recently added and denotes this key is also encrypted with a hardware token. You'll be prompted to tap your Yubikey to retreive a token and will also be prompted to set an additional passphrase. It's highly recommended to add the additional passphrase and use ssh-agent to manage it.

A normal private/public key will be created on your local system. It's important to note that this process does not store the private key in the Yubikey itself. To maintain the idea of two factor authentication, it's necessary for the private key to be separate from the device actually generating the second factor authentication. The benefit added is that an attacker must steal both the local private key as well as somehow obtain the token from the Yubikey (as opposed to just stealing the physical key and gaining SSH access). Additionally, with the added passphrase, the attacker must know three distinct secrets.

Resources

• Documentation
• YubiKey Manager Documentation (ykman)
• GNuPG
• SSH Guide