Episode 90 – One Topic Yubikey

Description
It’s all Yubikey all the time as Peter and Scott perform live technical exercises for your listening displeasure!
Transcript

Scott: Friends with Brews.

Scott: Peter with bruises on your hands.

Scott: We haven’t seen you for-

Peter: It’s not me.

Scott: I haven’t seen you for two or three days.

Peter: You’re my hands.

Peter: I have great hands.

Peter: There’s nothing wrong with my hands.

Scott: Did you say great?

Scott: Like bruised?

Scott: Grade?

Scott: You said I have great hands.

Scott: You said a D.

Scott: Peter, what are you drinking today in this episode of Friends with Brews starring Peter Nikolaidis and Scott Wilsey?

Peter: Well, glad you asked, and I’m going to tell you right now.

Scott: Okay.

Scott: You don’t have to get so mad about telling me about it right now.

Peter: I am drinking a Sam Adams Just the Haze IPA.

Peter: So for the first time today on this podcast, I am drinking a Sam Adams Just the Haze IPA.

Scott: Sounds good.

Scott: Well, it just gives the fact that you probably gave it a thumbs up.

Scott: It probably you gave it a thumbs up.

Peter: Did indeed.

Scott: Peter, actually, let’s talk about the rating scale in just a minute.

Scott: But first, I want to tell you about my coffee, and I have to bring up photos because I took a picture of it, because I’ll be damned if I know what this thing is called.

Scott: Toastado?

Peter: Toastado?

Scott: Toastado coffee?

Scott: Or is it Oostado coffee?

Scott: Toastado coffee roasters.

Scott: Here we are.

Scott: Specialties Coffees from Mexico.

Scott: And I am drinking the Arandas.

Scott: Okay, that’s cool.

Scott: Show me the beans, buddy.

Scott: That could get you in trouble depending on where you say it.

Scott: Show me the beans.

Scott: Arandas, medium dark Oaxaca.

Scott: This is made in Oaxaca, Mexico.

Scott: This is really cool.

Scott: It is a, it says with smooth caramel and subtle almond finish.

Scott: It is as cozy as it sounds.

Scott: I will tell you something.

Scott: This coffee does not lie.

Scott: This is a good coffee.

Scott: It says medium dark roast, almond and caramel on it, on the bag.

Scott: And it does not lie.

Scott: When you open it, the smell is sensational.

Scott: These are some of the best smelling beans I’ve ever stuck my nose into.

Scott: And, you know, as John Chidjie would say, on the nose.

Scott: On the nose, it’s beautiful.

Scott: It is…

Scott: Okay, maybe, it may be, and I stress the word may, but I also stress the word be.

Scott: It may be some of the best coffee I’ve ever had.

Scott: It is beautiful when brewed with the AeroPress method.

Scott: It’s just a good coffee.

Scott: It keeps me wanting to go back.

Scott: So, I will say that it may, and I emphasize the word may, be, and I emphasize the word be, also equally, the best coffee that I’ve had, in at least a long, long, long, long, long, long, long, long, long, long, long, long, long, long, long, long, long time.

Scott: Wow.

Peter: That’s such a long time.

Scott: It’s a little expensive for how much you get, not going to lie, but it comes from Oaxaca, Mexico, and it comes with a little, here, I’ll give you the link and you can go look for yourself.

Scott: But it looks like a little bookmark of some kind.

Scott: If you pull it out, it’s a string with a little decoration on the end.

Scott: It’s the kind of thing that a cat would like to play with, but I can’t because the last time our cat played with something, the last time Mekon played with something he shouldn’t, he had to go to the emergency vet.

Scott: I put the link to it in messages, and you can see from the picture what I’m talking about.

Scott: They give you one of those little fuzzy things along with the…

Scott: I don’t know, it’s on the bag of the coffee, it’s so cool.

Peter: A fuzzy thing.

Scott: Yep.

Scott: Okay.

Scott: So that’s our coffee and our beer.

Peter: We should start our own coffee brewers or beer company and supply a little laser pointer with it.

Scott: Oh.

Scott: So to entertain presidents of the United States, no doubt.

Scott: I’m sure it’s what you were thinking.

Peter: Well, if it was a gold laser pointer, yeah.

Scott: That’s true, yeah.

Scott: Yeah.

Scott: You know what?

Scott: I don’t think he’s dead.

Scott: I think he’s just enjoying his gold toilet so much that he doesn’t want to…

Scott: I mean, come on.

Scott: If I had a gold toilet, do you think I would get up and come to the computer and talk to people?

Scott: No.

Peter: I mean, I think you would have your people bring the computer to the toilet.

Peter: I mean, you’d be sitting there like on the phone, tweeting.

Scott: I think the whole toilet…

Peter: True thing.

Scott: No, the whole toilet would be a computer.

Scott: Everything’s computer.

Peter: Everything is computer, including the toilet.

Scott: Including the toilet.

Scott: Okay, Peter, do we have topics today?

Scott: I know that you had topics today.

Scott: I don’t know what they are, but I know that they are.

Peter: We have one topics today, and that topics is the YubiKey.

Scott: Why, Peter?

Scott: Why do you care about the YubiKey?

Peter: Why?

Peter: Because security, Scott.

Peter: Because security.

Scott: Okay.

Scott: I hear you.

Scott: I hear you saying the word security.

Scott: Tell me about this YubiKey adventure.

Scott: What’s setting you down this rabbit hole or this Yubi hole?

Peter: Well, to be clear, I have had a YubiKey for several years now, when I got one for free from Wired Magazine.

Scott: Oh, that’s true.

Scott: You did.

Scott: And I got the same one.

Scott: We should tell people what a YubiKey is.

Peter: Yeah, a YubiKey is just a hardware token.

Peter: It’s a hardware security key.

Peter: And I haven’t actually dug into exactly how these things work.

Peter: So I figured the best way to figure that out was just, you know, get one or five and try them out.

Peter: So I did.

Peter: And because I’m a generous guy, I gave you one of those five.

Peter: So, you know.

Scott: You are a generous guy.

Peter: One for you, four for me.

Scott: You’re very begrudgingly generous.

Scott: No, actually, seriously, thank you.

Scott: It’s pretty cool.

Scott: And I will say that YubiKey have come a long way.

Scott: Like, obviously, they’ve just updated the technologies with them.

Scott: Like, this one has USB-C, it has NFC, has all the C’s.

Peter: It has C’s.

Peter: Yes, it has.

Scott: I call mine UBC.

Peter: UBC, indeed.

Peter: UBC, YubiKey.

Peter: So we have a couple of different YubiKeys here.

Peter: And I, you know, the first, the concern I had was setting it up as a second factor would be like, OK, does that mean like every time I use my phone or every time I go to log in to something on my laptop, I need to have this thing here?

Peter: Because that’s going to be, you know, I mean, my laptop, that’s not such a big deal because frankly, I would probably just leave the YubiKey near my laptop, which kind of defeats the purpose, right?

Peter: Because it’s kind of like saying I’ll keep, you know, I need to have a smart hotel key or, you know, whatever, a key to my hotel room, but I just tape the key right to the door outside, right?

Peter: Also similar to like if you email an encrypted file to somebody and include the password in the email, same idea, right?

Peter: That’s not a good thing.

Scott: Wait, are you telling me not to do that anymore?

Peter: I am telling you not to do that anymore.

Scott: Okay, got it.

Peter: Not just you, I’m telling you, dear listener, also not to do that anymore.

Scott: Just don’t do that.

Peter: Don’t do that.

Peter: Just don’t do that.

Peter: You.

Peter: So yeah, that’s the YubiKey.

Peter: It’s a hardware token security key.

Peter: And I don’t really know a lot about how exactly it works.

Peter: So I figured we should find it out.

Peter: So the first thing I did was add it as a second factor for my 1Password.

Peter: And, you know, so it’s so now I need to it’s got to be something I know and something I have.

Peter: And periodically, like if I was to sign in on a new device into 1Password, it would have me double check who I am, confirm either by putting the backup code, which 1Password will give you in like a PDF file, or they will have you use your camera, scan, you know, this QR code just to verify who you are doing like the passkey method.

Peter: But now when it wants that, it’s like here, tap your security key or plug your security into this device.

Peter: And not wanting to get locked out, I did make a note of the backup code that they provide you because 1Password will give you a backup code.

Peter: So in case you lose your security keys, you have a backup.

Peter: But I also registered all three of my YubiKeys.

Peter: So that means that I, or an attacker, in possession of any one of my YubiKeys can use that as the second factor to get into my 1Password.

Scott: Okay.

Scott: Just a quick question, because it’s directly related to what you just said.

Scott: When I added my YubiKey to 1Password, it said we strongly, strongly recommend that you add an OTP as well.

Scott: And so obviously the OTP doesn’t want to be in 1Password because it’s useless to me if it’s in there.

Peter: Right.

Scott: And so I used Microsoft Authenticator, which I already have, for M365 purposes, and I created a token or OTP on that.

Scott: And so now mine actually literally came up and said, give us the OTP or give us the YubiKey.

Scott: And it sounds like you did not create the OTP for it.

Peter: I did not.

Scott: Okay.

