Boost Your Mac’s Security: How to Get Started with YubiKeys

by | Nov 15, 2024 | Technical

A great way to improve your Mac’s security is moving to YubiKey-based authentication. How does it help? Once a key is paired, signing in requires the physical USB token: you insert the YubiKey and enter its PIN to unlock the computer, so a stolen or guessed account password on its own is no longer enough. The flip side is that if you lose the key, you cannot get into your computer. We strongly recommend that you keep at least 2 YubiKeys enrolled at all times so you do not end up locked out. Note that the pairing steps below add the key as a login method; they do not by themselves turn off password login, which on macOS requires enabling smart card enforcement separately.

We strongly recommend trying this on a test machine before going live with it, to make sure you have the process down; this post is for reference purposes only.

If you are wondering why you would want to do this or how it could help your business, check out our blog post How To Get The Most Out Of Yubikeys For Business.

How To Enroll Yubikey(s)

  1. Download and install YubiKey Manager
  2. In YubiKey Manager, click Applications > PIV
  3. Click Setup for macOS. If you chose Protect with PIN when setting the Management Key, enter your PIN in the prompt. If you set a custom Management Key and did not protect it with a PIN, enter the Management Key in the prompt.
  4. Click OK.
  5. Remove your YubiKey and plug it back into the USB port
  6. In the SmartCard Pairing macOS prompt, click Pair. Note: if this prompt doesn’t appear, the pairing dialog may have been dismissed or disabled on this Mac earlier; run sc_auth pairing_ui -s enable in a terminal, then remove and re-insert the key.
  7. When you get a password prompt, enter the password for the user account listed in the User Name field and click Pair
  8. Next, you will get a SmartCard Pairing prompt. Enter the PIN for your YubiKey (the PIV PIN you set in YubiKey Manager; the factory default PIV PIN is 123456 and should be changed before you rely on the key) and click OK
  9. Lastly, in the “login” keychain prompt, enter your keychain password (typically the password for the logged-in user account) and click OK

How To Verify Key Enrollment

  1. Open a terminal application of your choosing (Terminal, iTerm, etc.)
  2. Run: sc_auth list [username]
    • ex: sc_auth list john

Each hash that is displayed is from an enrolled key. If you enrolled a backup key, you should see one hash per key; if fewer appear than you expect, repeat the pairing steps above with the missing key inserted.

How To Unenroll Yubikey(s)

  1. Open a terminal application of your choosing (Terminal, iTerm, etc.)
  2. Run: sc_auth list [username]
    • ex: sc_auth list john
  3. Highlight and copy (Command+C) the hash of the key you want to remove.
    • If multiple YubiKey smart cards are paired with your account and you aren’t sure which hash is which, you can check the hash of a particular YubiKey by running sc_auth identities with only the key in question plugged in, then match it against the sc_auth list output.
  4. Run: sc_auth unpair -h [hash]
    • ex: sc_auth unpair -h
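The verification and unenrollment sections above both come down to the same two checks: how many hashes sc_auth list shows for the account (the post recommends at least two), and which of those hashes belongs to the key currently inserted (from sc_auth identities). The script below, added here and not part of the original post or of Apple’s or Yubico’s tooling, does both. It assumes each hash is a 40-hex-digit token somewhere on its line; the sample outputs embedded in it are constructed, not captured from a real Mac, and are only used when sc_auth is not available on the machine running the script.

```shell
#!/bin/sh
# Added example for this post, not Yubico's or Apple's tooling. It parses the
# hashes printed by `sc_auth list` (keys paired to the account) and
# `sc_auth identities` (the key currently inserted) and checks the backup-key
# rule from the post. Assumption: each hash is a 40-hex-digit token; the
# sample outputs below are constructed, not captured from a real Mac.

MIN_KEYS=2   # the post recommends keeping at least two keys enrolled

# Pull every 40-hex-digit token out of stdin, lower-cased and de-duplicated.
extract_hashes() {
    grep -oE '[0-9A-Fa-f]{40}' | tr 'A-F' 'a-f' | sort -u
}

# Number of distinct hashes in the sc_auth-style text passed as $1.
count_hashes() {
    printf '%s\n' "$1" | extract_hashes | wc -l | tr -d ' '
}

# Succeeds (exit 0) only if $1 lists at least MIN_KEYS paired hashes.
check_min_keys() {
    [ "$(count_hashes "$1")" -ge "$MIN_KEYS" ]
}

# $1 = `sc_auth list` output, $2 = `sc_auth identities` output.
# Prints the hash of the inserted key if it is paired; prints nothing otherwise.
# This is the lookup the post describes for telling multiple keys apart.
inserted_paired_hash() {
    paired=$(printf '%s\n' "$1" | extract_hashes)
    printf '%s\n' "$2" | extract_hashes | while read -r h; do
        case "$paired" in *"$h"*) printf '%s\n' "$h" ;; esac
    done
}

# Constructed sample output (hash values are made up, not real keys).
SAMPLE_LIST='3f9a0c1e7b2d4a6f8c0e1b3d5f7a9c2e4b6d8f01
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678'
SAMPLE_IDENTITIES='A1B2C3D4E5F60718293A4B5C6D7E8F9012345678 Certificate for PIV Authentication (sample)'

main() {
    if command -v sc_auth >/dev/null 2>&1; then
        list_out=$(sc_auth list 2>/dev/null)          # current user's paired keys
        ident_out=$(sc_auth identities 2>/dev/null)   # inserted key, if any
    else
        list_out=$SAMPLE_LIST          # not on a Mac: use the constructed sample
        ident_out=$SAMPLE_IDENTITIES
    fi
    echo "paired keys: $(count_hashes "$list_out")"
    check_min_keys "$list_out" || echo "WARNING: fewer than $MIN_KEYS keys paired; enroll a backup"
    h=$(inserted_paired_hash "$list_out" "$ident_out")
    if [ -n "$h" ]; then
        echo "inserted key is paired as $h (use this hash with sc_auth unpair -h)"
    else
        echo "inserted key is not paired, or no key is inserted"
    fi
}

main "$@"
```

On a Mac, run it once with each enrolled key inserted: the first line should report at least 2 paired keys, and the last line should name the inserted key’s hash, which is exactly the value to pass to sc_auth unpair -h when retiring that key.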

How To Test Yubikey Login

To test the configuration, lock your Mac (Ctrl+Command+Q) and make sure the password field reads PIN when your YubiKey is inserted. Try unlocking your session with your YubiKey by entering its PIN. If the field still reads Password, the key is not paired with this account; check it with sc_auth list. Repeat the test with every enrolled backup key, since a backup you have never tested is not a backup you can count on when the primary key is lost.

Get More Insight About Mac Security

We’ve been doing this work for a long time. We will help you procure the YubiKeys and get them live in your environment so you don’t have to worry about it. Call Garden State Computing at 973-636-7350 to speak to an IT expert who will give you the information and advice you need.

About the Author

Douglas Haber

Douglas Haber was born and raised in Fair Lawn, a charming small town in the suburbs of NYC. He graduated from the New Jersey Institute of Technology in 2015 with a bachelors in Information Technology and the University of New Haven in 2018 with a masters in Emergency Management. He also holds certifications in Infrastructure Protection and Infrastructure Disaster Management from Texas A&M's TEEX system.

Inspired by his father, a first responder, Douglas followed the same path starting in 2010. He serves on the rescue squad in Fair Lawn and the ambulance corps in Hawthorne, where the office is located. Douglas is also a deacon in his church, embodying his commitment to serving others. In his downtime, he enjoys long drives, trying new restaurants and breweries, boating, fishing, watching sports (Go Rangers, Giants, and Mets!), and riding his bicycle.