https://bitlex.li/tags/2fa/Recent content in 2fa on Learning Journey of Alexander AllgäuerHugoen-usMon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/tutorials/yubikey-hmac-sha1-challenge-response/Mon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/tutorials/yubikey-hmac-sha1-challenge-response/<p>Configure HMAC-SHA1 Challenge-Response on a YubiKey&rsquo;s second OTP slot.</p> <h2 id="check-slot-status">Check slot status</h2> <p>Use <code>ykman otp info</code> to make sure your second slot isn&rsquo;t already used. Slot 1 is typically reserved for Yubico OTP.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ykman otp info </span></span><span style="display:flex;"><span><span style="color:#75715e"># Slot 1: programmed</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Slot 2: empty</span> </span></span></code></pre></div><h2 id="configure-otp-slot-2">Configure OTP slot 2</h2> <p>Generate a shared secret and program <strong>both</strong> YubiKeys (primary + backup) with the <em>same</em> secret so either can open the database.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>SECRET<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>openssl rand -hex 20<span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span>ykman otp chalresp --touch <span style="color:#ae81ff">2</span> $SECRET <span style="color:#75715e"># Key 1</span> </span></span><span style="display:flex;"><span>ykman otp chalresp --touch <span style="color:#ae81ff">2</span> $SECRET <span style="color:#75715e"># Key 2</span> </span></span><span style="display:flex;"><span>unset SECRET </span></span></code></pre></div><p>The <code>--touch</code> flag is optional, but when you think about it, it absolutely makes sense — you want physical presence confirmation before the key responds.</p>https://bitlex.li/posts/yubikey/Mon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/posts/yubikey/<p><strong>YubiKey</strong> is a hardware security key manufactured by <strong>Yubico</strong>.</p> <p>YubiKeys support a wide range of authentication standards, including:</p> <ul> <li>FIDO2 / WebAuthn</li> <li>FIDO U2F</li> <li>Smart card (PIV)</li> <li>OpenPGP</li> <li>OATH-TOTP / HOTP</li> <li>Yubico OTP</li> </ul> <h2 id="rule-1-always-buy-two">Rule #1: Always buy two</h2> <p>When ordering a YubiKey, always put <strong>two</strong> of them in the shopping cart. Saving a few bucks on a backup key can leave you with a single point of catastrophic failure. They come with a hole that lets you attach one to your keychain while the other stays in another safe, trusted location.</p>https://bitlex.li/tutorials/yubikey-management/Mon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/tutorials/yubikey-management/<h2 id="yubikey-management-tools-installation">Yubikey Management Tools Installation</h2> <p>We need yubikey-manager Smart Card Daemon middlware.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo pacman -S yubikey-manager pcsclite ccid </span></span><span style="display:flex;"><span>sudo systemctl enable --now pcscd.service </span></span><span style="display:flex;"><span>sudo systemctl enable --now pcscd.socket </span></span></code></pre></div><p>Verify if the key is detected:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ykman info </span></span></code></pre></div><pre tabindex="0"><code> @slexi  ykman info Device type: YubiKey 5C NFC Serial number: 25997589 Firmware version: 5.4.3 Form factor: Keychain (USB-C) Enabled USB interfaces: OTP, FIDO, CCID NFC transport is enabled Applications USB NFC Yubico OTP Enabled Enabled FIDO U2F Enabled Enabled FIDO2 Enabled Enabled OATH Enabled Enabled PIV Enabled Enabled OpenPGP Enabled Enabled YubiHSM Auth Enabled Enabled </code></pre>