Peter: I added a second YubiKey.

Scott: See, that’s a much better way, I think.

Peter: It depends.

Scott: Well, not necessarily, because you might not want to be like a janitor at this local grade school with your jingling pants and kids running away.

Scott: Yeah, exactly.

Peter: Right, but the point is, you’re not going to keep your two YubiKeys together, right?

Peter: So you don’t…

Scott: That’s the point.

Scott: That’s what I’m saying.

Scott: If you need that backup and it’s very inconveniently located.

Peter: Yes, that is a problem, right?

Scott: You’ve been known to travel between two towns in your state, let alone the fact that you’ve been known to travel internationally.

Peter: And two states in my country.

Scott: True.

Peter: That’s even though they border one another.

Peter: You said two towns within my state.

Scott: Right.

Scott: They’re not the same state.

Scott: Well, it’s the East Coast.

Scott: It’s all one big state, Peter.

Scott: Come on.

Scott: You belong to New York.

Scott: Just admit it.

Peter: A lot of people think that Vermont is in upstate New York.

Peter: So if I go into my 1Password, and I go to my settings, and then I go to manage two-factor authentication, I now see my three YubiKeys there.

Peter: But I can set up an authenticator app as well.

Scott: That’s what I did because when I added my YubiKey, and I did not, surprisingly, I didn’t have 2FA enabled on my 1Password account, which surprised me to discover.

Scott: When I added my YubiKey, it said, look, dude, you really got to add an authenticator app too.

Scott: So that’s why I did it, is because it suggested that I did so.

Peter: Well, I’m going to add a one-time password to my authenticator.

Scott: Which app are you going to use, Peter?

Peter: Well, I’m actually going to use a couple of them.

Peter: Ah, because there’s no reason not to.

Peter: So when you do your setup, you can…

Peter: Well, okay, there’s no good reason for me not to right now, I should say.

Peter: Yeah.

Peter: So I am adding those to…

Peter: I am going to keep one in my 1Password.

Scott: Sure.

Peter: Because that way, if I have a different device…

Scott: Yep, exactly.

Scott: Yes, yes, yes.

Peter: I’m also going to…

Scott: Brilliant.

Scott: That’s a good point.

Scott: I think I will do that.

Peter: Yeah, there’s no harm in keeping it in 1Password.

Peter: There’s literally no harm in keeping it in 1Password, right?

Peter: Because if you’re locked out of 1Password, then you can’t get them.

Scott: Just don’t use it as your only…

Peter: As your only factor, right.

Peter: But I’m also going to throw it into Duo and Authy while I’m at it because of my backup.

Scott: Duo is a brilliant idea.

Scott: That’s better than Microsoft Authenticator.

Peter: Oh, Microsoft Authenticator is a last resort, dude.

Peter: I never use that thing.

Peter: It’s horrible.

Scott: Right.

Scott: But here’s why I didn’t think of Duo is because the only context in which I’ve used Duo is for securing WordPress logins.

Scott: And it doesn’t rely on an OTP.

Scott: It does something else.

Scott: And so I didn’t even think about Duo in the context of an OTP.

Scott: But the reason I like Duo is it’ll just pop up on your Apple watch and say, is that you?

Scott: And you’ll go, it is me.

Scott: And then you’re in.

Scott: So I’m going to add Duo as well.

Scott: Good job.

Scott: Brilliant.

Peter: Yep.

Peter: So here I am now on my computer.

Peter: You can’t see this, but on my computer, I have a one-time password and I can just copy and paste that right into my screen in my browser.

Peter: So now I have an authenticator app and three YubiKeys as my backups.

Peter: Now my plan was…

Scott: You’re an impressive man.

Peter: Yeah.

Peter: So I’m going to probably take one of my YubiKeys and keep it in my passport wallet.

Peter: I’m going to keep one on a keychain because I do have to…

Peter: Well, I don’t have to, but I am taking a single key to my house with me on my next trip, and it will have a YubiKey on the end of that as well.

Peter: And then the third key, the Nano, I may just…

Peter: I don’t know.

Peter: I’m not sure what I’ll do with that one just yet.

Peter: Honestly, I will probably leave it plugged into the USB-C port of one of my devices, possibly one of the devices like my iOS devices or my iPad.

Peter: I’m not sure yet.

Peter: But I’ll leave it there with that device powered off.

Peter: So I would still…

Peter: I don’t think…

Peter: Because yeah, it’s not going to let me log in.

Peter: I can’t authenticate to my iPhone as that.

Peter: I can only authenticate to one password, right?

Peter: I think that’s how that works.

Scott: It is how it works.

Scott: Yes.

Scott: I haven’t looked…

Scott: I actually haven’t looked into that question.

Scott: Can I log into my iPhone with this key?

Scott: And I think the answer is no.

Scott: It can be used to log in to your Mac, as you know.

Scott: And I know that you just haven’t set that up yet.

Peter: Exactly.

Peter: I have not set that up yet, and I want to.

Scott: I have set that up.

Peter: Well, then maybe we should go through that.

Scott: Okay.

Scott: All right.

Scott: Let’s see.

Scott: Let me bring up my trusty…

Scott: I think this is the link that I used.

Scott: Basically, it’s a fairly simple process.

Scott: You do have to download the Yubico Authenticator app.

Peter: That was my question.

Peter: So I haven’t set that up because I didn’t yet want to download any extra software if I didn’t have to.

Scott: I didn’t either, but it’s actually fine.

Scott: Because what that lets you do is, the other nice thing about that is it lets you do things like change the pin.

Scott: There’s three different kinds of pins on this thing, on the YubiKey, or three different codes.

Scott: I don’t know if they’re all considered pins, but there’s the pin that you can use to log in with.

Scott: There’s, what else is there?

Scott: Instructions for Mac, no.

Scott: Okay, so basically when you download the Yubico Authenticator app, it wants you to put your YubiKey in the Mac.

Scott: The Mac does not have NFC, so we have to plug it into the USB-C.

Scott: And then there are three things that you want to change.

Scott: There’s a pin, there’s a PUK, which is a pin unblocking key.

Scott: And this is if you are trying to use your pin to log in to something, and you enter it incorrectly three times, you will get locked out.

Scott: That pin will no longer work.

Scott: So even if they keep brute force trying, that came out weird, even if they keep trying to brute force your pin, at that point even the correct pin won’t work anymore.

Scott: You want to change that.

Scott: Then there’s a management key, which is about 4,000 feet long.

Scott: It’s one of those scenarios where they say, if this amount of data was stretched out, it could go past the moon.

Scott: It’s one of those things.

Peter: Oh, one of those things.

Scott: The management key is used to perform admin function on, such as generating keys and importing certificates.

Scott: And usually that’s for an IT department to use.

Scott: Most people probably aren’t going to encounter that use case.

Scott: But anyway, so first thing you do is you change those.

Scott: And there’s a good support article on Yubico that walks you through that.

Scott: And I’ll, if I can find the notes app, I’ll put a link to that now for me to put in the notes later.

Peter: I see that the Yubico Authenticator has a whopping 2.6 star rating in the App Store.

Scott: Yeah, but it’s not that…

Scott: Well, here’s why.

Scott: Apparently, the Windows version does more things.

Scott: I don’t know what those more things are, and I don’t care.

Scott: And I’m not going to downgrade it, because it doesn’t do things that I don’t know about.

Scott: If I knew about them, and I found them to be incredibly compelling, and I was outraged that once again the Mac gets shafted, then maybe I’d go give it 2.6 stars, but I’m not going to do that.

Scott: Right.

Peter: You know what I’ve really been curious to see is how its features compare to the Linux version.

Scott: Good point.

Scott: Okay, so then you go to the…

Scott: Now you’re ready to prepare your YubiKey for macOS account login.

Scott: So in the YubiKey, Yubico, God.

Peter: Authenticator.

Scott: App.

Scott: You click certificates, and then you select 9A authentication.

Peter: 9A authentication.

Peter: I’m going to do this with you as you…

Scott: Okay, but I posted a URL in the notes.

Scott: I suggest that you also click on that link.

Scott: It’s support.yubico.com.

Scott: YubiKey for macOS login is in that URL.

Scott: And then scroll down about two-thirds of the way, where it says, preparing your YubiKey for macOS account login.

Peter: Preparing.

Peter: What are you preparing?

Peter: Why are you always preparing?

Peter: Just go.

Scott: Why are you always preparing?

Scott: Just go.

Scott: Okay, so once you have 9A…

Scott: Okay, first, I should let you get through the first few steps.

Scott: You need to change your pins and your PUK and your management key.

Peter: Okay, so I’ve started…

Peter: I’ve got, use your security key as a second factor for your 1Password account.

Peter: That was a link that you sent me.

Peter: That one I’ve already done.

Scott: No, look in the notes app, notes app.

Peter: Notes app, going there now.

Peter: There it is.

Scott: On to our show notes.

Peter: YubiKey for macOS login.

Peter: Yes, I was actually on this web page earlier, and I was like, oh my goodness, this is huge.

Peter: Eyes glazed over, did not happen.

Scott: That’s what I said.

Scott: That’s what I said.

Scott: That’s why I was complaining to you.

