Yubico Forum


All times are UTC + 1 hour




Posted: Mon Jul 21, 2014 4:49 pm

Joined: Mon Jul 21, 2014 4:23 pm
Posts: 4
I'm kind of a noob, so forgive any tech illiteracy.

I currently use a Yubikey NEO with a Nexus device with Lastpass, and so far, it has been working wonderfully. I've also been switching all possible accounts to 2FA, in order to increase security. I had been using the Google Authenticator app in order to generate codes, but I see that there's a way to keep the secret keys on the Yubikey itself, as opposed to an app on my phone, which seems preferable. I also see a way to do this using a GUI, which is great, since my command line skills are fledgling at best.

I was discussing the applet with a far more tech literate friend of mine, and he said that there may be an issue, as far as the NFC on the phone is concerned. If I recall his argument correctly, he said that the OTP I use with Lastpass is the result of the default functionality that comes with the Yubikey, and the YubiOATH functionality is something that I'll have to enable; so far so good. The problem comes in when he said that, as far as he understood it, the YubiOATH functionality would be on the second profile slot of the Yubikey, and that it's possible that it would either have to be one profile enabled, or the other, but not both.

As I understood it, I would be able to use the NEO with the normal OTP with Lastpass as I've been using it so far, OR with the YubiOATH app to give me the 2FA functionality, but not both at the same time...I'd have to manually switch profiles for the Yubikey each time, as the NFC reader on the phone would have no real way to differentiate between the data being fed to it as necessary for one use or the other. To be fair, a lot of this was over my head, so I'm remembering it as best I can, and I may have made a mistake in recalling some of the finer points.

Is this correct? Or can I have that kind of simultaneous functionality with the Yubikey? Any light shed on this would be immensely helpful.


Last edited by RosanneBarrEsq on Wed Aug 06, 2014 10:46 pm, edited 1 time in total.


Posted: Tue Jul 22, 2014 7:32 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Dear RosanneBarrEsq,

If you have a Yubikey NEO you can use the Yubico Authenticator for your Android device.
https://play.google.com/store/apps/deta ... oath&hl=en

The desktop version is available here:
http://opensource.yubico.com/yubioath-d ... eases.html

Using this software, you do not have to reconfigure your Yubikey NEO; you will be able to have the Yubico OTP on slot 1 of the Yubikey and save your OATH secret (the same way you do with the Google Authenticator, just with improved security).

A standard Yubikey has 2 configuration slots (#1 and #2) and does not provide NFC.

A NEO has 2 configuration slots like the Yubikey, and you can only emit 1 of the two via NFC. However, the OATH functionality resides in the smartcard part of the NEO, where you have an applet named YubiOATH, and you will not need to choose between the 2 configuration slots of the Yubikey part of your NEO device.

_________________
-Tom
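
What the reply above describes, as an added sketch that is not part of the thread or Yubico's code: the OATH secret stays inside the applet on the NEO's smartcard side, and because the key has no clock, the host app passes the current time step in and gets only a truncated code back. `OathAppletModel`, `totp_challenge` and `host_totp` are hypothetical names, the applet is modelled in plain Python rather than over NFC, and the sample key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct


class OathAppletModel:
    """Simplified stand-in for the OATH applet in the NEO's smartcard part.

    Secrets can be stored and used, but no method hands them back out.
    """

    def __init__(self):
        self.__secrets = {}  # credential name -> raw key bytes

    def put(self, name, secret):
        self.__secrets[name] = bytes(secret)

    def calculate(self, name, challenge):
        # HMAC-SHA1 over the host-supplied challenge, followed by the
        # RFC 4226 dynamic truncation to a 31-bit integer.
        digest = hmac.new(self.__secrets[name], challenge, hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_challenge(unix_time, period=30):
    # The host encodes the RFC 6238 time step as an 8-byte big-endian counter.
    return struct.pack(">Q", int(unix_time) // period)


def host_totp(applet, name, unix_time, digits=6):
    # The host only ever receives the truncated value, never the secret.
    value = applet.calculate(name, totp_challenge(unix_time))
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    neo = OathAppletModel()
    # Constructed sample credential using the RFC 6238 SHA-1 test key.
    neo.put("example:alice", b"12345678901234567890")
    print(host_totp(neo, "example:alice", 59, digits=8))
```

Nothing in this path reads or writes configuration slot 1 or 2, which is why the Yubico OTP used with Lastpass keeps working alongside it.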


Posted: Thu Jul 24, 2014 5:27 pm

Joined: Mon Jul 21, 2014 4:23 pm
Posts: 4
OK, so I went ahead and installed the applet on my NEO and have been using it for the past few days. My biggest concern had been having to decide between using the OTP functionality of the Yubikey with Lastpass, or using the Yubico Authenticator for 2FA (because of my understanding (or misunderstanding) of how the NFC and the key interacted).

As I understand your response, my worry was largely irrelevant because the applet responsible for the TOTP is, in essence, living in the smartcard portion of the NEO, as opposed to one of the normal configuration slots? I ask because, even though it's working as I need it to work, I appreciate having at least a low level understanding of the technology I use (I'm not on the same level as some of the forum users here, but I refuse to be willfully tech illiterate, like many of my colleagues).

In any case, thank you very much for your response, which is very much appreciated. I have one other tangentially related question about the Yubico Authenticator (which wasn't mentioned in the product literature). Should I pose it to you in this thread (keeping it open), since it's only slightly related to my original query, or start something new? If it's the latter, I'll mark this as solved and open a new thread.

Keep up the good work!


Posted: Fri Jul 25, 2014 7:38 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Ask here, unless you think it is something that could be helpful to other users; then create a new thread.

_________________
-Tom


Posted: Tue Jul 29, 2014 4:49 pm

Joined: Mon Jul 21, 2014 4:23 pm
Posts: 4
Hi Tom:

My follow-up questions are in regards to the behavior of the Yubico Authenticator mobile app, which I've been using for the past couple of weeks (with great success, too).

I open up the app, which will ask me to swipe my NEO. I've set the option on the app to require a password before displaying the TOTP, so I'll input the password, at which point they will display. No problem there. However, there is a check box underneath the password field, toggling the option to remember the password; this check box defaults to wanting to remember the password, so I have to manually uncheck this option each time it is used.

The questions:

1) Is there any way to change the behavior of this box, e.g. not having it default to 'Remember Password'?

2) If I accidentally leave this option checked at one point, is there any way to undo it? I would have experimented on my own, but I didn't want to risk screwing anything up. I see that there's the option to change the device password, which may or may not accomplish this in a roundabout way, and the option to 'Clear stored passwords' in the 'About' section of the app. However, I'm not sure if this clears out that password, or all of the TOTP information from the NEO. Considering that you get prompted five times as confirmation to clear stored passwords, I assume that it'll just wipe everything, necessitating setting up again.

Thanks again!


Posted: Mon Aug 04, 2014 12:33 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
The default behavior is to have that checkbox checked. You can propose a change in the github.com/yubico repository and see what the community and the developer think about it.

Regarding changing the password, you simply input a blank password to remove it and you will not be prompted again. Then configure a new password and you will have the option to save or not again.

The clear stored password option will only clear the password stored on the device, not the secrets on the NEO; therefore you will not need to re-scan all the TOTP codes.

_________________
-Tom


Posted: Wed Aug 06, 2014 10:45 pm

Joined: Mon Jul 21, 2014 4:23 pm
Posts: 4
Thanks for the GitHub suggestion, Tom; I went ahead and did just that. Also, thanks for answering all my questions...there's so much that I don't know, but I'm trying. Keep up the good work! I'm marking this as solved.

