Options to prevent accidental Yubikey OTP triggering

README.md

Tired of spamming Yubikey one-time password (OTP) codes into Slack? Here are two options to help prevent that. You can do either or both. Both require ykman, the Yubikey CLI configuration manager. Get it with Homebrew:

brew install ykman

If you…

• …don't have Homebrew? Install it, then run the command above
• …don't feel comfortable running terminal commands? Skip to the bottom
• …aren't sure what the big deal is? See "What's the big deal with Yubikey codes?" below

Disable sending <Enter>

By default, Yubikeys send the <Enter> character after sending the modhex code. You may disable this behavior. First, confirm which slot you have programmed:

$ ykman otp info
YubiKey 4
Slot 1: programmed
Slot 2: empty

In this case, slot 1 is programmed. Configure the programmed slot not to send enter:

$ ykman otp settings --no-enter 1

Add an OTP triggering delay

Yubikeys have two OTP slots. The device uses the duration of the touch to determine which slot to use to emit a code: slot 1 requires about a half-second touch, and slot 2 requires about a two-second touch. By default, OTP is written to slot 1, meaning it's easy to trigger accidentally. You may swap the configurations in the slots, which usually means moving the configuration progammed in slot 1 to slot 2, leaving slot 1 empty:

$ ykman otp swap

This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.

Troubleshooting

On macOS Catalina (10.15) and above, user privacy controls may prevent ykman from functioning. If you see something like this:

Error: Failed connecting to YubiKey 4 [OTP+FIDO+CCID]. Make sure the application have the required permissions.

or this:

OSError: Failed to open device for communication: -536870174

you're likely running afoul of those protections. Add your terminal emulator (e.g. Terminal.app or iTerm.app) to the list of apps in Security & Privacy > Input Monitoring and try again.

If you're not comfortable running terminal commands

You can't disable the <Enter> keypress, but you can still add an OTP triggering delay as described above.

Download and install the YubiKey Manager tool. Then:

1. Plug in your YubiKey
2. Click "Applications," then "OTP"
3. Click "Swap" to swap the configuration from the short-touch slot, slot 1, to the long touch slot, slot 2

What's the big deal with Yubikey codes?

Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, they also represent a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!

A Yubikey OTP is a encryption-based OTP, similar to HOTP. Unlike SMS or email OTPs, which typically expire after a short period, Yubikey OTPs are valid until they, or a later generated code, are used for authentication. Until then, your authentication is vulnerable to a buffered replay attack, where someone uses your accidentally-sent code to log in as you, in combination with stolen credentials.

In short, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects.

References

• https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
• https://github.com/Yubico/yubikey-manager
• https://developers.yubico.com/OTP/OTPs_Explained.html

Also https://github.com/pallotron/yubiswitch

This might be useful to someone. I encountered "Failed writing to the Yubikey. Check if device has restricted access" and after stumbling around ykman, ykpersonalize and GUI I couldn't modify the slot config and kept getting the same error. I had originally used ykpersonalize to setup the yubikey, I rewrote the slot but this time using the flag "-oallow-update". Then I was able to use ykman to disable/enable "Enter". I found it more useful to have "Enter" configured, but toggle the device itself using the command "ykman config usb --<disable/enable> otp".

Thanks, @thegreyd!

This worked like a charm after spamming my colleagues with random modhex code. Thank you!

Thank you @thegreyd ! I wrote a little script so that I can just type yk in the command line to toggle it on/off. The yubikey itself has a little green LED, so I can look at that to check if it's on.

#!/bin/zsh

# put this script under /usr/local/bin/yk, or wherever your working path is

# prints out information about whether the yubikey is on/off
info=$(ykman info 2>/dev/null)

# Look for "Yubico OTP Enabled", then toggle the value
if grep -q "Yubico OTP\s*Enabled" <<< "$info"; then
   # use -f to forcefully change the setting without having to do an additional prompt
   ykman config usb -f -d otp > /dev/null 2>&1
   echo "\e[31mYubico OTP has been disabled.\e[0m\n"
else
   ykman config usb -f -e otp > /dev/null 2>&1
   echo "\e[32mYubico OTP has been enabled.\e[0m\n"
fi