Scott: But once you start, it’s really not that bad.

Scott: Okay, so you’re…

Peter: Also, quick aside too, before we go too farther.

Peter: I have not yet set up my macOS login using the YubiKey, but I did also set up two-factor authentication for my iCloud account with my YubiKey.

Scott: Okay, now, that I haven’t done.

Scott: That would be fascinating.

Peter: Yeah, so all three of my YubiKeys are two-factor, second factors for iCloud as well right now.

Scott: I thought I was your second factor for your iCloud account.

Peter: Your second factor in case I ever lose those second factors.

Peter: So you’re a second, second factor.

Scott: Okay, but Peter, it said when I accepted that role, it said that Peter will come to you personally or call you by voice.

Scott: First of all, I don’t trust the voice because I’ve generated a fake Peter myself.

Scott: So if you want me to help you restore your account, you have to come to me in person.

Scott: Wonderful.

Scott: Peter’s so glad he has friends.

Scott: Am I though?

Scott: Okay.

Scott: So now you’re near the top of this thing.

Scott: You can go back up to under personalizing the YubiKey PIV application.

Scott: You’re going to follow the instructions for.

Scott: The first thing you’re going to do is you’re going to open the Yubico Authenticator app, and you’re going to click certificates over on the left hand side.

Scott: I’m assuming that you have your YubiKey plugged into your Mac.

Peter: I do have one of them plugged into my Mac.

Scott: Okay, fine.

Peter: And I just touched it, and it just spewed its key into the application that I had open.

Scott: Okay.

Scott: So now you want to click on change pin at the top of the three options under manage.

Peter: Wow, that’s a little interesting.

Scott: I saw that.

Peter: I had to share that.

Scott: Yeah.

Peter: Okay, so I click authentication, change pin.

Peter: Three attempts remaining.

Scott: Yep.

Peter: All right.

Peter: So the default pin is the super secure 123456.

Scott: Yeah.

Scott: And I will say that when I changed my pins and my PUK and my management key, I put them all in a 1Password entry.

Peter: Yep.

Peter: I’m doing that right now.

Peter: I’m just looking and trying to see which is the most appropriate.

Scott: I just used login and ignored the username, and I put the pin as the password, and then I added new fields called PUK and management.

Peter: So here’s a question.

Peter: What’s the difference between adding a type of login in 1Password?

Scott: Type of password.

Peter: Versus a type of password.

Peter: That was exactly my question, though.

Scott: Well, login automatically comes up with fields for URLs and so on and so forth.

Scott: And if you’re on a web page, when you do that, I think it adds the URL in there by itself.

Peter: Yeah.

Peter: I was just trying to see if this would be more like an API key or an SSH key, but I guess password is…

Peter: I’m going to use password.

Peter: So I’m going to call this my YubiKey.

Peter: Or I’m going to say Yubico Authenticator or authentic carrot as I just typed it.

Scott: Okay.

Scott: That’s good.

Scott: But remember, you’re not changing the pin for the authenticator app.

Scott: You’re changing it for the specific YubiKey.

Peter: Ah, thank you for clarifying.

Peter: Now, I could throw all of these into a single entry and just say UBC, Yubico Nano, Yubico 5Ci, Yubico NFC, and just leave those, set those all.

Scott: So I’m going to put that there.

Peter: Super Max Pro Plus, right?

Scott: All right.

Peter: So I’m going to put in a password value, and I’m going to call this one the 5Ci pin.

Scott: Pin, yes.

Peter: Except this is not the 5Ci that I’m doing, so I’m going to add another one, another password.

Peter: I’m going to call this 5C Nano pin.

Scott: Okay.

Peter: All right.

Peter: And now I’m going to create a new password, and it must be at least six characters long.

Scott: That is correct.

Peter: And this can be alphanumeric, or does it have to be numeric?

Scott: I made it numeric.

Scott: And so here on the website, they say use a six to eight digit number for your pin.

Peter: So numeric.

Peter: Numeric.

Scott: And it says macOS does not accept non-numeric characters.

Peter: There we go.

Peter: That answers it.

Scott: That’s why.

Scott: That’s why I think there’s a discrepancy between the text saying six characters long and the instructions for macOS on the website specifically saying don’t use anything with numbers for that.

Scott: Okay.

Peter: Got it.

Peter: All right.

Peter: I am punching in my…

Scott: Confirm the pin.

Peter: I am confirming the pin.

Peter: The pin has been confirmed for my 5C Nano.

Scott: That’s beautiful.

Scott: Now you want to use the second option down under.

Scott: Instead of change pin, you want to select to change PUK, and it should also say three attempts remaining warning default PUK used.

Peter: Okay.

Peter: So I did change pin.

Scott: Yeah.

Scott: Now you want to change PUK.

Peter: Now I go to change PUK.

Peter: Got it.

Peter: And the current PUK, the default PUK is one, two, three, four, five, six, seven, eight.

Scott: Ooh, that’s very much stronger.

Scott: So you want to use a six to eight digit number for your new PUK and note it for future reference.

Scott: I would not make it the same as the pin that you just…

Peter: Well, the this one’s going to be eight.

Peter: Well, this, yeah, this one, I’m going to just follow their example and make this one eight characters long as well.

Peter: Now, the question is this…

Scott: Yeah, make it eight characters long as well, but this is also digits.

Peter: Right, but this pin on lock code, again, is this tied to the…

Peter: This is tied to the specific YubiKey.

Scott: Everything we’re doing right now is tied to a specific YubiKey.

Scott: If you take your YubiKey out, all of these things go away.

Scott: You won’t even be able to do this.

Peter: So this will be the 5C Nano PUK.

Scott: Yep, yep.

Peter: And it’s gonna be 8 characters long following their lead.

Scott: And preferably not the same 8 digits.

Scott: Make it digits.

Scott: And preferably not the same…

Peter: Well, the previous one was only 6, so this is not gonna be the same.

Scott: Oh, see, I used the full 8 for both.

Peter: I followed their example.

Scott: I don’t follow their example, Peter.

Scott: Yep.

Peter: Okay.

Scott: Now you wanna change the management key.

Peter: I’m gonna click on management key, and the default is way too long, but it’s alternating 01, 02, 03, 04, blah-blah-dee-blah-dee-blah-dee-blah.

Scott: Yeah, so here’s what I did, Peter.

Scott: I clicked, see right by the new management key, there’s a little refresh icon?

Scott: Click that, and it’ll generate a random one for you.

Peter: You let them make it for you.

Peter: Nice.

Scott: You let them make it for you.

Scott: You copy it, and you put it in one P word.

Peter: All right, I am recording it.

Scott: By the way, the one S word people have specifically said that they will stop sponsoring is if I continue to call it one P word.

Peter: Okay, now…

Scott: And then I reminded them that they’re not sponsoring us.

Scott: Nobody is.

Scott: And they said, oh, and then they haven’t talked to me since.

Peter: So the default key management algorithm is triple DES?

Scott: Mine was AES192.

Scott: I don’t remember.

Scott: I don’t have a key in my Mac right now, and I don’t want to go get it, so I don’t remember.

Peter: The default is TDES, and it asked me if I want to protect it with a pin or not.

Scott: I did protect it with a pin.

Scott: The pin is the pin that you entered at the very beginning.

Peter: Got it.

Peter: I’m going to go AES256 because why wouldn’t I?

Scott: Yeah, do that.

Scott: And I think that was my default.

Scott: I think mine was AES256.

Peter: Mine was definitely TDES.

Scott: Okay.

Scott: And then I did also choose protect with pin, which is good because that means when you try to use the management key, it will also ask you for the pin.

Peter: Okay.

Peter: Here’s the thing.

Peter: That management key is no good because the triple DES one that I created was only 48 characters long.

Peter: And to be an AES256, it has to be 64 characters long.

Peter: So I need to generate a new one.

Peter: So I click the refresh one and it automatically expanded to 64 characters and save.

Peter: Now it requires the pin.

Peter: Boy, I hope I have this pin right.

Scott: Don’t forget to copy that new key to your 1Password.

Peter: Already did.

Peter: I have saved it, and I entered the pin, and it successfully unlocked it.

Scott: Beautiful.

Peter: But now I’m just trying to save.

Peter: Well, I’ve chosen the management key.

Peter: I say save.

Peter: It says you require the pin.

Peter: I paste the pin in.

Scott: Did you hit enter, Peter?

Peter: It says six of eight.

Peter: This is the PIV pin.

Scott: You apparently used eight characters, not six.

Peter: No.

Peter: I did eight on the second one.

Peter: I did second one and I saved it.

Peter: Okay.

Peter: So hopefully that’s done.

Peter: Pin can be used instead at this point.

Peter: So it looks like I’ve done it correctly.

Scott: All right.

Scott: Now we finally get to the part, Peter.

Scott: And this is the exciting part.

Scott: This is the part you’ve all been waiting for, all of you Peters out there, including the one who’s doing this right now.

Scott: We are now going to prepare the YubiKey for macOS account login.

Scott: So now you have your app open, you have your key highlighted, you have certificates highlighted, you have 9A authentication.

Scott: At the top of the certificate options, there’s four options, at least that’s what I have.

