Yubico Forum

Just curious, if it is press and release in less than 1.5 secs for one kind of code and hold for 2.5-5 secs for the other how can one tell if you have held down long enough to generate a second configuration OTP? What happens if you hold down for longer than 5 seconds?

The new YubiKey 2.0 provides an interesting feature. For the static password configuration, if the "Allow user to manually update using the button" option is selected from the new personalization utility, users can reprogram their YubiKeys on the fly if the YubiKey button is pressed for 6-8 secs. If this option is not selected, the YubiKey will just rapidly flash for a while and nothing will be emitted from the YubiKey. For more information about all the new features added in the YubiKey 2.0, please visit the following link:

http://www.yubico.com/developers/personalization/

How do you update with pressing 6 seconds?

First of all, the key needs to be configured for static mode (CFGFLAG_STATIC_TICKET flag set). Secondly, the new flag CFGFLAG_MAN_UPDATE needs to be set.

The keys that we send out does not have this feature enabled as they are all configured in OTP mode to work with the Yubico validation server.

You can easily try out this new function by downloading the new personalization tool and try with configuration #2, thereby keeping configuration #1 to still work with the Yubico validations service.

Again - this feature only works on Yubikey 2 !

1. Fire up the configuration tool
2. Select "Create a static Yubikey configuration"
3. Basic mode is okay to start with for testing. Check the box "Allow user to manually update"
4. Just go for next until you get to programming.
5. Select "Write to configuration 2"
6. Insert the key and press Run
7. When acknowledged, the key is ready to use.

A short press (0.3-1.5 seconds) yields the default (configuration 1) output.
A long press (2.5 - 5 seconds) yields the newly created static output (configuration 2).

Try the second a couple of times and you'll (hopefully) see that the output is all the same.

Now, press and hold the key for 8-15 seconds and release it. The LED shall now begin to flash slowly. Give it a short press and the update is committed and the new OTP is yielded.

A typical usage scenario could be:

1. Give user a Yubikey configured with the flags CFGFLAG_STATIC_TICKET and CFGFLAG_MAN_UPDATE set.
2. The password policy is cranked up with a minimum length
3. When the user is asked to change password next time, the normal username is entered
4. In the password field, the old password is entered
5. The user is asked to enter a new password. The new password poliicy now apply
6. The user types in the password and holds the Yubikey button for 10 seconds and releases. The newly created password is outputted
7. Enter the password again. Press 3 seconds and release. The new password is confirmed.

The reason why this function is created is to support legacy login without any need for any back-end functionality. It is ny no means perfect, but seems to fulfill quite a few user's need for enhanced security at a very low implementation cost.


With the best regards,

JakobE
Hardware- and firmware guy @ Yubico

So from this what I understand is;

When I press the key for 8 seconds it will change the static password and write itself with the new password.

How about if i want to setup a manual password lets say hellothisismyrandomunhackablepassword ?

Can we do that?

The new personalization utility provides an feature of programming the YubiKey 2.0 with keyboard scan code input for static password configuration. The scan code mode provides a mechanism to generate a string based on any arbitrary keyboard scan code.

Select the "Scan ccode mode" under the the "Create a static Yubikey configuration" and place the cursor in the "Scan code input" field and type the desired string. The keystrokes are converted to scan codes and YubiKey is programmed accordingly. When YubiKey button is pressed, the YubiKey will generated the string entered in the "Scan code input" field. This way we can program the YubiKey to emit the desired password.

Please note that this feature is available only for YubiKey 2 only, maximum 16 characters are allowed and this mode may create incompatibilities if different national keyboard layouts are used as the mapping varies between countries.

Can the static short password (16 characters) be reprogrammed using the 10 second button press? I cannot get this to work on my key even though I have clearly switched on the "manually update using the button" setting. I press the button for 3 seconds and get a 16 character static password. I then hold it for 10 seconds, release it and the ring flashes rapidly for 2-3 seconds. A brief press during the rapid flash does not change the static password.

If it makes any difference I have upper/lower case set as well as characters/numbers.

Thanks for bringing up this matter. It is a bug in the configuration tool that only shows up in truncated (short = 16 character) mode.

We'll post an updated version of the config tool soon.

Regards,

JakobE
Hardware- and firmware guy @ Yubico

Thanks Jakob

I presume that when the config tool has been updated, I will be able to program my key to allow the password to be regenerated with a 10 second press. Are you able to say when the config tool will be updated please?