Tuesday, September 25, 2012

Using Yubikey with FileVault 2

Recently I acquired a Yubikey. A product from Yubico, it generates OTPs with a very elegant solution - just touch the small USB stick on the metal panel on its front face and it types the password as if you had typed it on your keyboard. Naturally, it works with almost everything.

Yubikey has several modes it can work in; one of them is "Static Password" mode. "Static Password" means you don't get a One Time Password; instead the Yubikey becomes just a portable password holder. You touch the stick and it types the predefined password as if you had typed it yourself! It's an obvious solution for protecting the login to your system - exactly why I bought it.

I use a Mac, and of course I wanted full protection by enabling the FileVault feature - on-the-fly data encryption. It seamlessly, and with very little performance lost, encrypts the data on your main drive. Using an SSD, I didn't feel any difference in my usual workflow - browser, git (with very big repos), Eclipse for C++, Xcode for Objective-C, IDEA for everything else.

With FileVault enabled, your login screen changes - Mac OS boots into a very ascetic pre-boot login screen and asks for a password. The reason for this behaviour is that it needs the password before it can begin to boot: without it, it can't decrypt your hard drive. And it was on that screen that a whole lot of trouble awaited me. I rebooted, plugged in the Yubikey, touched it, watched the small asterisks fill the password field and... FAIL. It couldn't boot! WTF-ZOMG-where-is-that-piece-of-paper-with-the-password! Thankfully, I had saved the password on a piece of paper before rebooting. I typed it in myself and it logged in! Oooh, the relief.

After some time banging my head against the wall I found out where the problem was: the Yubikey enters its password too quickly. It may be a bug, or it may be some anti-brute-force measure, but if you enter the password too quickly some of the letters seem to go missing :)

There is a workaround - the Yubikey has a special option for this, called Output Speed Throttling, which can be found in the Yubikey Personalization Tool -> Settings. It takes effect only after you write a configuration to a slot, and it is saved as part of that configuration (it cost me some time to figure this out).

But I didn't want my input to be slow all the time. I wanted it slow only on the FileVault login screen, which I see rarely - only after a reboot. I found a solution, but it uses both configuration slots - fine by me. So here's my solution:

  • Set Output Speed Throttling to standard
  • Save the password to Configuration 1
  • Set Output Speed Throttling to 60ms
  • Save the same password to Configuration 2

That's it! Now a short touch of the Yubikey produces fast typing (Configuration 1), and a long (~2.5 sec) touch produces slow typing (Configuration 2) when you need it.

Also a tip - if you use an advanced password, to generate the same password in the second slot you can look up its configuration in the configuration log. Mine is at ~/configuration_log.csv. Bear in mind that this file lets anyone who reads it reproduce the password, so protect it accordingly.