Scott: You have 9A authentication, so click on that.

Peter: Okay, I’m there.

Scott: And now you’re going to generate key over on the right-hand side, actions, generate key.

Scott: All right.

Peter: I need to put a pin in to do that.

Peter: I will paste my pin in.

Scott: No, no, no, no.

Scott: Oh, you do?

Scott: Oh, okay.

Scott: Interesting.

Peter: Mine says pin required.

Scott: Okay.

Scott: Mine probably did too.

Scott: I just probably don’t know.

Peter: Now I’m at generate key.

Scott: Now, when you give it a subject, which is basically just the name of this key, of this certificate that is generating, sorry, you need to follow step four there where it says CN= and then anything after the equals can be whatever you want.

Scott: But it has to say capital C, capital N equals.

Scott: And I assume that stands for a certificate name, but common name.

Scott: Oh, you see, that’s why we have the security expert here.

Scott: Yeah.

Peter: You got the common name versus the distinguished name.

Scott: Oh, Peter, I just want to tell you that I think you only have a distinguished name.

Scott: You don’t have a common name.

Scott: That would be beneath you.

Scott: All right.

Scott: Now you’ve done that.

Scott: What key algorithm did you use, by the way?

Scott: I think mine was the default of ECCP256.

Peter: Elliptic curve.

Peter: I mean, that’s what the default here is.

Peter: I cannot say it.

Peter: ECCP256, elliptic curve something protocol.

Peter: I don’t know what that other C means.

Peter: I can say library.

Peter: So there’s choices again.

Peter: Two different elliptic curve protocols and RSA 2048.

Peter: And apparently, the default expiration is one year from now.

Peter: So I’m making a self-signed certificate to doing this.

Peter: I could also, however, generate a CSR, certificate signing request, and send this to a certificate authority, apparently.

Peter: Or I could use a public key option.

Peter: And so there’s a few different options you could go here.

Peter: That’s very interesting.

Scott: Peter, do you remember how in the last podcast I talked about how I had torn a tendon in my finger?

Peter: Yeah, I do.

Scott: Well, I don’t get to go see the surgeon for a couple more weeks, and I’m wearing that aluminum thing.

Scott: And for whatever reason, today, every time I reach over to get my coffee, I’m catching that on stuff, and it hurts like hell.

Peter: I’m sorry?

Scott: Okay, good.

Scott: That’s all I needed.

Scott: All right, so now that you’ve done that.

Peter: So I need to generate a key.

Peter: I’m gonna click Save.

Peter: I’m gonna use RSA 2048 just because I like RSA.

Scott: Yeah, so now the step that Peter is doing is he’s clicking on 9D Key Management, still under certificates.

Scott: He’s generating a key, which is creating another new self-signed certificate.

Scott: And…

Peter: Private key has been generated.

Scott: Okay.

Scott: All right, that’s it.

Scott: Now, you should get a notification at the…

Scott: This is what drove me insane because macOS notifications.

Scott: First of all, I got a notification at the top in my notification center saying, hey, this thing wants to give you notifications.

Scott: You have to enable that, but you’re also going to get a notification about…

Scott: I can’t remember what it called, pair.

Scott: And the notification specifically pops up with a button in the lower left, in the lower right corner that says pair, and you have to click that button.

Scott: But I think to trigger this behavior, you have to pull your YubiKey out and put it back in again.

Peter: So just for kicks, YubiKey 5 Nano.

Peter: I am trying to export the certificate because I want to look at this thing that I just created.

Scott: I don’t want you to do that.

Scott: I just want you to do the next step.

Peter: Too bad.

Peter: I’m going to take a look at it first because I am curious.

Peter: Documents.

Peter: And in my documents folder, I have a date modified, a YubiKey NanoCertificate.crt, and it wants to open this with Keychain.

Peter: System roots Keychain could not be modified.

Peter: I didn’t want you to friggin modify.

Peter: I just wanted to look at the darn thing.

Peter: All right, I’m going to open it up with TextMate instead.

Scott: Well, here’s why it’s…

Scott: Yeah, exactly.

Scott: Yeah, yeah.

Scott: It assumes that it’s because it associates those files with Keychain.

Scott: Yeah.

Peter: I thought I could preview it, though.

Peter: Yep, and look at it.

Peter: There it is, a standard RSA style certificate.

Peter: Begin certificate, lots of gobbledygook, and certificate.

Peter: So perfect CRT format.

Scott: You don’t know how many of these certificates Peter’s looked at in his life.

Scott: Actually, I don’t know, but anyway.

Scott: All right, so pull your key out.

Peter: That’s the trickiest part.

Peter: These little nanos are so nano.

Peter: Well, no, you don’t know, because yours is not this big.

Scott: Well, no, I saw from the website the size of them when we were looking at them.

Peter: I have just barely enough finger and thumbnail to pull this thing out.

Scott: You need to grow out your fingernails like those cocaine users who grow out their pinky nail.

Peter: Problem is that my nails are so fine that they get brittle and break.

Peter: So I don’t do that.

Scott: You’ve got the finest.

Scott: You’ve got fine.

Peter: The finest.

Peter: I have no problem with my hands.

Peter: I’ve got the finest nails.

Scott: When Anna and I got married, the wedding photographer that we had, he was very good.

Scott: But he also was creepily obsessed with Anna’s hands.

Scott: I mean, he was obsessed.

Scott: He kept telling her she needed to be a hand model.

Scott: He went on and on and on about it.

Scott: And I’m just thinking that you, if you go in, if I don’t know how it’s possible that same guy is still alive and or taking photos, but if you ever went to that guy and said, Look, I need a portrait.

Scott: He’ll be like, Oh, the hands.

Scott: We’ve got to do these hands.

Scott: Have you ever thought about being a hand model, Peter?

Scott: Peter, let me hold your hand, et cetera, et cetera.

Peter: I have not.

Scott: OK, I’m just warning you.

Scott: Don’t don’t have your picture taken.

Peter: Got it.

Scott: And if they talk about your hands, leave immediately.

Peter: Got it.

Scott: The good news is the pictures were good.

Scott: They were very expensive.

Scott: OK, so now you put your YubiKey back into your Mac using your tiny fingernail.

Peter: The key of Yubis.

Peter: So this is one if like if I trusted in the if I trusted in the security, the physical security of my own home, I could leave a YubiKey plugged into my dock, for example.

Scott: You sure could.

Scott: You sure could.

Peter: Right.

Scott: All right, so now this is the nano.

Peter: This is intended to be traveled with.

Scott: Right.

Scott: So now you should get a notification up top.

Peter: It says, insert your YubiKey, which I have now done, and then it switched back and now I’m back at the certificates menu again.

Scott: So you should get a notification in the top right hand of your Mac that either says, YubiKey wants to give you notifications or it will say, Smart card pairing notifications.

Peter: Notifications may include alerts, icon badges.

Scott: So click on that and enable it because macOS doesn’t enable it just because it shows you that.

Scott: You have to click on it and you have to say yes, give me notifications.

Peter: Allow or don’t allow?

Peter: Shouldn’t that have been cancel or allow?

Scott: No, it should be.

Peter: Yeah, it should be.

Peter: Allow.

Scott: Allow.

Scott: OK, now there are…

Scott: OK, oh my God, I just lost English.

Scott: Now there should be a notification that has the button pair on it.

Scott: That I do not have.

Scott: Click again on your clock and see, look at your notifications.

Peter: Look in clock.

Peter: I see an rsync failure.

Peter: I see a notice from my bank.

Scott: OK, then pull out your YubiKey.

Peter: Sounds like I need to re-reinsert my YubiKey.

Peter: It is out.

Peter: And I see in the Yubico Authenticator app, it reflects the fact no YubiKey present.

Scott: That’s why I was saying, that’s how you know you’re setting all these things for this specific YubiKey.

Peter: Plug it back in and Yubico Authenticator says, Forget what the authenticator says.

Scott: Does macOS give you a notification?

Peter: No, not yet.

Peter: Click on the little clock.

Peter: I’ve got notifications, but nothing.

Scott: What?

Scott: See, this is where I got one specifically that said pair.

Peter: I clicked allow on that one.

Peter: I also did, I’m going through my old notifications just to see what I may have missed.

Peter: And I have, Scott Wilsey has been added as your recovery contact from last night.

Scott: That was a long time ago.

Scott: You know what, though?

Scott: Here’s a rant.

Scott: Notifications on the Mac have nothing to do with time, because I will have been logged into a Mac all damn day.

Scott: And then the next day, when I plug it into my my dock, it goes, hey, here’s all these notifications from yesterday.

Peter: So, yeah, that’s also when whenever I reboot my Mac, I get legacy old notifications, messages.

Peter: And I was like, oh, Scott’s telling me this again or something, right?

Peter: And I was like, okay, that’s great.

Scott: Absolutely.

Scott: Yeah, it’s ridiculous.

Peter: So I had to click on to the Yubico Authenticator app and then it said, hey, you’ve got a YubiKey 5C Nano FIPS installed.

Scott: Oh, okay, got it.

Peter: But I still haven’t gotten any operating system notification, even though I did click allow.

Peter: So I’m going to go into settings notifications.

