Yubico Forum

I recently bought a brand new up to date YubiKey Neo and I configured it using this guide.

https://christiaanconover.com/blog/yubikeyconfig

My slots are configured exactly how this guide suggests, Slot 1 - Yubico-Authenticated One Time Pass, Slot 2 - Static Pass. So far, it has seemed to checkout. When I use the OTP when prompted, I am successfully logged into the accounts that I have set it up for. However, I noticed that my YubiKey always prints out the same code in slot 1.

UPDATED: The YubiKey actually only changes the last 6 digits on the OTP. As far as I know, the first digits are used to identify the YubiKey, and the last 6 are the changing OTP.

I did have an issue with the Yubico Authenticator, which I used on the Samsung Galaxy Note 3 android phone. I am not sure if it is my configuration or an issue with my phone, but after I scan the QR code, I am prompted to swipe my YubiKey Neo to store, in which I get the message: Error in YubiKey commincation! Try again.

Here is a screenshot from my phone - http://imgur.com/uOqmr7N

After surfing forums for a while, I thought that maybe enabling CCID was the answer, so I tried using the Neo Manager (1.3.0) to enable it.

UPDATED: This works as long as you don't have "Configuration Protection" enabled. If you do have "Configuration Protection" enabled, see below for instructions on how to disable it, so you can enable CCID from YubiKey NEO Manager


I checked the box for CCID - http://imgur.com/m6sTUzs - and clicked OK, only to be given this error: http://imgur.com/kNVQsdY

Failed setting the mod. if you have an Access Code protecting either of the Yubikey slots, you will need to disable this before you can change the mode.

UPDATED: I spoke with a Yubikey representative who helped me with this error. If you enabled "Configuration Protection" when you set up your YubiKey You need to go to open the YubiKey Personalization Tool, go to the Settings tab on the top, click "Update Settings" on the bottom of the screen. From there, change the tab to "YubiKey(s) protected - Disable protection". and type in your password, then click "Update" to update the settings.

Just as a side note, for those using YubiKey Authenticator on Androids. While everything is working 100% on my YubiKey, I am still not able to use the "Tap your YubiKey NEO to store" function on the Yubikey Authenticator. Apparently, some Samsung phones are having some instability when it comes to using the NFC with YubiKey. I can, however, store the code from the desktop app, and retrieve them from my mobile. So the only limitation I am having currently is that after I scan a QR code I cannot store it via the NFC function on my mobile. Maybe one day this will be fixed though!




[EDIT] I was interested in purchasing a second YubiKey Neo to "backup" the vital information from my first YubiKey. My only concern is how much of an inconvenience/permanent information loss it would be if I completely lost my YubiKey. Can you recommend the best or most effective way to use a second YubiKey in conjunction with your original YubiKey Neo to most effectively keep a "backup". Can I format my 2nd YubiKey with the Personalization Tool with exactly the same credentials? Is there a common way people do this, as I am sure I am not the only one. Thanks again in advance for all the help!!

UPDATED In case anyone was wondering what Yubico recommended, this is the advice given to me by a Yubico representative who was ever so helpful in assisting me with some of my issues.

"Regarding configuring a backup NEO, it depends completely on the protocol that is used for each site's 2FA. Challenge-Response credentials and Static Passwords can obviously be duplicated on a second device (if you still have the settings initially used to program the credential), because these credential aren't counter-based. The same goes for OATH-TOTP (Google Authenticator) credentials. OATH-HOTP and Yubico OTP credentials are both counter-based, so they cannot be duplicated. If you consider sites that accept Yubico OTP credentials (LastPass is a great example), you can typically register several different credentials (in the case of LastPass Premium, you can register 5 different Yubico OTP credentials). Keep in mind with LastPass mobile, you will need to go in and edit your account settings with "Permit Offline Access" set to "Disallow", otherwise you can only use one of your YubiKeys to authenticate with the mobile app.

For the Yubico Authenticator credentials, you need to copy the secret during the initial setup process in order to duplicate on a second NEO (the secrets programmed into the NEO cannot be read from the device, they are stored on the secure element). For that reason, if you purchase a second NEO, I would go through and set up all sites that access Google Authenticator again, that way you can store the credential, then immediately remove and plug in the second NEO and add the credential again. Since these credentials aren't counter-based, you can have the same secret on multiple devices. You could also make note of the secret key during program and store a list someplace safe (in case something happens to your YubiKeys).

I wish I could say the process is simple, but since 2FA is dependent on what each individual site supports, you have to investigate for each site to determine the best way to implement. Even with 2FA set up on most accounts, there is usually a way to disable it in case you lose your 2FA device."