Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Wed Apr 16, 2014 5:04 am 
Offline

Joined: Wed Apr 16, 2014 4:18 am
Posts: 1
Hello, I was very excited to get my Yubikey Neo. My plan was to use the Neo w/NFC to authenticate on my Android GS3 running KitKat courtesy of CyanogenMod. In theory it seemed like a perfect solution. A dream for securing Google Services Acct, especially in light of the Heartbleed vulnerability. This dream quickly turned into a nightmare. First of all, when your YubiKey arrives, it comes with actually zero documentation, leaving the enduser to scour the web site for the most relevant/recent setup instructions. And there are many, fragmented articles/guides for different pieces of the puzzle. It seems like a perfect example of a company so deep in the trees that it doesn't realize it can't describe what a forest is. But, I suppose most customers actually have a clear idea what purpose they are acquiring a YubiKey for. Just don't expect a clear, end to end piece of documentation. But, I've been in IT for a long time and have been both mired in the forest,, and admired it from outside. Analogies aside. I got the YubiKey Neo configured, which wasn't a simple task, especially since apparently the config corrupted immediately after configuring slot 2. Several hours of frustrating troubleshooting (FAQs were useless) led me to delete the entire config and start from scratch. Good, I got LastPass working pretty quickly, followed a found pdf on enabling 2FA on Google Services/Gmail. But, had a time figuring out where Oath fit in. I found it awkward trying to login to gmail. First you have to attempt it at a low level Android prompt, then get notified that it requires browser based authentication to complete, since 2FA is involved. Frustrating to have to login again thru the browser, but OK, I log in AGAIN, then get prompted for the code. Do, I swipe the key, but the code isn't input automatically. You have to switch to the OATH app, get the code, but, after switching back to the browsr, you can't paste it into the verification window. You have to actually type it out, so I switched back to OATH, remembered the code, switched back to the browser, it had timed out. So, I had to repeat the Android login, then get forced back to login to the browser. Then, toggle to OATH, swipe, remember the code, toggle back, input it before the timeout. Made It! OK, A pain in the ass, but, lets what happens on a fresh boot of the phone. HUGE MISTAKE! This is where the nightmare truly crystalized. I spent a good half hour or more trying to login first to the Android prompt, forced to the browser, but before I could even bliink, some other process needed authenticating forcing away from the browser login, try to switch back, get part way in, another process needed authenticating forcing its prompt to the forefront! This went into s deep, maddening cycle! I never seriously wished to destroy an expensive device I owned until that very moment. I resisted throwing my phone out the window, cancelling prompt after prompt, until eventually I could get all the way thru the double login and switching back and forth from the browser to OATH. Truly a nightmarish scenario. I wouldn't wish that on anyone. OK. So, my phone is up, but God forbid I should ever have to reboot it again. I'm curious as to what the well meaning developers at Yubikey intend to do to somehow streamline this process. Clearly 2FA is the way to go, but this is a tremendous obstacle to overcome in making it appear as simple as some of the marketing material would have us believe.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Apr 16, 2014 7:50 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello Dav,

We are sorry for the bad user experience you had, lets review together the steps for a correct replacement of the google authenticator.


1- Buy a NEO
2- Download the Yubico NEO manager from http://opensource.yubico.com/yubikey-ne ... eases.html
3- Set the Yubikey NEO in composite mode HID+CCID (reboot the NEO by unplugging/plugging in the usb again)
4- Download from the play store the Yubico Authenticator
5- Use the Yubico Authenticator to scan the QR code presented by your service provider (Gmail in your case)
6- Swipe the NEO and store the credentials on the NEO

Done,

On next login, after you input your username and password and you'll be asked for the TOTP credential:
1- Run the Yubico Authenticator
2- Swipe the NEO
3- Hold your finger on the copy icon next to each code available on your display
4- Paste the code in the right text area for the Gmail TOTP credential

If something is not clear please do not hesitate to write.
We apologize if we failed to communicate properly how the Yubico Authenticator replaces the Google one. We also have a Yubico Authenticator for Desktop

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 8:06 am 
Offline

Joined: Wed Apr 30, 2014 5:34 am
Posts: 9
Thank-you for posting these steps. Lots of differing methods on how to use NEO applets and app. Yubi Personaliser, NEO manager, CMD style steps. Hard to find concise up to date info for folks that are new to YubiKeys.