Scott: It says, if you don’t see one, refer to the manually pairing a smart card without the pairing UI section of YubiKey for macOS login.

Scott: So let’s find that, which I don’t.

Scott: Oh, macOS login advanced topics.

Scott: Okay, manually pairing.

Scott: So let’s do command F, manually pairing a smart card without pairing.

Scott: Okay, so here is, oh, you get to use the terminal, my friend.

Peter: Oh, wow.

Peter: So Kerberos is set to allow notifications.

Peter: I’m assuming this is Kerberos that would be doing this, but I’m not a hundred percent sure.

Scott: So I just put another link in the note, and if you take that gigantic long link, it will take you.

Scott: What you’re going to do is you’re going to go to sc_auth identities.

Scott: You’re not going to go to that.

Scott: You’re going to click it.

Scott: You’re going to enter it in the terminal.

Peter: Very well.

Scott: The Terminale, we call it.

Peter: I’m going to that big old, except that big old URL included formatting from notes.

Peter: So I’m cleaning it up, and now I’m going to…

Scott: God damn it, notes.

Peter: Ah, stop searching for the URL.

Peter: Stop preparing.

Peter: Just go.

Scott: Why are you always preparing?

Scott: What are you preparing for?

Peter: Okay, so sc-auth-identities?

Peter: sc-

Peter: underscore-auth-identities.

Scott: underscore-auth-space-identities.

Peter: Okay, that’s a lot of interesting.

Scott: If certificates are present on the YubiKey, but the YubiKey isn’t paired to the user and account, an unpaired identity should show as a result, as shown below.

Peter: I do see an unpaired identity with a hash and the certificate for PIV authentication, Peter Nikolaidis, which was the CN that I added.

Scott: Okay, great.

Scott: Copy that great big hash.

Scott: Yep.

Peter: And now I’m going to pair that with sudo sc_auth pair -h, your hash, with -u, whoami?

Peter: So my username essentially.

Peter: That’s what we’re doing there.

Peter: Okay.

Peter: I’m not going to tell you what my hash is because that sounds like something you don’t need to know.

Peter: So now it wants the smart card agent PIN, which I do not recall, so I have to dive back into 1Password for that.

Scott: I literally just created that PIN, Peter.

Peter: No, 1Password created it.

Peter: No, no, no.

Scott: You created the…

Scott: You didn’t create the six-digit PIN that you entered at the very beginning?

Peter: No, I had 1Password do it.

Scott: Oh.

Peter: But I have now typed it in.

Peter: Failed to store login keychain unlock key.

Peter: No suitable key was found on the selected smart card.

Peter: User was successfully paired, but user password will be required after next smart card login to unlock login keychain.

Scott: Yep, I had that happen too, and I don’t remember how I got around it.

Peter: Should we just try it again?

Scott: I think so.

Peter: Cannot pair.

Peter: Smart card is already paired.

Scott: Okay, so try this.

Scott: Turn off your watch.

Scott: You don’t have an Apple Watch.

Scott: That’s good.

Scott: Lock your screen.

Scott: I hope it doesn’t end this recording, but lock your screen, lock your Mac, and then try to…

Peter: If it does, I’ll come back.

Scott: And then hit return again, and then see if it asks for your pin.

Scott: It should say pin.

Scott: It’ll just say pin.

Peter: All right, so I just locked my screen.

Peter: And then I…

Peter: So the login screen is supposed to prompt me for this?

Scott: Yeah, the macOS login screen, instead of password, it’s supposed to say PIN.

Peter: Got it.

Peter: Sorry, I just used Touch ID.

Peter: It says, yeah, enter Touch ID or use pin.

Peter: I just punched in my pin, and that worked.

Peter: I’m back in.

Scott: Okay, good.

Scott: All right, good.

Peter: Now, here’s the thing.

Peter: However, 1Password is now prompting me…

Peter: The 1Password app, which I left open, is asking me for my full-on password.

Scott: That’s because you locked your Mac, and so 1Password locked at the same time.

Peter: But 1Password is not giving me the option to Touch ID, which it normally does.

Scott: Sometimes that happens.

Scott: Once in a while, Peter, 1Password is set to every now and then have you enter your password because it wants you to remember it.

Peter: But that’s on like a two-week rotation.

Peter: I have to think that this one was triggered by this event that we just did.

Scott: I agree with you, except I have it happen way more often than two weeks.

Scott: I have the same setting, and I get it more often than two weeks.

Scott: I don’t know.

Scott: I don’t know.

Scott: The answer is yes, possibly, but maybe not.

Peter: When it does, when it’s the time-driven version, it tells me that.

Peter: It tells me 1Password will periodically prompt you.

Peter: This one did not do that.

Scott: Okay, so go back into 1Password settings now and just make sure that your security is the same.

Scott: It should be.

Peter: You mean Yubico settings, or 1Password settings?

Scott: No, 1Password.

Scott: Go into 1Password security settings and make sure that it still has your biometrics enabled.

Peter: General, advanced, advanced, privacy security, unlock, touch ID, Apple Watch, confirm my account password every so many days, auto lock after the computer is idle for four hours, lock on sleep screensaver or switching users.

Peter: That is checked.

Peter: But again, in the past, I’ve been able to unlock with a thumbprint.

Peter: So I’m going to try something.

Peter: I’m going to lock my screen again.

Scott: Or just lock 1Password.

Peter: I’m going to log back in with my Touch ID.

Peter: But 1Password again has locked and is again requiring my password, not giving me the option for my thumbprint, which is interesting.

Scott: I don’t know how to help you.

Peter: 1Password is trying to set up Touch ID for your account.

Peter: Touch ID to allow this.

Peter: So I think whatever we did revoked my previous…

Scott: No, Peter, I have that happen all the time.

Scott: I have that happen all the time.

Scott: Whenever it does like half the time or maybe a third of the times that it makes me type in my password again, then like I share a vault with someone else for work related purposes, and that one has different passwords.

Scott: So it does not allow me to log in to it.

Scott: When I give it the password for that one, it always does that.

Scott: It says the same thing.

Scott: I’m trying to set this up for Touch ID.

Scott: And that was way before YubiKey.

Scott: That was way before YubiKey.

Peter: Very interesting, not disputing you.

Peter: That has never happened to me before.

Scott: I understand, but I’m just saying, it has happened to me all the time without YubiKey.

Scott: It’s not, I’m not saying that the YubiKey didn’t trigger something, but I am saying it doesn’t necessarily mean that it’s specific YubiKey related.

Peter: I think the timing is awful funny, though, that I’ve literally never gotten that prompt before, and I just did now.

Scott: Yeah, but I’m just saying I think it triggered some standard 1Password behavior.

Scott: 1Password has done this before.

Scott: And don’t forget, you also have multiple accounts in your 1Password.

Scott: And usually it’s a secondary account.

Scott: If you enter your 1Password password, that’s only for one of your accounts.

Scott: Your other accounts presumably have different passwords.

Peter: I only have one 1Password account at this point.

Scott: Oh, okay.

Scott: Gotcha.

Peter: Yep.

Peter: Yep.

Peter: Okay, so that’s interesting.

Peter: So we’ve set up that YubiKey.

Peter: Sorry, we’ve set up the 5C Nano to allow logins, but it’s with the PIN.

Peter: So…

Scott: Well, you don’t have NFC on your Mac.

Peter: Right.

Peter: So, but even if I did, would I not have to tap and then give the pin?

Peter: It’s still tapping pin, right?

Peter: Because this is plug-in and pin.

Peter: I don’t know.

Scott: I guess so, yeah.

Scott: I think so.

Scott: Yes, you would still have to enter the pin.

Peter: Right.

Peter: So, what I’ve done is, I’ve swapped my second, my alternate biometric login using my thumbprint to using the key instead.

Peter: So, instead of doing my touch ID as an option or password as an option, now I have the YubiKey as another option.

Scott: As another option, yeah.

Scott: You can still use touch ID, of course.

Scott: And if you had an Apple watch still, it would still let you unlock it with the watch, et cetera, et cetera.

Scott: So, that was going to be my question to you, which is, if I have a YubiKey, should I disable all that?

Scott: Because let’s say that I’m going through a country who’s, oh, I don’t know, border control has recently become somewhat militarized, and they want in.

Scott: Well, if my watch opens it, that’s bad.

Scott: So, I guess what I’m saying is, does it actually do me any good to add the YubiKey, but not take away some of those other things?

Scott: Am I any more secure?

Scott: I don’t think so.

Peter: If you take, well, you’re still going to, if you power off your laptop, I believe no matter what you have, you’re still going to require a password to log in the first time, aren’t you?

Scott: That is true.

Scott: Yeah.

Peter: So, we should double check on that, which I can’t do without kicking us off, right?

Scott: No, I’ve powered off my laptop before.

Scott: You are correct about that, yeah.

Peter: Right.

Peter: So, essentially, it’s like, you know, it’s the something you have.

Peter: So, you could, say, for instance, ship a YubiKey separately, like FedEx overnight that to my destination, where I’m going, and disable Touch ID.

Scott: Oh, Lord.

Peter: And when I go through customs, I’m like, dude, I cannot unlock this thing.

