Slots: Yubico OTP Application

Important

The Slots feature is only available for Yubico Authenticator for Desktop and Yubico OTP-compatible YubiKeys. This includes the YubiKey 5 Series (standard, FIPS, and CSPN), YubiKey 4 Series, and YubiKey NEO.

The Slots feature of Yubico Authenticator lets you manage both the short press (short touch) slot and the long press (long touch) slot of the YubiKey’s Yubico OTP application. Each slot can be configured for one of the following types of authentication: Yubico OTP, static password, challenge-response, or OATH-HOTP.

Slot configurations can also be swapped or deleted.

Note

Standard YubiKeys are preconfigured with a Yubico OTP in the short press slot. This credential is also preregistered with YubiCloud for out-of-the-box validation.

Yubico OTPs

A Yubico OTP (one-time password) is a 44-character string in ModHex (the alphabet bcdefghijklnrtuv, chosen because those keys produce the same scan codes on nearly every keyboard layout). The first 12 characters are the slot’s Public ID, sent in the clear; the remaining 32 characters are a 16-byte token (Private ID, counters, timestamp, random bytes and a checksum) encrypted with the slot’s AES-128 secret key, so every press of the key yields a different OTP. Yubico OTPs look similar to the following: ccccccjlkgjlevtdernkbbnrrvhcvdbljgchbgbdbvgk.

Yubico OTPs can be used for both single-factor and two-factor authentication. To find a list of sites and services that use Yubico OTPs, see the Works with YubiKey Catalog.

For in-depth information on the Yubico OTP and how they work, see the .NET SDK manual.

Configuration

To configure an OTP application slot with a Yubico OTP, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Click on the slot you would like to configure and select Yubico OTP under Setup.

    To find the Setup menu in a narrow app window, click the three dots in the upper right corner of the app.

    _images/configure-slot.jpg
  3. Enter a 12-character Public ID. You can either type in your own or use a ModHex representation of your YubiKey’s serial number. If using your own ID, only ModHex characters (bcdefghijklnrtuv) are allowed. To use the serial number, click the star icon in the Public ID box. The Public ID is typed in the clear as the first 12 characters of every OTP; it tells the validation server which credential to use and is the value that gets linked to your account in step 10, so it needs to be unique among the keys registered with a server but does not need to be secret.

  4. Enter a 12-digit Private ID (6 bytes, in hexadecimal). You can either type in your own or generate one randomly. If using your own ID, only the following characters are allowed: abcdef0123456789. To generate a random 12-digit ID, click the arrow icon in the Private ID box. The Private ID travels only inside the encrypted part of the OTP; the validation server checks it after decryption as a confirmation that the OTP was produced with the right secret key.

  5. Enter a 32-digit Secret key (16 bytes, in hexadecimal; this is the AES-128 key used to encrypt the OTP). You can either type in your own or generate one randomly. If using your own key, only the following characters are allowed: abcdef0123456789. To generate a random 32-digit secret key, click the arrow icon in the Secret key box. Prefer the random option: the security of every OTP from this slot rests on this key, and a typed-in key is only as unpredictable as whatever produced it.

  6. By default, an Enter keystroke will be applied to the end of the OTP. This means that when the OTP is generated and typed into a field on a login screen, you won’t have to click another button to start the validation process. To remove the Enter keystroke, click Append until the check mark disappears.

  7. To export the credential to a file, click on the export file drop-down menu and click Select file. Enter a name for the file, select a location, and click Save. You should now see the name of your file in the drop-down. This step isn’t required, but keep in mind that these fields will need to be shared with the validation server for every site or service you wish to authenticate to with this Yubico OTP configuration, so they will need to be saved somewhere (at least temporarily). The file contains the secret key in plain text, so keep it off shared or synced storage and delete it once the credential has been uploaded to the validation servers.

    If you elect to save the credential fields to a text file, they will be in a comma-separated list in the following order: YubiKey serial number, Public ID, Private ID, Secret key, date and time the configuration was created.

    _images/create-yubico-otp.jpg
  8. Click Save to complete the configuration. If the slot is already configured with a credential, click Overwrite when prompted.

  9. Once configured, share the credential fields with the validation server for every site and service you wish to authenticate to with this Yubico OTP configuration. Remember, during Yubico OTP authentication, the validation server must decrypt the OTP with the secret key and check the Private ID and counters in order to determine validity. If the server does not have this information, it cannot validate any OTPs generated with your new configuration for any account.

    If a site/service uses the YubiCloud validation service, these fields can be uploaded at https://upload.yubico.com/. If a site/service uses an alternative validation server, refer to their setup instructions.

  10. After the credential has been added to the appropriate validation servers, you must register your key with your accounts. See the Works with YubiKey Catalog for setup instructions for your particular sites/services.

    This step links the Public ID for the credential with your account; if the Public ID of an OTP submitted for validation does not match the Public ID linked to your account, the OTP will be rejected.
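The following Go program is added here as an illustration of what the steps above set up; it is not code from Yubico Authenticator or from Yubico’s validation service. The key side builds the 16-byte token from the Private ID and counters, encrypts it with the secret key and prefixes the Public ID; a minimal validation server decrypts the token, checks the CRC and Private ID, confirms that the Public ID is the one linked to the account (step 10) and rejects any OTP whose counters have not advanced past the last accepted one. The token layout, the ModHex alphabet and the CRC are the Yubico OTP format; the credential values, account names and the in-memory server are constructed for the example (the Public ID was chosen to match the example OTP prefix shown earlier on this page).

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strings"
)

// ModHex alphabet (c=0 ... v=15): keys with the same USB scan codes on nearly every keyboard layout.
const modhexAlphabet = "cbdefghijklnrtuv"
func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhexAlphabet[c>>4], modhexAlphabet[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < 2*len(out); i++ {
		n := strings.IndexByte(modhexAlphabet, s[i])
		if n < 0 {
			return nil, errors.New("invalid ModHex character")
		}
		out[i/2] = out[i/2]<<4 | byte(n)
	}
	return out, nil
}

// crc16 (poly 0x8408, init 0xFFFF): a token carries the complement of the CRC over its first 14 bytes, so the CRC over all 16 is the residue 0xF0B8 when intact.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1))
		}
	}
	return crc
}

// Credential holds the three fields the Authenticator writes to the slot.
type Credential struct {
	PublicID  []byte   // 6 bytes, typed in clear as the first 12 ModHex characters
	PrivateID []byte   // 6 bytes, only ever seen inside the encrypted token
	Key       [16]byte // the AES-128 key shared with the validation server
}
func demoCredential() Credential { // constructed sample values, not a real key
	return Credential{[]byte{0, 0, 0, 0x8a, 0x95, 0x8a}, []byte{1, 0x23, 0x45, 0x67, 0x89, 0xab},
		[16]byte{0x55, 0xe7, 0x1a, 0x3b, 0x90, 0x0c, 0x4d, 0x8f, 0x22, 0xb6, 0x77, 0x01, 0xfe, 0xc9, 0x38, 0xa4}}
}

// GenerateOTP is the key side: build the 16-byte token (private ID, session counter, timestamp, use counter, random, CRC), AES-128-encrypt it as one block, prefix the public ID.
func GenerateOTP(c Credential, sessionCtr uint16, useCtr uint8, timestamp uint32, rnd uint16) string {
	var tok [16]byte
	copy(tok[0:6], c.PrivateID)
	binary.LittleEndian.PutUint16(tok[6:8], sessionCtr)
	tok[8], tok[9], tok[10], tok[11] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16), useCtr
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(c.Key[:]) // a 16-byte key cannot fail
	block.Encrypt(tok[:], tok[:])
	return modhexEncode(c.PublicID) + modhexEncode(tok[:])
}

// Validator: the credential registered to each account, plus the lowest counter value (session counter << 8 | use counter) still accepted per public ID.
type Validator struct {
	accounts map[string]Credential
	minCtr   map[string]uint32
}
func NewValidator(accounts map[string]Credential) *Validator {
	return &Validator{accounts, map[string]uint32{}}
}

// Validate checks the account linkage, the CRC and private ID after decryption, and that the counters advanced (replay protection).
func (v *Validator) Validate(account, otp string) error {
	cred, ok := v.accounts[account]
	if !ok || len(otp) != 44 || modhexEncode(cred.PublicID) != otp[:12] {
		return errors.New("malformed OTP or public ID not linked to this account")
	}
	tok, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(cred.Key[:])
	block.Decrypt(tok, tok) // in place: tok is now the 16-byte plaintext token
	if crc16(tok) != 0xf0b8 || subtle.ConstantTimeCompare(tok[:6], cred.PrivateID) != 1 {
		return errors.New("wrong key, corrupted OTP or private ID mismatch")
	}
	ctr := uint32(binary.LittleEndian.Uint16(tok[6:8]))<<8 | uint32(tok[11])
	if ctr < v.minCtr[otp[:12]] {
		return errors.New("replayed or stale OTP: counters did not advance")
	}
	v.minCtr[otp[:12]] = ctr + 1 // this OTP and anything older is now rejected
	return nil
}
```

The session counter is the value the key increments each time it is powered up; the use counter increments with every press within a session. Packing them as session<<8|use gives a single value that only grows, and storing the highest accepted value per Public ID is what makes a captured OTP worthless a second time; a validator that skips this check turns the OTP back into a static password. Note that the secret key this validator holds is the same one exported in step 7.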

Authentication

To generate and submit a Yubico OTP from a configured slot during an authentication attempt, simply place your cursor in the appropriate text field and tap the YubiKey to activate the short press slot or touch and hold the YubiKey for a few seconds to activate the long press slot. The key will generate the Yubico OTP using the slot’s credential and type it into the text field.

Static passwords

A static password, as the name implies, is a string of characters that never changes. It is no different from a password that you would create for any standard account: the key simply types it, so it can be captured by a keylogger and replayed like any other password, and it is not a second factor. The advantage of programming a slot with one is that you can have a long, complicated password for an account that you can store in a secure location and not have to worry about remembering it.

Static passwords are typed as keyboard input, so they can be communicated over physical (USB or Lightning) connections only, not over NFC.

Configuration

To configure an OTP application slot with a static password, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Click on the slot you would like to configure and select Static password under Setup.

    To find the Setup menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. Enter a Password up to 38 characters in length. If you’d prefer to generate a 32-character password randomly, click the arrow icon in the Password box.

  4. By default, an Enter keystroke will be applied to the end of the static password. This means that when the password is typed into a field on a login screen, you won’t have to click another button to continue the login process. To remove the Enter keystroke, click Append until the check mark disappears.

  5. Select a Keyboard layout from the drop-down menu. Choose the layout that matches the keyboard configuration on the devices you will use your YubiKey with. If you use devices with more than one configuration or you aren’t sure what they are, pick ModHex. With ModHex characters, the password will be communicated to a host device correctly, regardless of its keyboard layout setting. Note that if you select ModHex, your password may only contain the following characters: bcdefghijklnrtuv.

  6. Click Save to complete the configuration. If the slot is already configured with a credential, click Overwrite when prompted.

    _images/create-static-password.jpg
  7. If you haven’t already, register the static password with your accounts. This can be accomplished by the standard “create a new password” or “change your password” flows. If you’ve forgotten the static password you configured the slot with, simply place your cursor into any text field and activate the slot (tap the key for the short press slot or touch and hold for a few seconds for the long press slot). The static password will be typed into the text field.

Authentication

To submit a static password from a configured slot, simply place your cursor in a text field and tap the YubiKey to activate the short press slot or touch and hold the YubiKey for a few seconds to activate the long press slot. The static password will be typed into the text field.

Challenge-response

Challenge-response is a type of authentication where a host (the site, service, or application you are trying to log in to) sends a “challenge” to your YubiKey. The YubiKey receives the challenge and “responds” by computing an HMAC-SHA1 over the challenge with the secret key stored in the slot and sending the 20-byte result back to the host. The host, which holds the same secret key, recomputes the HMAC and compares; because each challenge is different, a recorded response is of no use for a later login.

To find a list of sites and services that use challenge-response authentication, see the Works with YubiKey Catalog.

For in-depth information on challenge-response authentication, see the .NET SDK manual.

Note

Challenge-response authentication with the Yubico OTP application works over physical connections only.

Configuration

To configure an OTP application slot with a challenge-response credential, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Click on the slot you would like to configure and select Challenge-response under Setup.

    To find the Setup menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. Enter a Secret key of up to 40 hexadecimal digits. The number of digits must be even, since every two digits encode one byte; 40 digits is the full 20-byte HMAC-SHA1 key. You can either type in your own or generate one randomly. If using your own key, only the following characters are allowed: abcdef0123456789. To generate a random 40-digit secret key, click the arrow icon in the Secret key box.

    Be sure to make a copy of your secret key; you will need to share it with the validation server (for challenge-response this is often the application or service itself) for each of your accounts during the registration process.

  4. Optionally, toggle on Require touch. This setting requires the user to touch the YubiKey before the key will process the challenge and communicate the response to the host device, so software on the host cannot obtain responses without a physical action on the key.

  5. Click Save to complete the configuration. If the slot is already configured with a credential, click Overwrite when prompted.

    _images/create-challenge-response.jpg
  6. After the credential has been added to the appropriate validation servers, you must register your key with your accounts. See the Works with YubiKey Catalog for setup instructions for your particular sites/services.

Authentication

Unlike the other slot configuration types, challenge-response is initiated via an API call from the site/service/application you are attempting to authenticate to; nothing is typed as keyboard input. This API call sends a challenge to the YubiKey, and the YubiKey takes the challenge (after the user touches the key if touch is required) and computes an HMAC-SHA1 over it using the secret key the slot was configured with. The key then sends the response back to the site/service/application for validation.
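Here is the exchange above in Go with both sides, added as an example and not code from Yubico Authenticator or any listed service: a host that issues a fresh random challenge per login attempt and a function standing in for the YubiKey that answers with HMAC-SHA1 over the challenge using the slot secret. The secret parsing follows the input rule from step 3 (hexadecimal, an even number of digits, at most 40); the account names, the in-memory host and the single-use challenge bookkeeping are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// parseSecret applies the Authenticator's input rule for the slot secret: hex digits, an even
// count (two per byte), and at most 40 digits, which is the full 20-byte HMAC-SHA1 key.
func parseSecret(hexKey string) ([]byte, error) {
	if len(hexKey) == 0 || len(hexKey)%2 != 0 || len(hexKey) > 40 {
		return nil, fmt.Errorf("secret must be an even number of hex digits, at most 40 (got %d)", len(hexKey))
	}
	return hex.DecodeString(hexKey)
}

// keyRespond stands in for the YubiKey: HMAC-SHA1 over the challenge with the slot secret,
// giving a 20-byte response. A real key would first wait for a touch if Require touch is set.
func keyRespond(secret, challenge []byte) []byte {
	mac := hmac.New(sha1.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Host is the other side: the same secret per account, and at most one outstanding challenge
// per account, consumed by the first verification attempt whether it succeeds or not.
type Host struct {
	secrets     map[string][]byte
	outstanding map[string][]byte
}

func NewHost() *Host {
	return &Host{map[string][]byte{}, map[string][]byte{}}
}

// Register stores the secret the user copied from the Authenticator (step 3).
func (h *Host) Register(account, hexKey string) error {
	secret, err := parseSecret(hexKey)
	if err != nil {
		return err
	}
	h.secrets[account] = secret
	return nil
}

// Challenge issues a fresh 32-byte random challenge. Unpredictable challenges are what make a
// recorded response useless later; a fixed challenge would reduce the scheme to a static secret.
func (h *Host) Challenge(account string) ([]byte, error) {
	if _, ok := h.secrets[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	h.outstanding[account] = c
	return c, nil
}

// Verify recomputes the expected response with the stored secret and compares in constant time.
func (h *Host) Verify(account string, response []byte) error {
	c, ok := h.outstanding[account]
	if !ok {
		return errors.New("no outstanding challenge for this account")
	}
	delete(h.outstanding, account) // one attempt per challenge, pass or fail
	if !hmac.Equal(keyRespond(h.secrets[account], c), response) {
		return errors.New("response does not match")
	}
	return nil
}
```

The example uses a fixed-size 32-byte challenge. How the key pads or trims shorter, variable-length challenges is a firmware detail this page does not cover; a host that always sends challenges of one fixed length avoids the question entirely.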

OATH HOTPs

OATH HOTPs (Initiative for Open Authentication HMAC-based one-time passwords, RFC 4226) are 6- or 8-digit unique passcodes that are used as the second factor during two-factor authentication. An HOTP looks like the following: 154916. Unlike a Yubico OTP, an HOTP carries no identifier: the server must look up the key’s secret from the account name, and it keeps track of the counter itself.

Generally, we recommend using the YubiKey’s OATH application for HOTP and TOTP authentication. With the OATH application, you can add OATH credentials for numerous accounts, there are more configuration options, and the Authenticator application can display these OTPs.

For in-depth information on OATH HOTPs and how they work within the Yubico OTP application, see the .NET SDK manual.

Configuration

To configure an OTP application slot with an OATH HOTP credential with the HMAC-SHA1 algorithm, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Click on the slot you would like to configure and select OATH-HOTP under Setup.

    To find the Setup menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. Enter an even-numbered Secret key up to 40 digits in length. The key is entered in Base32, so only the following characters are allowed: letters a through z and numbers 2 through 7.

    Be sure to make a copy of your secret key; you will need to share it with the validation server for each of your accounts during the registration process.

  4. By default, an Enter keystroke will be applied to the end of the OTP. This means that when the password is typed into a field on a login screen, you won’t have to click another button to continue the login process. To remove the Enter keystroke, click Append until the check mark disappears.

  5. Select an OTP length (6 or 8 digits).

  6. Click Save to complete the configuration. If the slot is already configured with a credential, click Overwrite when prompted.

    _images/create-oath-hotp.jpg
  7. After the credential has been added to the appropriate validation servers, you must register your key with your accounts. See the Works with YubiKey Catalog for setup instructions for your particular sites/services.

Authentication

To generate and submit an OATH HOTP from a configured slot during an authentication attempt, simply place your cursor in the appropriate text field and tap the YubiKey to activate the short press slot or touch and hold the YubiKey for a few seconds to activate the long press slot. The key will generate the HOTP using the slot’s credential and type it into the text field.
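As an added example (not code from Yubico Authenticator or the OATH reference implementation), the following Go program shows both halves of what this section configures: decoding the Base32 secret exactly as it is typed into the Authenticator in step 3, computing the 6- or 8-digit HOTP the key types in the step above, and a server-side verifier that tolerates the key being a few presses ahead. That tolerance matters in practice: every touch of the slot advances the key’s counter whether or not a server ever saw the resulting code, so a verifier that insists on the exact next counter locks the user out after one stray press. The look-ahead window size and the in-memory verifier are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// decodeSecret parses the secret as typed into the Authenticator: Base32 (letters and digits
// 2 to 7), case-insensitive, with spaces and any trailing '=' padding ignored.
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.TrimRight(strings.ReplaceAll(s, " ", ""), "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
// to a 31-bit value, then the last 6 or 8 decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side. It remembers the next counter it expects and accepts a code for
// any of the following window counters, because the key's counter advances on every press.
type Verifier struct {
	secret []byte
	digits int
	next   uint64
	window uint64
}

func NewVerifier(base32Secret string, digits int, window uint64) (*Verifier, error) {
	secret, err := decodeSecret(base32Secret)
	if err != nil {
		return nil, err
	}
	if digits != 6 && digits != 8 {
		return nil, errors.New("OTP length must be 6 or 8 digits")
	}
	return &Verifier{secret, digits, 0, window}, nil
}

// Verify accepts a code matching counters next..next+window and then moves past the matched
// counter, so neither that code nor any earlier one can be used again.
func (v *Verifier) Verify(code string) error {
	for i := uint64(0); i <= v.window; i++ {
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, v.next+i, v.digits)), []byte(code)) == 1 {
			v.next += i + 1
			return nil
		}
	}
	return errors.New("code not valid within the look-ahead window")
}
```

A code that falls outside the window (the key was pressed many times away from a login) needs an explicit resynchronization step, typically two consecutive codes, rather than a larger window: with a 6-digit code, every counter added to the window is another chance for a guess to land.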

Managing slots

There are only two options for managing Yubico OTP application slots: the slot configurations can be swapped or deleted.

Swapping slots means moving the configuration in the short press slot to the long press slot and vice versa. This could be useful when the credential you use most often is in the long press slot; by moving that credential to the short press slot, activation only requires tapping the key briefly instead of touching and holding for a few seconds.

Deleting a slot’s configuration is an irreversible operation, so exercise caution. We recommend registering at least one spare key with your accounts in order to maintain account access prior to deleting a configuration.

Swap slots

To swap the slot configurations, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Select Swap slots under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

    _images/swap-slots.jpg
  3. Click Swap to confirm the operation. The configuration that was previously in the short touch slot is now in the long touch slot and vice versa.

Delete a slot’s configuration

To delete a slot’s configuration, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Slots.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

  2. Click on the slot whose configuration you would like to delete and select Delete credential under Setup.

    To find the Setup menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. Click Delete to confirm the operation.