We've got quite a few questions regarding the dual configuration feature introduced with Yubikey 2. Apparently, the quick introduction was not that self-explanatory
The background is the large number of users who want to use their Yubikey for multiple purposes, primarily an OTP based service and also for legacy login (long static password).
We therefore created the dual configuration feature, where each Yubikey 2 effectively acts as two Yubikey 1s. The two independent and identical configurations can be managed by two different “owners”, each configuration having its own configuration protection password.
There have been lengthy discussions how to best select which configuration that is to be used when the button is pressed. Everything (?) seems to have been up - multiple buttons, optional client software, double-tapping, Morse-like tapping…
We finally decided to go for the short and the long button press. This had the implication that we need to change the current behavior slightly. With the Yubikey 1 where only one configuration is available, holding the key for more than 0.5 seconds triggers the OTP release. In the case of a multi-use, the distinction between a short and a long press has to be done when the key is released. This means: hold – wait – release and the OTP is emitted. A short press is set to be 0.3 to 1.5 seconds. A long press is set to be 2.5 to 5 seconds. This means that holding and releasing after 2 seconds won’t trigger anything. We believed it was a good idea to have a “window” between the short and long time to foster the correct behavior.
We’ve got a few comments and it seems like our users likes it. We’re of course keen to get more feedback. If there is anything that should be changed, be made configurable or be made in an entirely different way, we’ll consider it.
For the people who are not interested in the dual usage, we decided to make the default behavior where only one configuration exists to be exactly like with Yubikey 1. Just hold and wait until the OTP appears. (A short press-wait-release will work as well). This means that no information is needed for users who are used to the Yubikey 1 and get a Yubikey 2 as a replacement.
The Press-wait-hold behavior is enabled when the second configuration is set. If only the second configuration is set, it will be triggered by a press-wait_long-release action.
Finally, we anticipated that some people who don’t care about a second configuration might be upset that there is suddenly a possibility open to change the behavior of the Yubikey by writing to the second configuration. If this is a concern, a new flag has been introduced that allows the “owner” of configuration #1 to prevent configuration #2 from being set or changed. Conversely, we’ve added a possibility for the “owner” of configuration #2 to prevent the “owner” of configuration #1 from blocking/locking its configuration by setting this bit. We believe this should make everyone happy.
In summary, we believe we’ve got a good functional enhancement without sacrificing usability or increasing production cost. There is however “hundred ways to skin a cat” and there may be things that we should improve or change as time goes by.
All feedback is highly appreciated.
The complete Yubikey 2 documentation is available at http://www.yubico.com/files/YubiKey_manual-2.0.pdf
With the best regards,
Hardware- and firmware guy @ Yubico