Peter: Sorry.

Peter: So, yeah, in our exact use case as it is right now, I am questioning the utility of this because…

Scott: Right now, it’s just giving us another option.

Peter: It’s giving us another option, right?

Scott: And I will say a less convenient option than just using Touch ID or an app.

Peter: Now, here’s the thing.

Peter: One of the old adages is that security and convenience are inversely proportional.

Peter: So is that true?

Peter: Does that hold up in this case?

Peter: Is this more secure because it is less convenient?

Scott: Well, it’s more secure in the sense that you have to have physical possession of the Yubico, YubiKey, and you also have to know the PIN for it.

Scott: So it is something that you know and something that you have.

Peter: Right.

Peter: As opposed to something that just, well-

Scott: Whereas your finger is something you have, but you don’t know.

Peter: No, it’s technically no.

Peter: Biometrics is something you are, which is something different.

Peter: That’s a different category.

Scott: Well, you have a finger, so I protest.

Scott: Right, but that’s not how it’s-

Scott: No, but who’s the standards body that I need to take this up with?

Peter: That would be either ANSI or ISO, I think.

Peter: Probably ISO.

Scott: Got it.

Scott: I’m there.

Scott: So anyway-

Peter: Along with all the other security issuing certification bodies, so (ISC)², GIAC, CompTIA, you’re going to be busy for a little while, just FYI.

Scott: I’ve heard there’s a lot of bodies in the security arena and now I’m starting to believe it.

Scott: Okay, so anyway.

Scott: Anyway, no, I think it’s good.

Scott: I think, oh, so yeah, it’s something you have, something you know, something you know you have.

Scott: No, that part wasn’t part of it.

Scott: It’s something you know you have.

Scott: Do you know you have your YubiKey?

Peter: I know I have my YubiKey, yes.

Peter: Yay, security!

Peter: So your factors, your authentication factors, it’s something you know, something you have, something you are, some place you are.

Scott: Oh, could I make it so I can never log in to my Mac unless I’m in Kagoshima, Japan?

Peter: Is that possible?

Peter: Sure it’s possible.

Peter: I wouldn’t know how you would do it though.

Peter: But you can do geo-restrictions.

Scott: That would be amazing.

Scott: Then I would have to go live in Kagoshima.

Peter: You have to.

Peter: There’s no choice.

Scott: Yeah, I can’t get in my laptop.

Scott: I’m sorry.

Scott: I got YouTube videos lined up here to watch.

Scott: Come on.

Scott: All right, Peter, do you feel better about yourself now that we’ve done that?

Peter: No.

Scott: Oh, darn it.

Peter: Not really.

Peter: I mean, maybe I’ll feel better after I go kayaking later.

Scott: So this procedure is not going to be in your self-help book, Ten Steps to Mental Well-Being or whatever you’re going to call it.

Peter: That wasn’t high on my priority list.

Scott: Oh, you got to name it One Weird Trick to Mental Well-Being.

Peter: Bingo.

Peter: Right.

Peter: This one weird trick helped my mental well-being.

Peter: Now, here’s the next thing I could do.

Peter: I could add my biometrics to my YubiKey C Bio FIDO Edition.

Scott: Biohazard Fio Edition.

Peter: But again, I question the utility of this because I already have a device.

Peter: My Mac already has Touch ID.

Scott: Yeah, but that Touch ID sensor never goes away from the Mac.

Peter: Right.

Scott: So it’s actually less secure because you can separate that YubiKey from the Mac, and then it’s Touch ID.

Peter: There we go.

Peter: And that answers the previous question because they said it was less convenient.

Peter: That’s an example here.

Peter: You have to have this specific YubiKey and your associated biometrics.

Scott: Right.

Scott: It’s like if Apple sold you the Touch ID sensor separately.

Scott: Separately.

Scott: It was a separate part.

Scott: There’s a question, though.

Peter: We haven’t set up one of these Bio ones yet, so we don’t know, does it require a PIN in addition to the biometrics, or is that PIN separate from biometrics?

Scott: I don’t know the answer to that.

Scott: I would hope that it would require a PIN in case your biometrics failed.

Scott: Like if for some reason, look, I don’t know if you’ve ever noticed this about Touch ID, especially when the Apple used it or the iPhone used it, and it was like thumb.

Scott: Well, at work, I was going through a period of time where we were getting tons of semiconductor test equipment in.

Scott: It’s heavy, it’s huge, it requires unpacking, uncrating, moving.

Scott: My thumb prints would get messed up.

Scott: And Touch ID would not work.

Scott: So all I’m saying is, let’s say you refinish your cabinet or something, or, I don’t know, build a prison for your enemies in your dungeon.

Scott: You might not be able to actually get it to work that day.

Scott: So I’m hoping that it has a PIN for reasons like that.

Peter: At the moment, I’m not able to get the darn nano out of its USB-C port.

Peter: Okay, I have done that.

Peter: And my hand is starting to cramp up.

Peter: And that is an indicator that I have not had enough electrolytes for today.

Peter: This show should be sponsored by Element, but it’s not.

Peter: So I’m not going to tell you anymore.

Peter: So let’s go through and repeat that setup process that you and I did, Scott.

Peter: Also, this show should be sponsored by YubiKey.

Scott: I know, I was just going to say, okay, we’re already 54 minutes in.

Scott: Are you going to be able to whip through this?

Scott: It should be faster.

Scott: I do agree.

Peter: Especially if you walk me through it and I just follow along.

Scott: It should not be 54 minutes.

Scott: It should be 53.

Peter: We’re going to set up the YubiKey Bio, sorry, YubiKey C Bio FIDO Edition.

Peter: Now, this is only FIDO.

Peter: This is not FIPS.

Peter: So it doesn’t have as many options and it’s not as compatible as the other options, the other units that you and I are using.

Scott: I know that one’s a dog and one’s not and that’s all I know.

Peter: Correct.

Peter: So I have now plugged it in and it shows up in the YubiKey Authenticator thing.

Peter: I’m a bobber.

Scott: Yeah, now the good news is I’m hoping that after you change your PINs and all that other stuff, I’m hoping that it automatically does give you a notification this time since you’ve already said the app can give you a notification.

Scott: So let’s give it a shot.

Scott: So now click on certificates again.

Peter: Before we go any further, one thing that’s different on this one is it now has a fingerprints section.

Peter: So on the left side, it shows the YubiKey name, YubiKey C50, you know, the serial number, the firmware, home.

Peter: Now this one says home, fingerprints, passkeys.

Peter: So I have a new session for new fingerprints setting.

Scott: Okay.

Scott: So after we set up your certificates, we can set up your fingerprint then.

Peter: Bingo.

Peter: All right.

Peter: So where do we start again?

Scott: Certificates.

Scott: Let’s see.

Peter: I’m in.

Scott: Click on that specific YubiKey.

Scott: Yeah.

Peter: I click on the YubiKey.

Peter: Is that settings?

Peter: I don’t have certificates.

Peter: It’s different.

Peter: It looks very different from the other one.

Scott: Okay.

Scott: So what’s the name of your, what’s the product?

Peter: YubiKey C Bio FIDO Edition.

Scott: YubiKey C Bio FIDO Edition is incompatible with Mac.

Scott: macOS login.

Scott: It’s incompatible for macOS login.

Peter: Okay.

Peter: But what I can do then for this is I could throw passkeys onto it and I could throw fingerprints onto it.

Scott: Yeah.

Peter: Yeah.

Scott: Right.

Peter: And I can set a PIN for it.

Scott: Yeah.

Peter: And then I would associate this with a service like 1Password or something else.

Scott: Right.

Peter: But again, not having, you know, like I already have a fingerprint scanner on this Mac.

Peter: So it wouldn’t help there.

Peter: But I could use it as an alternative on my…

Peter: Okay.

Peter: So here’s your use case.

Peter: Assuming your thumbs and fingerprints are not getting shredded by heavy lifting, but you’re in the wintertime wearing a hat and a mask and fogged over glasses, you can remove your thumb in the cold for a brief instance.

Peter: Use your thumbprint to authenticate this.

Scott: I think you meant remove your gloves, not remove your thumb.

Peter: Remove your thumb from your gloves.

Scott: Oh, yeah.

Peter: And then you could use that.

Peter: So you could basically go back to the old touch ID model option on iPhones, which now has been replaced with Face ID.

Scott: Now, Peter, if you would have ponied up an extra $4,000 for the YubiKey C Bio Multi-Protocol Edition, that one would be compatible with macOS login.

Peter: I should have had them send me one of those as a demo, huh?

Peter: All right.

Peter: So let’s go through them really quickly.

Peter: I’m going to set up.

Peter: This is going to be the C Bio PIN.

Peter: I need to set a PIN, create a new PIN.

Peter: Okay.

Peter: I will use that PIN.

Peter: So I’m going to click on set PIN under FIDO protection, and I will confirm the PIN.

Peter: I am visually making sure it’s the same.

Peter: I have confirmed my PIN.

Peter: That is done.

Peter: Now I can add fingerprints.

Peter: Zero of five fingerprints registered.

Peter: Press your finger against the key to begin.

Peter: Keep touching it repeatedly.

