@7h3rAm
Forked from ravron/README.md
Created December 21, 2023 18:20
Options to prevent accidental Yubikey OTP triggering

Tired of spamming Yubikey one-time password (OTP) codes into Slack? Here are two options to help prevent that. You can do either or both. Both require ykman, the Yubikey CLI configuration manager. Get it with Homebrew:

brew install ykman

If you…

Disable sending <Enter>

By default, Yubikeys send the <Enter> character after sending the modhex code. You may disable this behavior. First, confirm which slot you have programmed:

$ ykman otp info
YubiKey 4
Slot 1: programmed
Slot 2: empty

In this case, slot 1 is programmed. Configure the programmed slot not to send enter:

$ ykman otp settings --no-enter 1

Add an OTP triggering delay

Yubikeys have two OTP slots. The device uses the duration of the touch to determine which slot to use to emit a code: slot 1 requires about a half-second touch, and slot 2 requires about a two-second touch. By default, OTP is written to slot 1, meaning it's easy to trigger accidentally. You may swap the configurations in the slots, which usually means moving the configuration programmed in slot 1 to slot 2, leaving slot 1 empty:

$ ykman otp swap

This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.

Troubleshooting

On macOS Catalina (10.15) and above, user privacy controls may prevent ykman from functioning. If you see something like this:

Error: Failed connecting to YubiKey 4 [OTP+FIDO+CCID]. Make sure the application have the required permissions.

or this:

OSError: Failed to open device for communication: -536870174

you're likely running afoul of those protections. Add your terminal emulator (e.g. Terminal.app or iTerm.app) to the list of apps in Security & Privacy > Input Monitoring and try again.

If you're not comfortable running terminal commands

You can't disable the <Enter> keypress, but you can still add an OTP triggering delay as described above.

Download and install the YubiKey Manager tool. Then:

  1. Plug in your YubiKey
  2. Click "Applications," then "OTP"
  3. Click "Swap" to swap the configuration from the short-touch slot, slot 1, to the long-touch slot, slot 2

What's the big deal with Yubikey codes?

Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, they also represent a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!

A Yubikey OTP is an encryption-based OTP, similar to HOTP. Unlike SMS or email OTPs, which typically expire after a short period, Yubikey OTPs are valid until they, or a later generated code, are used for authentication. Until then, your authentication is vulnerable to a buffered replay attack, where someone uses your accidentally-sent code to log in as you, in combination with stolen credentials.

In short, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects.
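To make the "valid until a later code is used" property concrete, here is an added example (not from the gist or from Yubico) of the counter bookkeeping a validation server does. It is a simplification: the real token is AES-encrypted and CRC-checked, and the counter widths are assumed here; only the ordering rule matters for the replay point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Otp:
    """Simplified Yubico-style OTP: the counters normally live inside the encrypted token."""
    public_id: str   # modhex public identity of the key (constructed value below)
    session: int     # incremented each time the key powers up (assumed 16-bit)
    use: int         # incremented per touch within a session (assumed 8-bit)


class Validator:
    """Remembers the highest (session, use) pair seen per key; anything not newer is a replay."""

    def __init__(self):
        self._last = {}  # public_id -> (session, use)

    def verify(self, otp):
        last = self._last.get(otp.public_id, (-1, -1))
        # Tuple comparison: a higher session wins; same session needs a higher use counter.
        if (otp.session, otp.use) <= last:
            return "REPLAYED"
        self._last[otp.public_id] = (otp.session, otp.use)
        return "OK"


def demo():
    """Constructed scenario: the first of two touches was pasted into a chat by accident."""
    leaked = Otp("cccccccccccc", session=5, use=0)   # the code that went to Slack
    newer = Otp("cccccccccccc", session=5, use=1)    # the next touch of the same key
    results = {}

    # Case A: nobody has used a newer code yet, so the leaked one is still live.
    server = Validator()
    results["leaked_accepted_if_nothing_newer_seen"] = server.verify(leaked)
    results["leaked_second_attempt"] = server.verify(leaked)

    # Case B: the owner authenticates with a newer code first; the leaked one is now dead.
    server = Validator()
    results["owner_uses_newer_code"] = server.verify(newer)
    results["leaked_after_newer_code"] = server.verify(leaked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Case B is the practical remedy after a slip: authenticate once with a fresh code against the service that validates your key, and the pasted code is burned.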