Having issues with the following step brand new NEO arrived today,

"3- Set the Yubikey NEO in composite mode HID+CCID (reboot the NEO by unplugging/plugging in the usb again)"

So I plug in NEO with NEO Manager running. The connection mode button shows [HID] I assume that means its in HID mode. So I select HID+CCID unplug at prompt to reboot. Plug back in and it still displays [HID] on the button and applets install buttons and installed applets tab it greyed out still.

Tried HID+CCID with touch eject same results. Am I doing it wrong.

YubiAuth android app says I need to install applet, another thread here stated its already installed on 3.1.2 firmware and later. But NEO manager shows the YubiOATH applet as not installed, current firmware is 3.2 according to NEO Manager. Confused lol :)


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 8:41 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Attachment:
Capture.PNG
Capture.PNG [ 13.61 KiB | Viewed 9287 times ]


Your NEO manager screen must look like this - except firmware version which should report 2.0

Download Yubico Authenticator from the playstore

scan a barcorde with the Yubico Authenticator use this test barcode ( https://camo.githubusercontent.com/3162 ... 4b33505850 )

Follow the instruction on screen and tap the NEO over your NFC reader area on you phone.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:15 am 
Offline

Joined: Wed Apr 30, 2014 5:34 am
Posts: 9
Thank-you for the prompt reply, late here lol

I think I am pretty clear on what to do but I can't seem to get [HID+CCID with touch eject] connection mode to stick every time I change the setting and unplug/replug NEO at prompt it falls back to [HID] and all applets and installed tab remain greyed out.

Here is screen grab of my NEO Manager attached, also only see two of the applet options on my end compared to your screenshot.

I get "error in yubikey communication" scanning test sample QR code you provided in YubiOATH app, I would assume cause I'm stuck in HID for whatever reason.

Attachment:
File comment: click ok here to change connection mode
NEO Manager connection setting.jpg
NEO Manager connection setting.jpg [ 70.29 KiB | Viewed 9286 times ]


Attachment:
File comment: remove NEO at this prompt
NEO Manager remove now.jpg
NEO Manager remove now.jpg [ 52.54 KiB | Viewed 9285 times ]


Attachment:
File comment: then I plug in NEO and back to how I started
NEO Manger stuck on HID.jpg
NEO Manger stuck on HID.jpg [ 37.99 KiB | Viewed 9286 times ]


Had a few more pics and steps but attachment limit three :)


Last edited by EvilAaron on Wed Apr 30, 2014 9:18 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:17 am 
Offline

Joined: Wed Apr 30, 2014 5:34 am
Posts: 9
screen grab of YubiOATH applet page in NEO Manager,


Attachments:
File comment: YubiOATH applet tab
NEO Manager YubiOATH.jpg
NEO Manager YubiOATH.jpg [ 38.08 KiB | Viewed 9286 times ]
Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:20 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Could you please try the following:

Run the NEO manager as administrator
Try on another computer / different USB port.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:26 am 
Offline

Joined: Wed Apr 30, 2014 5:34 am
Posts: 9
Administrator mode with same AND different USB port = same results :/ Just booting another box here to try on that will post back.


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:42 am 
Offline

Joined: Wed Apr 30, 2014 5:34 am
Posts: 9
Well installed with administrative mode on other PC. Tried running with and without administrative mode and on 2 different USB ports (each on different USB controller on MoBo) just to be sure.

That said both computers run Win7 64bit. I have a few more PC's I can try tomorrow but all same OS.

Am able to set up second slot with static pass with "Yubi Personalization Tool" (GUI version) and the OTP in slot one works great just can't change connection mode.

Is this a bug in the new GUI tool or is something wrong with my key?


Last edited by EvilAaron on Wed Apr 30, 2014 5:32 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 30, 2014 9:56 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Download from here the personalization tool:

http://opensource.yubico.com/yubikey-pe ... eases.html

According to 64 or 32 bits

Open a command prompt as administrator and navigate to the folder BIN/

type:

ykpersonalize.exe -m82

press Y

unplug and plug the Yubikey NEO again. Check with the NEO manager the status should be HID+CCID touch eject.

_________________
-Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 8 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group