Peter: All right, I’m doing that.

Scott: I was always told that was a bad idea.

Scott: Sorry.

Peter: Or Peter.

Scott: He just watched a podcast.

Peter: Just, you know, like people say that you and I have great chemistry, and I don’t think they know what that means.

Peter: I really don’t.

Scott: We just have chemistry, and I’ve taken all of it.

Peter: We have chemistry, right.

Scott: No, hey, by the way, that reminds me, speaking of chemistry and being weird, I want to, at some point, I do want to talk about the change in my dreams based on a cholesterol medication that I’ve been taking.

Scott: And my doctor, it’s actually kind of great.

Scott: But we’ll get into that a different time because this episode is way over.

Peter: All right.

Peter: I am enrolling my various digits.

Scott: It’s always good to have your digits enrolled.

Peter: Enroll your digits.

Peter: Tell your friends.

Scott: Tell your friends.

Scott: What if your only friends are your digits?

Scott: All right.

Peter: Well, then you should stop repeatedly touching them.

Scott: All right.

Peter: So I have added my fingerprints and I have added my PIN.

Peter: So now, I guess, passkeys.

Peter: So this is where I would now have to go into a FIDO-compatible device, such as, I don’t know, 1Password.

Scott: Yeah, 1Password will let you add a passkey.

Peter: Okay.

Peter: So now, this only let me put in a PIN.

Peter: There’s no option to do certificates, so there’s no PIN unlock code or key.

Scott: Yeah, that is interesting.

Peter: And there’s no management key.

Scott: And I’m wondering if it’s because it’s only FIDO as opposed to those other protocols.

Peter: Bingo.

Peter: I think those are FIPSy things and FIDO doesn’t support those.

Scott: FIDO ain’t got no FIPS.

Peter: FIDO ain’t got that.

Peter: No FIPS.

Peter: So, okay.

Peter: So, for completeness’ sake, what would I do then?

Peter: Would I go to 1password.com and add a security key?

Scott: Yes.

Peter: So, let’s sign in to…

Peter: So, now I’m signing in to 1Password on the web interface.

Peter: Let’s see what that looks like.

Scott: Go to our other non-sponsor.

Peter: It remembered that I was already in and logged right in.

Peter: It didn’t call me to anything.

Scott: That happened to me too yesterday when I was playing around with it.

Peter: Okay.

Peter: So, I am back to 1Password.

Peter: I’m clicking on my person.

Scott: Don’t forget to say non-sponsor 1Password.

Peter: Non-sponsor.

Peter: Yeah.

Scott: We’re trying to guilt them into sponsoring us.

Peter: So, like, almost 20 years ago, when I first started getting into podcasts, there was one that I listened to called the Run Your Own Server Podcast.

Peter: And it was just a bunch of sysadmins talking about sysadmin stuff.

Peter: But they had a reverse sponsor every episode, meaning they would basically pitch something, you know, like Apache or whatever.

Peter: So I thought it was kind of funny.

Peter: All right.

Peter: So I’m going into 1Password.

Peter: I’m going to two-factor.

Peter: Sorry.

Peter: I went to settings, admin console, profile, two-factor authentication.

Peter: And now I’m going to add a security key.

Scott: Now you made me wish that podcast still existed.

Scott: It’s in archive.org.

Scott: I don’t know if the actual audio files are, though.

Scott: I would guess not.

Scott: No, there are download options, including MP3.

Scott: All right.

Peter: All right.

Peter: So now it says add a security key, plug in your security key, and activate it now.

Peter: I almost spilled my beer.

Scott: All right.

Peter: I’ve unplugged it.

Peter: I’m now plugging it in.

Scott: You’re not spilling my beer.

Peter: Now it’s asking me where to save this passkey.

Peter: And of course, 1Password wants to save the passkey in 1Password, which I think I don’t want to do, right?

Peter: I was trying to save this passkey on the YubiKey.

Scott: No, because you’re saving it for 1Password.

Peter: But my web, my 1Password browser extension has popped up asking me where to save the passkey, and it’s offering to save it back into the 1Password account, which I don’t think I want to do.

Scott: No, it did.

Scott: So when I created a passkey for my YubiKey for 1Password, remember, it has to know what that passkey is.

Scott: There’s two parts of the passkey.

Scott: There’s the public part and the private part.

Peter: Okay.

Peter: So the public key will go into 1Password.

Scott: Your private parts are going to be on your YubiKey.

Scott: Yeah.

Scott: And your public parts are going to be in 1Password.

Peter: Okay.

Peter: But this is confusing because it’s offering to save it to update my existing.

Scott: Update your existing 1Password entry, not existing key.

Peter: But I’m just making sure that that’s exactly what’s going on.

Peter: Because I don’t want to…

Peter: That is.

Scott: I’m telling you.

Scott: When it says update existing, it means it’s going to update that existing 1Password entry.

Peter: Account with a new passkey.

Scott: Yes.

Scott: Yes.

Scott: All right.

Peter: I’m clicking save.

Peter: And it says your security key was successfully registered.

Scott: Yeah.

Scott: Now if you go look at 1Password and you look at that account, there will be a passkey there.

Peter: I see a YubiKey C Bio sitting there now.

Scott: Yeah, exactly.

Peter: But when I click into the Yubico Authenticator, I don’t see any passkeys stored on this.

Scott: Uh, I don’t know.

Scott: I don’t have my YubiKey present, so I can’t…

Scott: Right.

Peter: I wish there was a simple way to just verify what I just did.

Peter: You know, like, reprompt for this, make sure this works kind of thing.

Peter: Um, let’s go back in to iCloud.

Scott: Well, I think you can do that, Peter.

Scott: You can lock 1Password right now.

Peter: But locking it does not prompt me for two-factor authentication all the time.

Peter: It just prompts me for a password or something.

Scott: No, it should prompt you for something other than a password this time, because you just typed in your password last time.

Peter: Interesting.

Peter: Now, here’s the other thing.

Peter: Real quick, I just tried to sign in to iCloud, and it is saying, insert your security key and touch it.

Scott: Wait a minute, is this the one that you set up for iCloud earlier?

Peter: This is the one, this is a previous one that I already have.

Peter: It’s aware, so I’m now putting it in.

Peter: I’m waiting for it to stop blinking.

Scott: By the way, with the YubiKey C NFC, the one that you sent me, am I supposed to touch that thing that’s blinking at some point?

Scott: Is that how you send the key to a specific app?

Peter: If you plug it in, you touch.

Peter: If you just tap, you don’t need to touch that thing.

Scott: Oh, okay.

Scott: So, touching that thing is equivalent to a tap.

Scott: You’re saying, now send the number.

Scott: How does it know which number?

Scott: It depends on the app that you have open, I would guess.

Peter: I mean, it’s going to recognize.

Peter: Yeah, that’s a good question.

Peter: I don’t know which certificate to use.

Scott: It probably just runs through them all until it gets one that gets accepted, right?

Scott: Because there’s only five certificate slots.

Peter: Yeah, but doesn’t the certificate, if you’re doing public key, man, I’m really weak on my cryptography.

Scott: So, look at it this way, Peter.

Scott: When you try to SSH into a server, and you have multiple SSH keys on your computer, it’ll run through them all.

Scott: I know this because I got locked out of some servers on Linode because I had too many keys, and I had to change how I did it.

Peter: Yep.

Scott: So, it probably just runs through all five of them until it gets one at once.

Peter: It’s possible.

Peter: Okay.

Peter: So, I’m trying to add this security key, and it has told me in iCloud, I’m trying to add the security key in the web browser, and it’s telling me that I must continue on device, and it sent me over to the sign-in and security section.

Peter: And I see two-factor authentication is on, and it sends me into security keys.

Peter: This is on my Mac, by the way.

Scott: Under system settings?

Peter: Yep.

Scott: Where in system settings?

Scott: Tell me.

Peter: Under sign-in and security.

Scott: I don’t have sign in and security.

Scott: I see privacy and security.

Peter: Let’s see.

Scott: Privacy and security under Apple account.

Peter: It’s iCloud.

Peter: It’s under iCloud.

Scott: Oh, okay.

Scott: Gotcha, gotcha, gotcha.

Peter: Right.

Peter: So again, this is not for logging into your Mac.

Peter: This is logging into iCloud.

Peter: So you go to iCloud, sign-in and security, two-factor authentication, security keys, add a security key, clicking the plus sign, like add security key, click continue.

Peter: Enter my Apple account password.

Scott: My security key is not in there yet because I haven’t done that.

Scott: Yeah.

Scott: That is beautiful.

Peter: Okay, I punch in my local password so that I can do Apple stuff.

Peter: And it says, now add security keys, insert and activate your new security keys.

Peter: So I now plug in my bio.

Peter: It’s thinking, it’s thinking, the light is blinking.

Peter: And I wonder to activate it if I need to touch it and give it my thumbprint or my fingerprint here.

Scott: Peter, I do have a question.

Peter: And yes, it works and says name security key.

Peter: I will name that YubiKey.

Scott: Please name it biohazard.

Scott: Biohazard.

Peter: Well, you can rename them though.

Peter: It’s just one of the things that I see.

