How I Use the Yubikey NEO

I am always looking for ways to improve my online security. I had briefly looked into hardware security keys a few times but wasn’t sure I needed one. After receiving a discount from Github’s Student Developer Pack, I decided to buy a Yubikey NEO and see if I could integrate it into my workflow. It turned out that I really enjoyed the process of setting it up, and it improved various aspects of my security setup.

Before Yubikey

I use the command-line password manager pass. It encrypts passwords using gpg and integrates with git for history and syncing. Following this guide on key management, my gpg master key is stored offline, and an encryption subkey, protected by a strong passphrase, is copied onto both my desktop and laptop. On the rare occasion that I need to access a password on my phone, I use an app to ssh into my desktop, type out the complicated passphrase, and manually copy the output of pass. I also use Google Authenticator for 2-factor authentication (2fa) on a number of sites.

With Yubikey

I use three distinct functionalities of the Yubikey NEO.

U2F

I use the U2F protocol for the few sites that support it (e.g. Google and Github). This means that instead of using a dynamic code generated by Google Authenticator as the second factor during the login process, I simply plug in the Yubikey and tap the gold plate. It is super easy to set up.

Yubico Authenticator

For the rest of the sites that I used Google Authenticator for, I now use Yubico Authenticator with TOTP secrets stored in the NEO’s OATH applet. Every time I need a two-factor code, I tap the NEO on the back of my phone (NFC-enabled), and Yubico Authenticator pops up with a set of codes. This has the major advantage that I don’t need to reconfigure 2fa for every site every time I switch to a new phone. It’s also more secure not to store the secrets on a connected device.

PGP Smartcard

For my password manager, I now store a set of gpg subkeys in the NEO and use the Yubikey as an OpenPGP smartcard. This means that I don’t need to copy my encryption subkey onto multiple computers anymore; it always lives inside the Yubikey, which I always carry with me. In fact, the signing/encryption operations are performed by the Yubikey itself, so the secret keys are never even transferred into computer memory. I also found out that the Android OpenKeychain app supports NFC smartcards, and it works beautifully together with Password Store (an Android implementation of pass) so I can now have a local copy of my password manager on my phone and decrypt passwords when needed by tapping the NEO on the back. I like how this is both more secure and more convenient than my previous solution.