Yubico Forum

Questions. My Yubikeys (4.3.3) are set up slot 1 with Amazon authentication (using the Yubico Authenticator) and slot 2 with my password safe protection. Everything works fine.

1. Can I still put OTP or a static password in either of the slots along with what’s there now without disturbing anything?
2. After having set everything up can I add password protection to the key configuration without disturbing what's there?

With a YubiKey 4 you shouldn't be storing OATH secrets in the slots, they should be stored in the OATH applet (if you didn't change any of the Yubico Authenticator preferences, they stored your Amazon OATH credential to the OATH applet, not to slot 1). Slot 1 is the Yubico OTP credential that is pre-programmed on all YubiKeys (44-character password beginning with "cccccc").

1) Do, definitely not in slot 2, you programmed the Challenge-Response credential. You can only have one credential per slot. To be clear, the 2 slots are what you can program using the YubiKey Personalization Tool. Slot 1? Maybe. If you want to overwrite the Yubico OTP credential that is pre-programmed there, or if you did in fact store your Amazon credential there, you don't want to try overwriting it with a static password.

2) Yes, you can set a configuration protection access code after the fact with the Personalization Tool. Set it under "Settings", then click "Update Settings", select the configuration slot, and click "Update." Make sure you write the access code down somewhere safe. You will not be able to make changes to that slot in the future if an access code is set and you forget it (there is no way to bypass this or "reset" the YubiKey).

Ok. I understand. I didn't overwrite the OTP credential as far as I know, just had slot 1 checked when the Authenticator set up Amazon. Thanks very much.

If you're adding a credential to the YubiKey with Yubico Authenticator and you get a slot 1 and/or slot 2 option, that means the option has been set to "read from slot 1" / "read from slot 2." If you selected slot 1 in this case, yes your Yubico OTP credential has been overwritten. The default setting is to not read from slot 1 or slot 2, so on a YubiKey 4 or YubiKey NEO when you add a credential, it's only adding to the OATH applet.

Pretty easy to tell if the slot 1 credential has been overwritten. Open a text editor and press the button on the 4/NEO. If you don't get a 44-character OTP, the credential is gone.

Chris, thanks. I still have the OTP since pressing the key gives me the long code.