Peter: All right, YubiKey C Bio is in.

Peter: So now I have the option of using my thumbprint.

Peter: So this one, I probably will take this one with me traveling and leave one of the other ones behind at home.

Peter: The question is, do I take the NFC, do I leave the NFC one or?

Scott: Yeah, the question that you have to ask yourself is, do you take the one that you configured for Mac login or do you just say, I don’t care about the Mac login?

Peter: I don’t care about the Mac login.

Scott: There you go.

Peter: I really don’t.

Scott: Right, because in order to log in again, they have to pull a password out of your head.

Peter: Right, and now I do see a passkey stored in the Yubico Authenticator.

Peter: I see the passkey for iCloud, for apple.com, stored on the Yubico Authenticator.

Scott: There still is an existing question of whether 1Password is set up correctly.

Scott: That is true.

Scott: I agree with you on that.

Peter: I mean, well, no, I have used 1Password.

Peter: It has prompted me like two or three times since I set this up two days ago to tap or insert my device, and I have used it.

Scott: OK, so even though the certificate didn’t show in the YubiKey, it still worked.

Peter: Correct.

Scott: Interesting.

Scott: OK.

Scott: So 1Password’s doing it differently somehow.

Peter: Somehow, yes.

Scott: All right, so here’s my question for you.

Scott: Under those iCloud sign-in and security two-factor authentication, I have two trusted phone numbers, one being mine, the other being my wife’s.

Scott: Is that just an SMS thing?

Scott: In which case, I don’t feel good about that, because phone numbers, SIM swapping is a thing.

Scott: I don’t know if I should actually have trusted phone numbers.

Scott: Do you have trusted phone numbers in there?

Peter: I do not believe I have trusted phone numbers.

Scott: Maybe I should take those away.

Scott: What does it say if I click on one of those?

Scott: It says, this number can be used to verify your identity.

Scott: Yeah, I’m thinking I might remove trusted phone numbers, because, again, phone numbers, those numbers can be moved at any time by random people.

Scott: I don’t know what I mean, Burn.

Peter: So on a related note, I just happened to be looking at sign-in and security, and there’s an option to add a legacy contact as well.

Peter: And I figured I would do that.

Peter: But unlike the iCloud trusted contact, in case you get locked out, apparently you can only add one legacy contact.

Scott: Legacy.

Scott: I have my wife as my legacy.

Peter: I don’t have a wife.

Scott: You can have my wife as your legacy contact.

Peter: No, you’re good.

Peter: One husband is enough for her.

Scott: No, just as a legacy contact.

Scott: Just that’s it.

Scott: I take back all the things I said earlier about sharing.

Scott: I’m not that.

Scott: Okay.

Scott: So interesting.

Scott: So I’ll add my key to that.

Scott: Thank you for walking me through that, because now I know how to do it.

Scott: And I probably am going to take those phone numbers away.

Scott: And now speaking of biohazards, Peter, let’s end this podcast soon.

Peter: So I just had a thought, though.

Peter: I think what I will probably do is, remember when I was talking about where to leave a key and which key would leave where or whatnot?

Peter: I think leaving the thumbprint, the nano, sorry, the YubiKey Bio, leaving that plugged into my docking station at home makes the most sense.

Peter: Because without my fingerprint, you can’t get into this thing.

Peter: So it’s still, if I get prompted, not for login to macOS, but if I get prompted to log in to 1Password and it requires a YubiKey, I can just leave this here all the time at my desk where I do the bulk of my computing and just touch it and we’re good.

Scott: That’s true.

Scott: And you’ve got multiple keys set up for 1Password, and now you have multiple keys set up for iCloud as well?

Scott: Is that correct?

Peter: iCloud, yes, I have, well, it only shows three security keys, but if I refresh that page, it should show, huh, it still only says three security keys.

Peter: Reload the page, refresh, and four security keys.

Scott: Okay.

Peter: Yes.

Scott: All right, good.

Peter: So now the question, again, back to the question is like, how many of these do I take with me on my next trip?

Scott: All four of them and they should all be on the same key ring.

Scott: Wrong.

Scott: All right.

Scott: No, that does bring up one quick question before.

Scott: Okay, go for it.

Scott: Where, when you carry a YubiKey with you, how do you carry it?

Scott: What do you carry?

Scott: So I know that you said something about a passport wallet, but let’s say you’re just walking around every day in the United States of America.

Scott: You’re not traveling, so you’re not wearing your passport belt or whatever.

Peter: Right.

Peter: I mean, if I was going to carry one around with me every day, well, I guess I’m asking if I set up, because I added it to 1Password.

Scott: So isn’t it possible that at some point on my phone, 1Password will prompt me for it while I’m out on the boat?

Peter: Absolutely.

Peter: And that was my main concern.

Peter: And that was one of the reasons that I did not set up a passkey or a hardware security key for so long, because I didn’t know, like, how often is this going to do it?

Peter: I thought it was going to be prompting me like every time I needed a password.

Scott: But even if it does it once while I’m out and I don’t carry my YubiKey, that’s inconvenient.

Peter: That’s inconvenience, right.

Peter: More secure, less convenient, right?

Scott: So what would you advise me to do?

Scott: Can I put the YubiKey on my keyring and say, I feel good about myself?

Peter: I think you can.

Scott: I’ve never lost my keys, but that doesn’t mean they won’t get stolen.

Peter: OK.

Peter: But if they do get stolen, you have a recovery key option, right?

Peter: You have a recovery password or something.

Peter: So you could get back to that.

Scott: Correct.

Peter: My plan is, like I said, I’m going to keep one of my YubiKeys with my passport, and I’m going to keep the other on my key ring with the single key that I’m taking on my trip, which is basically the key to my front door.

Peter: On a normal day, whenever I leave the house, I usually take my phone with me.

Peter: It’s very rare, but it’s not unheard of that the phone just goes in my pocket.

Peter: But if I go for a run, for instance, I’ll have it in my flip belt or in my hydration vest.

Peter: So if I needed to bring the key with me for that, I don’t know.

Peter: That was my thought was, do I just log in to 1Password first to make sure it knows who I am before I go out on a long run?

Peter: That’s what I would do.

Peter: But I don’t know if that actually even does anything, because periodically it’s supposed to reprompt you.

Peter: So I’m not sure.

Peter: But with a nano like this, if I have concerns, I can just shove this nano into the USB-C connector on my iPhone.

Scott: Oh, that’s true.

Peter: And not even notice.

Peter: And take it with you.

Peter: Right?

Peter: So that’s an option.

Scott: Is that a good option?

Peter: But again, if it was something where this is the only factor, you’ve just defeated the whole purpose.

Scott: Right, because now someone, either you drop your phone and someone finds it, or they steal it, and they’ve got both automatically.

Peter: Exactly.

Peter: But from what we’ve seen, it’s not going to unlock my iPhone, right?

Peter: So it’s not going to get you into my iPhone.

Peter: It’ll only get you past that into applications later on.

Scott: Right.

Peter: So the other option would be if you have one of those little wallet card additions case, you know, that lets you store cards and things like that, you could just slide a little YubiKey into that, for instance.

Peter: Not the Nano, obviously, because that’s not thin enough.

Peter: It’s got a weird form factor.

Peter: But be aware also, if you stick this thing into the, you know, into the USB-C slot, you can’t charge using the USB-C slot while you’ve got it, right?

Peter: So there’s, you know, it’s definitely, it’s good that we spent some time and talked through it on this episode.

Peter: My hope is that more than two people will benefit from this being you and me.

Peter: But if not, who knows, maybe, you know, this, you and I benefited from it and that was great.

Scott: So maybe years from now after we’re dead, someone from Yubico will listen to this and they’ll go, my god, we should have sponsored those guys.

Peter: We should have sponsored those guys.

Peter: Well, let’s do it now that they’re dead.

Scott: Yeah, let’s pay for some flowers for their graves.

Peter: Right.

Peter: So on that note, I am going to get outside.

Peter: I’m committing to do it.

Peter: I’m going to go and throw my kayak in the back of my car, drive to a little place where I can set in, and I’m going to go for a kayak ride.

Scott: Awesome.

Scott: Peter, how do people find us if they haven’t found us, which they have found us?

Peter: If they haven’t already found us, they could try harder and they could find us at friendswithbrews.com.

Peter: That’s B-R-E-W-S, not like what you see on our president’s hands with increasing popularity these days, even though you’re seeing less of him on TV, which some might debate whether that’s a good thing or not.

Peter: We used to have both versions of friendswithbrews.com, but I’ve realized that that was kind of dumb, so I let that one expire.

Scott: But now out of zero people applauded our joke.

Peter: Yeah, but now I’m kind of no, now I’m tempted to re-register it.

Scott: Oh, actually, yes, this is the time.

Scott: Oh, man.

Scott: All right, so people go to friendswithbrews.com.

Scott: That’s B-R-E-W-S.

Scott: You’re going to need a YubiKey.

Scott: But yeah, and then other than that, Peter, what about what color is the button today?

Peter: The color of the button, you mean on my YubiKey?

Scott: Yes, that one.

Peter: That would be a big red button.

Scott: Tell your friends.

Peter: I just did.