privacy-toolkit/tools/yubico/README.md
2025-12-31 19:44:07 -07:00


Yubico Tools Suite

Hardware security key management and authentication tools for YubiKey.

What's Included

| Tool | Purpose |
| --- | --- |
| YubiKey Manager | GUI to configure YubiKey settings, FIDO2 PIN, OTP slots, PIV |
| Yubico Authenticator | TOTP/HOTP authenticator using YubiKey hardware |
| yubico-piv-tool | Command-line PIV/Smart Card operations |

Threat Model

Protects Against:

  • Phishing attacks (FIDO2/WebAuthn is phishing-resistant)
  • TOTP code theft from a compromised phone
  • Password-only authentication weaknesses
  • Remote key extraction (keys never leave hardware)

Use Cases:

  • 2FA for online accounts (GitHub, Google, AWS, etc.)
  • Password-less authentication via FIDO2
  • SSH authentication with hardware keys
  • Code signing with PIV certificates

Installation

./install.sh

This will:

  1. Install system dependencies (pcscd, smart card libs)
  2. Download and install YubiKey Manager AppImage
  3. Download and extract Yubico Authenticator
  4. Download and extract yubico-piv-tool
  5. Create launch scripts in ~/bin/
  6. Create .desktop entries for app menu

Dependencies

Installed automatically:

  • pcscd - PC/SC smart card daemon
  • libpcsclite1 - Smart card library
  • libccid - CCID driver for smart cards
  • libfuse2 - Required for AppImages
  • libu2f-udev - udev rules for U2F devices

Usage

YubiKey Manager

yubikey-manager
# or
~/opt/yubico/yubikey-manager.AppImage

Configure:

  • FIDO2 PIN
  • OTP slots (Yubico OTP, static password, HOTP, Challenge-Response)
  • PIV certificates and PINs
  • Reset YubiKey to factory settings

Yubico Authenticator

yubico-auth
# or
~/opt/yubico/authenticator/authenticator

Features:

  • Scan QR codes to add TOTP/HOTP accounts
  • Codes stored on YubiKey (not on computer)
  • Touch YubiKey to reveal codes
  • Works across devices (codes travel with YubiKey)

yubico-piv-tool

~/opt/yubico/piv-tool/bin/yubico-piv-tool --help

# Generate key in slot 9a
yubico-piv-tool -a generate -s 9a -A RSA2048

# Import certificate
yubico-piv-tool -a import-certificate -s 9a -i cert.pem

Security Best Practices

  1. Set a strong FIDO2 PIN - Required by WebAuthn sites that ask for user verification (passwordless login)
  2. Set PIV PINs - The default PIN is 123456; change it immediately
  3. Keep backup keys - Have a second YubiKey registered on each account
  4. Store recovery codes - For accounts using YubiKey 2FA
  5. Use touch requirement - Enable touch for TOTP generation
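The yubico-piv-tool commands above and best practice 2 can be put together into one script that replaces every factory PIV credential and then creates the slot 9a key with a PIN and touch policy. The script below is an added example for this README, not part of the privacy-toolkit repo or of Yubico's tooling. It assumes yubico-piv-tool is on PATH (the toolkit installs it under ~/opt/yubico/piv-tool/bin) and uses the tool's own options -P/-N (current/new PIN or PUK), -k/-n (current/new management key), -o and --pin-policy/--touch-policy; the factory PUK (12345678) and factory management key (010203...08 repeated three times) are YubiKey defaults that the README does not list.

```shell
#!/bin/sh
# Added example (not from the privacy-toolkit repo): replace the factory PIV
# credentials on a YubiKey and generate a 9a key that requires a touch per use.
# Assumes yubico-piv-tool is on PATH. Factory values below are YubiKey defaults.

DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT=010203040506070801020304050607080102030405060708

# PIV PINs and PUKs are 6 to 8 characters; the factory values are rejected.
# Returns 0 when acceptable, 1 otherwise.
credential_is_acceptable() {
    cred=$1
    case "$cred" in
        "$DEFAULT_PIN"|"$DEFAULT_PUK") return 1 ;;
    esac
    len=${#cred}
    [ "$len" -ge 6 ] && [ "$len" -le 8 ]
}

# Fresh 24-byte management key (48 hex characters) from the kernel RNG.
gen_mgmt_key() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Succeeds only for exactly 48 lowercase hex characters.
mgmt_key_is_wellformed() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{48}$'
}

harden_piv() {
    new_pin=$1
    new_puk=$2
    command -v yubico-piv-tool >/dev/null 2>&1 || { echo "yubico-piv-tool not on PATH" >&2; return 1; }
    credential_is_acceptable "$new_pin" || { echo "refusing weak or factory PIN" >&2; return 1; }
    credential_is_acceptable "$new_puk" || { echo "refusing weak or factory PUK" >&2; return 1; }
    new_mgmt=$(gen_mgmt_key)
    mgmt_key_is_wellformed "$new_mgmt" || { echo "RNG output malformed" >&2; return 1; }

    # Replace all three factory credentials. Secrets given via -P/-N/-k/-n are
    # visible in the process list; omit those flags and the tool prompts instead.
    yubico-piv-tool -a change-pin -P "$DEFAULT_PIN" -N "$new_pin" || return 1
    yubico-piv-tool -a change-puk -P "$DEFAULT_PUK" -N "$new_puk" || return 1
    yubico-piv-tool -a set-mgm-key -k "$DEFAULT_MGMT" -n "$new_mgmt" || return 1

    # Slot 9a (authentication): PIN once per session, physical touch on every use.
    yubico-piv-tool -a generate -s 9a -A ECCP256 \
        --pin-policy=once --touch-policy=always -k "$new_mgmt" -o 9a-pub.pem || return 1

    echo "public key written to 9a-pub.pem"
    echo "new management key (keep offline, not on this host): $new_mgmt"
}

# Usage: ./harden-piv.sh NEW_PIN NEW_PUK   (with the YubiKey plugged in)
if [ "$#" -eq 2 ]; then
    harden_piv "$1" "$2"
fi
```

The management key is the credential that authorizes key generation and certificate import, so losing it locks you out of further PIV changes until a reset; print it once and record it offline, as the script does, rather than leaving it in shell history. The PIN and PUK checks only enforce length and "not the factory value"; they do not make a short numeric PIN strong, which is why the PIN retry counter (PIV locks after the configured number of wrong tries) is the real protection.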

Troubleshooting

YubiKey not detected

# Check pcscd service
sudo systemctl status pcscd

# Restart pcscd
sudo systemctl restart pcscd

# Check USB
lsusb | grep -i yubico

Permission issues

# Add user to plugdev group
sudo usermod -aG plugdev $USER
# Log out and back in

AppImage won't run

# Ensure libfuse2 is installed
sudo apt install libfuse2
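The three troubleshooting checks above (pcscd state, USB presence, plugdev membership) plus the libfuse2 check can be run in one pass. The script below is an added example written for this README, not part of the privacy-toolkit repo. It assumes a systemd host with lsusb installed, and matches the USB vendor ID 1050 (Yubico's registered ID) rather than the product string, so renamed devices are still found; the lsusb and group lines in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the privacy-toolkit repo): one-pass diagnostics for a
# YubiKey that is not detected. Assumes systemd and usbutils (lsusb).

YUBICO_VENDOR_ID=1050   # Yubico's USB vendor ID

# Succeed if the given lsusb output lists a device with Yubico's vendor ID.
usb_lists_yubikey() {
    printf '%s\n' "$1" | grep -Eq "ID ${YUBICO_VENDOR_ID}:[0-9a-fA-F]{4}"
}

# Succeed if GROUP appears in a space-separated group list (output of `id -Gn`).
user_in_group() {
    group=$1
    groups=$2
    for g in $groups; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Succeed if the `systemctl is-active` state string means pcscd is running.
pcscd_running() {
    [ "$1" = "active" ]
}

run_diagnostics() {
    rc=0
    me=$(id -un)

    if pcscd_running "$(systemctl is-active pcscd 2>/dev/null)"; then
        echo "ok    pcscd is running"
    else
        echo "FAIL  pcscd not active: sudo systemctl restart pcscd"
        rc=1
    fi

    if usb_lists_yubikey "$(lsusb 2>/dev/null)"; then
        echo "ok    YubiKey present on USB"
    else
        echo "FAIL  no device with vendor ID $YUBICO_VENDOR_ID in lsusb: reseat the key or try another port"
        rc=1
    fi

    if user_in_group plugdev "$(id -Gn)"; then
        echo "ok    $me is in plugdev"
    else
        echo "FAIL  $me not in plugdev: sudo usermod -aG plugdev $me, then log out and back in"
        rc=1
    fi

    # AppImages need the FUSE 2 library; ldconfig lists what the loader can find.
    if ldconfig -p 2>/dev/null | grep -q 'libfuse.so.2'; then
        echo "ok    libfuse2 present (AppImages can mount)"
    else
        echo "FAIL  libfuse2 missing: sudo apt install libfuse2"
        rc=1
    fi

    return $rc
}

# Usage: ./yubikey-diag.sh check   (functions can also be sourced on their own)
if [ "${1:-}" = check ]; then
    run_diagnostics
fi
```

A "FAIL" on the plugdev line after `usermod -aG` usually means the session still has the old group set; `id -Gn` reports what the current login has, not what /etc/group now says, which is why the README tells you to log out and back in.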

Resources