Configuring a YubiKey for TOTP on OSX

I recently got a YubiKey FIDO U2F as part of Yubico and Github’s bromance sale, at a fairly heavy discount of $13 off! Mine, including shipping, cost $11. They had issues with the initial keys they sent out being partially configured: if you tried to force setup of the FIDO U2F it would brick the key. So now I have two, one that will do HMAC and static passwords (I didn’t test anything else, for fear of bricking the key) and another that is a fully working FIDO U2F!

I use the Google Authenticator PAM module to force the use of two-factor auth (2FA) for all my servers. I have a secret pre-made, and it’s already in the Google Authenticator app on my Note 2. I’ll save setting up and configuring the PAM module for another post; this post is just for getting your YubiKey to produce codes for the Google PAM module.

First, you need to download the YubiKey personalisation application. It is available here. The GUI tool also installs the command line tools, which we’ll need later. After you’ve installed the personalisation tools and restarted your machine, open them up and insert your YubiKey.

[Screenshot, 2015-10-16: YubiKey Personalisation Tools without the key inserted]

[Screenshot: YubiKey Personalisation Tools with the key inserted]

We’ll remove the configuration for Slot 2. This is under Tools.

[Screenshot: Tools menu]

Delete Configuration

[Screenshot: Delete Configuration dialog]

After you select the relevant slot (in my case, Slot 2), click Delete. You will then see the notice on the right-hand side saying that only Slot 1 is configured.

[Screenshot: only Slot 1 configured]


Next we will download and run the yubi_goog python script. This converts the ssh user’s secret key (generated by Google or something else) into a usable format. For this example, my secret key is JBSWY3DPEHPK3PXP.

chmod +x

Now we’ll convert the secret key into a YubiKey friendly format.

./ --convert-secret


So the script has converted the base32 secret JBSWY3DPEHPK3PXP to its hex form, 48656c6c6f21deadbeef. We’ll put this into the YubiKey’s configuration for Slot 2.

Click Challenge-Response

[Screenshot: Challenge-Response]

[Screenshot: Challenge-Response settings]

We need to configure Slot 2, and put the converted secret key into the Secret Key box. The secret key will be padded with zeros automatically.

[Screenshot: Slot 2 with the secret key entered]

Click Write Configuration

[Screenshot: Write Configuration]


Now we’ll jump back to the command line and see if our seed works. I already have the seed on my phone, loaded via a QR code into the Google Authenticator app. The QR code is below so you can verify.


Since the YubiKey doesn’t have a battery, it doesn’t know what time it is, which makes time-based OTP a pain in the ass. To get the OTP from the YubiKey, we need to send it a challenge (containing the time) on the correct slot and read back the response.


ykchalresp -t -6 -2

ykchalresp is included with the personalisation tools and performs the actual challenge-response with the YubiKey, passing in the time (the -t flag), the number of digits we want back (-6, for 6 digits) and the slot (-2 for Slot 2; the default is -1, Slot 1). If we run this and touch the button, we get the OTP back, which is 710876. You can confirm this against the output of the Google Authenticator app on your phone; keep in mind that there may be a little clock skew just before or just after the 30-second time window changes.
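To make the two steps above concrete (the base32-to-hex conversion the yubi_goog script performs, and the time-based challenge-response that ykchalresp -t -6 -2 drives), here is an added Python example that is not part of the original post and not the yubi_goog or Yubico code. It assumes what the post describes: the HMAC-SHA1 slot computes HMAC-SHA1 over the challenge, the challenge for -t is the RFC 6238 counter (unix time / 30) as 8 big-endian bytes, and the tool zero-pads the key to the slot’s 20-byte HMAC-SHA1 key length. All function names are mine. The expected codes are the RFC 4226/6238 reference vectors for the ASCII secret "12345678901234567890", which lets the arithmetic be checked without hardware; the verify() function also shows the defender-side way to tolerate the clock skew the post mentions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Example secret from the post (the base32 form Google Authenticator hands out).
BASE32_SECRET = "JBSWY3DPEHPK3PXP"
# RFC 4226 / RFC 6238 reference secret, hex of the ASCII "12345678901234567890".
RFC_SECRET_HEX = "3132333435363738393031323334353637383930"


def convert_secret(b32: str) -> str:
    """Turn a base32 TOTP secret into the hex string typed into the
    personalisation tool's Secret Key box (the --convert-secret step)."""
    padded = b32.strip().upper() + "=" * (-len(b32.strip()) % 8)
    return base64.b32decode(padded).hex()


def yubikey_padded_key(hex_secret: str) -> bytes:
    """Assumption: the tool pads the secret with zeros to the slot's
    20-byte HMAC-SHA1 key length."""
    return bytes.fromhex(hex_secret).ljust(20, b"\x00")


def time_challenge(unix_time: int, step: int = 30) -> bytes:
    """Assumption: ykchalresp -t sends the TOTP counter (unix time // 30)
    as an 8-byte big-endian challenge, exactly as RFC 6238 defines it."""
    return struct.pack(">Q", unix_time // step)


def hmac_sha1_response(key: bytes, challenge: bytes) -> bytes:
    """What the HMAC-SHA1 challenge-response slot computes and returns."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def truncate(response: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of the 20-byte response (what the
    -6 / -8 flag selects), zero-padded to the requested digit count."""
    offset = response[-1] & 0x0F
    code = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(hex_secret: str, unix_time: int, digits: int = 6) -> str:
    """The code the key hands back for a given wall-clock time."""
    key = yubikey_padded_key(hex_secret)
    return truncate(hmac_sha1_response(key, time_challenge(unix_time)), digits)


def padding_is_transparent(hex_secret: str, unix_time: int) -> bool:
    """HMAC already zero-pads any key shorter than its 64-byte block, so
    the tool's padding to 20 bytes must not change the response. Returns
    True when the padded and unpadded keys agree."""
    challenge = time_challenge(unix_time)
    padded = hmac_sha1_response(yubikey_padded_key(hex_secret), challenge)
    raw = hmac_sha1_response(bytes.fromhex(hex_secret), challenge)
    return hmac.compare_digest(padded, raw)


def verify(hex_secret: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates the clock skew around a window
    boundary: accept the current 30-second window and skew_steps
    neighbours on either side, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(hex_secret, unix_time + 30 * k), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    hex_secret = convert_secret(BASE32_SECRET)
    print(f"{BASE32_SECRET} -> {hex_secret}")
    print("code for this 30-second window:", totp(hex_secret, int(time.time())))
```

Running it prints the same hex the script produced in the post and the code for the current window, which should match both the phone and ykchalresp. The RFC_SECRET_HEX values are only there so the arithmetic can be checked against published vectors; your real seed never needs to leave the key and the server.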