So yesterday I got a couple of normal Yubikey OTP devices (plus one beta NFC version) from Yubico – in a surprisingly quick time!
I’m not going to get into a review of the Yubikey, other than saying it’s an awesome device – there are plenty you can read out there.
While the OTP universe is nice and sweet, allowing you to secure access to a number of services with your physical key, plus a number of second-factor inputs, I wanted one of the keys to function as a simple password entry device for Mac OS. In addition, it would be great if I could use the key to lock my Mac when I leave my workspace unattended, a security policy rarely followed in the real world.
I had been using a piece of software from Rohos (Rohos sucks ass; I’ve now installed TokenLock, $2.99 on the Mac App Store, and it works great) to lock my desktop, tied to a simple USB flash drive, but this meant that Rohos had to keep my password stored somewhere, and you cannot call up Rohos whenever you are asked for a password. The sole functionality Rohos provides in this case is password entry whenever an OS password request window comes up.
Enter the Yubikey
Interestingly, you can use Rohos in USB-key mode, by choosing the Yubikey as your USB device – after all, it has a serial number. Once you have chosen the USB device, simply enable “Lock desktop” from the list of actions upon USB removal. After you choose the Yubikey as your USB device in TokenLock’s preferences, when you need to leave your desktop, simply pull the Yubikey out, and it will be locked for you. Of course, you must enable the usual combination of “disable automatic login” and “require password” in OS X’s Security preferences.
For the login part to work, you need to program your Mac’s password into the Yubikey’s first or second slot. I chose the first as I wanted speed over keeping the original OTP configuration. If you want to keep Yubico’s OTP, write the static password to the second slot; you then need to tap the button on the key for 2-5 seconds.
When you arrive back at your workstation, insert the Yubikey, and tap the button – your password will be entered for you, and you’ll be logged in!