Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:04 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Tue Jul 14, 2015 7:32 pm 
Offline

Joined: Sat Jul 11, 2015 3:11 pm
Posts: 8
From some of the things I've read it seems a Yubikey could be configured as a 2 factor authentication (2FA) device for a GitHub account.

First, the GitHub general help for configuring 2FA is here. There are two basic ways to configure 2FA, SMS/text message or a TOTP app such as Google Authenticator or perhaps Yubikey. The page which seems more appropriate for setting up a Yubikey is the one which deals with TOTP.

On the Yubikey documentation side, I found the Yubico-TOTP-Setup.pdf file listed on this documentation page..

This PDF from Yubico seems to indicate one can copy secret keys (as text) from sites which display QR codes and enter them into a tool called the YubiTOTP application. This tool is a Windows executable and obviously can't be readily used on Mac OS X.

However, looking around the YubiKey Personalization Tool, there are some configuration screens which seem very very similar to those the PDF describes as existing in the YubiTOTP application. For example, things such as selecting an 6-digit or 8-digit OATH code, pasting the secret key displayed by the website into the appropriate field in the tool, and more. But it just doesn't work.

Most of the websites - GitHub too - display a secret key that isn't hex so attempting to paste the key into the YubiKey Personalization Tool doesn't work.

Is there perhaps another way to get this set up? Interestingly, the Yubikey documentation describes a very similar process for setting up 2FA with Google Apps / Gmail via QR codes. But you don't have to do this as Google simply asks you to press a button, plug in your Yubikey, then press the button on the Yubikey to generate a one-time password. Could not something similar be done on GitHub?

I'd love to set up GitHub with my Yubikey as a 2FA device but there doesn't appear to be a way to do this without the Windows app.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jul 16, 2015 10:20 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Use this:
https://developers.yubico.com/yubioath-desktop/

And Yubico Authenticator for Android devices.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jul 17, 2015 7:00 pm 
Offline

Joined: Sat Jul 11, 2015 3:11 pm
Posts: 8
Tom2, thank you for your reply. I downloaded Yubikey Desktop and installed it but could never key my Yubikey Edge working. I tried all the instructions on the website. This included installing the binary distribution, executing osx-patch-ccid on my Mac as well as creating the Mac .app file from source file. Nothing worked. Does the Authenticator tool even support the Edge or just the NEO?


Top
 Profile  
Reply with quote  
PostPosted: Sat Jul 18, 2015 6:21 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
The Edge doesn't have the YubiOATH applet like the NEO, so you'd need to program into Slot 2 on your Edge (this could also be done on the Edge-n, Standard, and Nano). It used to be that you'd use YubiTOTP to do this, but support was recently added in Yubico Authenticator to essentially replace the YubiTOTP app. To use the Edge/Edge-n/Standard/Nano in Yubico Authenticator, go to File > Settings and then under "YubiKey standard slots", mark the checkbox next to "Read from slot 1" or "Read from slot 2". We'll likely add more intelligence into the Yubico Authenticator in the future but for now, if you were to use Yubico Authenticator with both a NEO/NEO-n and a Standard/Edge/Edge-n/Nano, you'd need to change this setting back and forth.

Hope that makes sense.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jul 18, 2015 3:39 pm 
Offline

Joined: Sat Jul 11, 2015 3:11 pm
Posts: 8
Chris, thank you for the response, it was helpful. I'm now able to use Yubico Authenticator (v2.1.1) and have it prompt me to touch my Edge device to generate codes. But what I'm still trying to figure out is how to marry this with a website like GitHub. When you go through the setup process on GitHub they give you an alphanumeric sequence to copy and paste into your authentication app to use as the seed. Where do I put this? I thought it needed to be configured in Slot 2 using the Yubikey Personalization Tool. But how to do this isn't at all clear to me. I assumed the steps were to use the OATH-HOTP section of the tool to configure slot 2. But the only way to enter the secret key is to do so under advanced but even then the secret key field doesn't access non-hex values that GitHub produces.

