
Replacing your Mac OS login with a Yubikey

So yesterday I got a couple of normal Yubikey OTP devices (plus one beta NFC version) from Yubico – in a surprisingly quick time!

I’m not going to get into a review of the Yubikey, other than saying it’s an awesome device – there are plenty you can read out there.

While the OTP universe is nice and sweet, allowing you to secure access to a number of services with your physical key, plus a number of second-factor inputs, I wanted one of the keys to function as a simple password entry device for Mac OS. In addition, it would be great if I could use the key to lock my Mac when I leave my workspace unattended, a security policy rarely followed in the real world.

I had been using a piece of software from Rohos Rohos sucks ass, I’ve now installed TokenLock ($2.99 on the Mac App Store, and it works great) to lock my desktop, tied to a simple USB flash drive, but this meant that Rohos had to keep my password stored somewhere, and you cannot call up Rohos whenever you are asked for a password. The sole functionality Rohos provides in this case is password entry whenever an OS password request window comes up.

Enter the Yubikey

Interestingly, you can use Rohos in USB-key mode, by choosing the Yubikey as your USB device – after all, it has a serial number. Once you have chosen the USB device, simply enable “Lock desktop” from the list of actions upon USB removal. After you choose the Yubikey as your USB device in TokenLock’s preferences, when you need to leave your desktop, simply pull the Yubikey out, and it will be locked for you. Of course, you must enable the usual combination of “disable automatic login” and “require password” in OS X’s Security preferences.

For the login part to work, you need to program your Mac’s password into the Yubikey’s first or second slot. I chose the first as I wanted speed over keeping the original OTP configuration. If you want to keep Yubico’s OTP, write the static password to the second slot; you then need to tap the button on the key for 2-5 seconds.

When you arrive back at your workstation, insert the Yubikey, and tap the button – your password will be entered for you, and you’ll be logged in!
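
The lock-on-removal decision described above, as an added example (not code from this post or from TokenLock): it matches the key by USB vendor ID plus serial number and locks only on the inserted-to-removed transition. The JSON key names, the sample device trees and the serial are constructed assumptions; `system_profiler` and `pmset displaysleepnow` are the macOS tools it calls.

```python
import json
import subprocess
import time

YUBICO_VENDOR_ID = "0x1050"  # Yubico's USB vendor ID

# Constructed sample of `system_profiler SPUSBDataType -json` output (not a real capture).
# Key names (_items, vendor_id, serial_num) are assumed; compare with your own machine.
SAMPLE_INSERTED = json.dumps({"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "Example Hub", "vendor_id": "0x0000", "_items": [
        {"_name": "Yubikey", "vendor_id": "0x1050", "serial_num": "0001234567"}]},
    {"_name": "Flash Drive", "vendor_id": "0x0000", "serial_num": "AA11"}]}]})
SAMPLE_REMOVED = json.dumps({"SPUSBDataType": [{"_name": "USB31Bus", "_items": [
    {"_name": "Flash Drive", "vendor_id": "0x0000", "serial_num": "AA11"}]}]})

def walk(nodes):
    """Yield every device dict, descending through hubs via the nested _items lists."""
    for node in nodes:
        yield node
        yield from walk(node.get("_items", []))

def token_present(profiler_json, serial, vendor_id=YUBICO_VENDOR_ID):
    """True only if a device with both the expected vendor ID and serial is attached."""
    tree = json.loads(profiler_json).get("SPUSBDataType", [])
    return any(dev.get("vendor_id", "").lower().startswith(vendor_id)
               and dev.get("serial_num") == serial for dev in walk(tree))

def should_lock(was_present, is_present):
    """Lock on the present -> absent edge only, so a Mac booted without the key stays usable."""
    return was_present and not is_present

def watch(serial, interval=2.0):
    """Poll the USB tree and put the display to sleep when the token is pulled."""
    was_present = False
    while True:
        out = subprocess.run(["system_profiler", "SPUSBDataType", "-json"],
                             capture_output=True, text=True, check=True).stdout
        is_present = token_present(out, serial)
        if should_lock(was_present, is_present):
            # With "require password" set to immediately, display sleep locks the session.
            subprocess.run(["pmset", "displaysleepnow"], check=True)
        was_present = is_present
        time.sleep(interval)

if __name__ == "__main__":
    watch("0001234567")  # constructed serial; replace with your own key's
```

Matching on the serial as well as the vendor ID means a different Yubikey does not count as "your" key being present.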



6 Responses to “Replacing your Mac OS login with a Yubikey”

  1. Art Chris August 29, 2012 at 17:16 #

    Now I have not tried this but, why not skip the TokenLock and just use the second key slot in the Yubikey to inject the password?

    I am going to try this and see if I can make it work. The OTP is of value to me and I don’t want to lose the functionality.


    • Mike August 29, 2012 at 17:20 #

      The TokenLock is convenient as it locks the Mac just by pulling out the key. It has the same for Bluetooth, for example, but I’ve not found it as reliable – not TokenLock’s fault, but the usual unreliability of Bluetooth stacks.

      As for the OTP, you can program your own AES key into slot 2 and upload it to Yubico, so you can still have OTP functionality with a longer finger tap. All you lose is the original identity programmed by Yubico, which is not a big loss unless pre-tied to a service such as LastPass etc. I got the basic keys so no worries for me.

      • David June 18, 2013 at 19:06 #

        Version 2.3 or later YubiKeys can swap the configuration slots using the YubiKey Cross-Platform Personalization Tool – under the “Settings” section, there is a button labeled “Update Settings” which has an option to swap the first and second configurations. This lets you order the configurations however you want, without having to overwrite your original Yubico Configuration.

  2. chris gross May 4, 2014 at 21:21 #

    I like your idea, but I was wondering if you are now having trouble with TokenLock since you seem to have edited your post (or perhaps someone else has as a prank) to say: “I had been using a piece of software from Rohos sucks ass”…Please let me know if you are still using TokenLock with your Yubikeys.


    • Mike May 5, 2014 at 07:21 #

      Chris, my comment was that Rohos sucks ass, and last I looked, it still did. It was that bad. I’ve been using TokenLock with Yubico until Mavericks came out.

  3. Vincent August 11, 2014 at 01:22 #

    Mike, does this not work with Mavericks? – Ultimately what I’m looking for is two factor, so I’ll probably look into Yubico-Pam

    But as a quick – lock and walk, this sounded promising.
