Yubico Forum

From some of the things I've read it seems a Yubikey could be configured as a 2 factor authentication (2FA) device for a GitHub account.

First, the GitHub general help for configuring 2FA is here. There are two basic ways to configure 2FA, SMS/text message or a TOTP app such as Google Authenticator or perhaps Yubikey. The page which seems more appropriate for setting up a Yubikey is the one which deals with TOTP.

On the Yubikey documentation side, I found the Yubico-TOTP-Setup.pdf file listed on this documentation page..

This PDF from Yubico seems to indicate one can copy secret keys (as text) from sites which display QR codes and enter them into a tool called the YubiTOTP application. This tool is a Windows executable and obviously can't be readily used on Mac OS X.

However, looking around the YubiKey Personalization Tool, there are some configuration screens which seem very very similar to those the PDF describes as existing in the YubiTOTP application. For example, things such as selecting an 6-digit or 8-digit OATH code, pasting the secret key displayed by the website into the appropriate field in the tool, and more. But it just doesn't work.

Most of the websites - GitHub too - display a secret key that isn't hex so attempting to paste the key into the YubiKey Personalization Tool doesn't work.

Is there perhaps another way to get this set up? Interestingly, the Yubikey documentation describes a very similar process for setting up 2FA with Google Apps / Gmail via QR codes. But you don't have to do this as Google simply asks you to press a button, plug in your Yubikey, then press the button on the Yubikey to generate a one-time password. Could not something similar be done on GitHub?

I'd love to set up GitHub with my Yubikey as a 2FA device but there doesn't appear to be a way to do this without the Windows app.

Use this:
https://developers.yubico.com/yubioath-desktop/

And Yubico Authenticator for Android devices.

Tom2, thank you for your reply. I downloaded Yubikey Desktop and installed it but could never key my Yubikey Edge working. I tried all the instructions on the website. This included installing the binary distribution, executing osx-patch-ccid on my Mac as well as creating the Mac .app file from source file. Nothing worked. Does the Authenticator tool even support the Edge or just the NEO?

The Edge doesn't have the YubiOATH applet like the NEO, so you'd need to program into Slot 2 on your Edge (this could also be done on the Edge-n, Standard, and Nano). It used to be that you'd use YubiTOTP to do this, but support was recently added in Yubico Authenticator to essentially replace the YubiTOTP app. To use the Edge/Edge-n/Standard/Nano in Yubico Authenticator, go to File > Settings and then under "YubiKey standard slots", mark the checkbox next to "Read from slot 1" or "Read from slot 2". We'll likely add more intelligence into the Yubico Authenticator in the future but for now, if you were to use Yubico Authenticator with both a NEO/NEO-n and a Standard/Edge/Edge-n/Nano, you'd need to change this setting back and forth.

Hope that makes sense.

Chris, thank you for the response, it was helpful. I'm now able to use Yubico Authenticator (v2.1.1) and have it prompt me to touch my Edge device to generate codes. But what I'm still trying to figure out is how to marry this with a website like GitHub. When you go through the setup process on GitHub they give you an alphanumeric sequence to copy and paste into your authentication app to use as the seed. Where do I put this? I thought it needed to be configured in Slot 2 using the Yubikey Personalization Tool. But how to do this isn't at all clear to me. I assumed the steps were to use the OATH-HOTP section of the tool to configure slot 2. But the only way to enter the secret key is to do so under advanced but even then the secret key field doesn't access non-hex values that GitHub produces.

If you could point me in the right direction I'd appreciate it. Also, can you confirm that even if I get this working with GitHub and slot 2 on my Edge, I'm then limited to OTP in slot 1, GitHub 2FA in slot 2? If I wanted to use Yubico Authenticator with multiple websites I'd need to buy a NEO or NEO-n?

Thanks!

I'm still stuck on this and wondering if anyone has ideas. The main thing I can't get past is how to take the two-factor secret generated by GitHub and use it as the basis for configuring the YubiKey with YubiKey Authenticator app on my Mac. See attached screenshot which shows the GitHub set up process. Since the YubiKey Authenticator app can't scan the QR code you show the two-factor secret as text and put it somewhere. It's the somewhere I can't figure out. I assumed it would go in one of the private/secret fields when setting up a slot in the Personalization Tool but it doesn't work.

I'm in a similar situation, wanting to use the edge for multiple TOTP codes, and got a response from support:

I was able to get my Yubikey Edge working with GitHub 2 factor auth yesterday. On github.com I went through the 2 factor setup and selected authentication app. When I got to the screen with the QR code I launched the Yubikey Authenticator app on Mac OS X Yosemite (10.10.x) and plugged in my Yubikey Edge. I then went to File -> Add. I actually had to click back and forth between the Yubikey Authenticator icon in the doc and any other app icon in order to get the Yubikey Authenticator menu to show in the menubar on OS X. Once this was done I could click File -> Add.

Then, I went back to github.com and copied the text version of the QR code secret key and pasted it into the Secret key (base32) field in the Yubikey Authenticator app. I selected the Slot 2 radio button, ticked the box for Require touch, ensured Number of digits was set to 6 and pressed Ok. This wrote the configuration to Slot 2 on my Yubikey Edge.

With the configuration in place I was then able to touch the Yubikey Edge button to generate a code, copy the code to my clipboard, and paste it on github.com completing the 2 factor set up process. After I did that I signed out of GitHub and walked through the sign-in process a few times to make sure everything was working. After entering a valid un/pw on GitHub the site asks for an authentication code. I simply switched to the Yubikey Authenticator app, pressed the device button to generate a code, and then used the clipboard icon in the app to copy the code. Switching back to the browser I pasted the code and was logged in.

One big downside to setting up auth on GitHub with a Yubikey is logging into the website on your mobile device. When you are out of the office or otherwise away from your computer you won't be able to log into the site without generating a backup SMS message or using a backup authentication code. I know there's a Yubikey Authenticator app for mobile but I haven't tested it yet and I believe it only works with the NEO / NEO-n. Ultimately, I switched my GitHub account back to Google Authenticator for 2 factor.

Just remeber that Google Authenticator keeps the secrets in the phone, thus are vulnerable to attack on the phone unlike when in the Yubikey.