If you could point me in the right direction I'd appreciate it. Also, can you confirm that even if I get this working with GitHub and slot 2 on my Edge, I'm then limited to OTP in slot 1, GitHub 2FA in slot 2? If I wanted to use Yubico Authenticator with multiple websites I'd need to buy a NEO or NEO-n?

Thanks!


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 22, 2015 5:07 pm 
Offline

Joined: Sat Jul 11, 2015 3:11 pm
Posts: 8
I'm still stuck on this and wondering if anyone has ideas. The main thing I can't get past is how to take the two-factor secret generated by GitHub and use it as the basis for configuring the YubiKey with YubiKey Authenticator app on my Mac. See attached screenshot which shows the GitHub set up process. Since the YubiKey Authenticator app can't scan the QR code you show the two-factor secret as text and put it somewhere. It's the somewhere I can't figure out. I assumed it would go in one of the private/secret fields when setting up a slot in the Personalization Tool but it doesn't work.


Attachments:
github-2fa.png
github-2fa.png [ 96.99 KiB | Viewed 7455 times ]
Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 29, 2015 6:55 am 
Offline

Joined: Wed Jul 29, 2015 6:52 am
Posts: 1
I'm in a similar situation, wanting to use the edge for multiple TOTP codes, and got a response from support:

Quote:
You need a NEO or a NEO-n to store multiple TOTP codes (using the YubiOATH applet). With the Standard, Nano, Edge, and Edge-n, only one credential can be stored per configuration slot (for a maximum of two on each of these devices).
The Yubico Authenticator application is looking for NEO or NEO-n. If you wish to program a TOTP credential to an Edge, you need to open the application, go to File > Settings, and under "YubiKey standard slots", click "read from slot 1" and/or "read from slot 2".


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 29, 2015 4:09 pm 
Offline

Joined: Sat Jul 11, 2015 3:11 pm
Posts: 8
I was able to get my Yubikey Edge working with GitHub 2 factor auth yesterday. On github.com I went through the 2 factor setup and selected authentication app. When I got to the screen with the QR code I launched the Yubikey Authenticator app on Mac OS X Yosemite (10.10.x) and plugged in my Yubikey Edge. I then went to File -> Add. I actually had to click back and forth between the Yubikey Authenticator icon in the doc and any other app icon in order to get the Yubikey Authenticator menu to show in the menubar on OS X. Once this was done I could click File -> Add.

Then, I went back to github.com and copied the text version of the QR code secret key and pasted it into the Secret key (base32) field in the Yubikey Authenticator app. I selected the Slot 2 radio button, ticked the box for Require touch, ensured Number of digits was set to 6 and pressed Ok. This wrote the configuration to Slot 2 on my Yubikey Edge.

With the configuration in place I was then able to touch the Yubikey Edge button to generate a code, copy the code to my clipboard, and paste it on github.com completing the 2 factor set up process. After I did that I signed out of GitHub and walked through the sign-in process a few times to make sure everything was working. After entering a valid un/pw on GitHub the site asks for an authentication code. I simply switched to the Yubikey Authenticator app, pressed the device button to generate a code, and then used the clipboard icon in the app to copy the code. Switching back to the browser I pasted the code and was logged in.

One big downside to setting up auth on GitHub with a Yubikey is logging into the website on your mobile device. When you are out of the office or otherwise away from your computer you won't be able to log into the site without generating a backup SMS message or using a backup authentication code. I know there's a Yubikey Authenticator app for mobile but I haven't tested it yet and I believe it only works with the NEO / NEO-n. Ultimately, I switched my GitHub account back to Google Authenticator for 2 factor.


Attachments:
yubikey-authenticator.png
yubikey-authenticator.png [ 55.77 KiB | Viewed 7372 times ]
Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 27, 2015 3:45 pm 
Offline

Joined: Wed May 09, 2012 9:35 pm
Posts: 45
Just remeber that Google Authenticator keeps the secrets in the phone, thus are vulnerable to attack on the phone unlike when in the Yubikey.


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 07, 2015 10:40 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
https://github.com/blog/2071-github-sup ... entication


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group