You can use your Yubikey to remember and type an arbitrary string, as well as using it as an OTP generator and a secure store for your SSH key. We use this so that we don’t have to remember our 1Password secret keys.
We use 1Password as our team secrets-management tool. It’s great, but every user needs to remember not only their username and password, but a 40-character secret key too. Normally this is saved on your machine, which is not ideal when you’re using shared computers.
The following steps show you how to configure a Yubikey to store your 1Password secret key, so that you can type it with a simple button-press.
- Download and install the Yubikey Personalization Tool
- Open the Yubikey Personalization Tool, which looks like this:
- Insert your Yubikey, checking that it shows up in the right-hand side of the window:
- Click Static Password:
- Click Scan Code:
- Select “Configuration Slot 2”. If you accidentally use the first slot, you’ll overwrite the configuration that allows your Yubikey to work as an OTP generator. That would be bad.
- Choose a keyboard layout:
- Log in to 1Password:
- Click on your name and then select “My Profile” from the dropdown menu:
- Copy your Secret Key from under the “Sign-In Details” section:
- Paste your Secret Key into the Password box of the Yubikey Personalization Tool. I’ve obfuscated mine for obvious reasons!
- Remove all the dashes, as these are not needed and cause the key to be too long. You should end up with a string of 34 characters.
- Double-check that you’ve selected Configuration Slot 2, otherwise you’ll b0rk your OTP functionality.
- Click Write Configuration, which commits the changes to the Yubikey:
- Save the configuration log somewhere secure - it contains your secret.
- Open 1Password in a new incognito browser window.
- Give focus to the Secret Key field.
- Press and hold the Yubikey button for 3-4 seconds. If you get the wrong string, you probably didn’t hold it for long enough.
- Observe your very long and hard-to-remember secret key being typed into the field!
Et voila! You no longer need to remember that very long secret key, leaving you with just your username and password.
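To confirm the write without ever displaying the secret, the added example below (not part of the original post) compares what the Yubikey types against the Secret Key pasted from 1Password. It reports only mismatch positions, which point at the keyboard layout chosen in the tool, or a length difference, which points at a short button press. The function names are hypothetical; the 34-character length is the one given in the steps above.

```python
import getpass
import hmac

EXPECTED_LEN = 34  # length the steps above give for the key once dashes are removed


def normalize(secret_key: str) -> str:
    """Strip whitespace and dashes, as in the 'remove all the dashes' step."""
    stripped = secret_key.strip().replace("-", "")
    if len(stripped) != EXPECTED_LEN:
        raise ValueError(f"expected {EXPECTED_LEN} characters, got {len(stripped)}")
    return stripped


def compare(expected: str, typed: str) -> tuple[bool, list[int]]:
    """Return (match, differing 1-based positions); never returns the characters."""
    typed = typed.strip()
    # Constant-time comparison on bytes, so non-ASCII keystrokes are handled too.
    if hmac.compare_digest(expected.encode(), typed.encode()):
        return True, []
    if len(typed) != len(expected):
        return False, []  # wrong length: no meaningful per-position diff
    return False, [i + 1 for i, (a, b) in enumerate(zip(expected, typed)) if a != b]


def main() -> None:
    # getpass keeps both strings off the screen and out of shell history.
    expected = normalize(getpass.getpass("Paste Secret Key from 1Password (hidden): "))
    typed = getpass.getpass("Now hold the Yubikey button for 3-4 seconds (hidden): ")
    ok, positions = compare(expected, typed)
    if ok:
        print("Match: the Yubikey types the Secret Key correctly.")
    elif positions:
        print(f"Same length, differs at positions {positions}: check the keyboard layout.")
    else:
        print(f"Got {len(typed.strip())} characters, expected {EXPECTED_LEN}: "
              "the button was probably not held long enough.")


if __name__ == "__main__":
    main()
```

Run it in a local terminal rather than over a shared or recorded session, since the secret still passes through the keyboard input path.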