A great way to improve your Mac’s security is transitioning to YubiKey-only authentication. How does this make it more secure? With it in place, nobody can sign in without the physical USB token: you have to insert the YubiKey and then enter its PIN to unlock the computer. Of course, if you lose the key, you cannot get into your computer either. We strongly recommend that you maintain at least 2 enrolled YubiKeys at all times so you do not end up locked out.
We strongly recommend trying this on a test machine before going live, so that you have the process down; this post is merely for reference purposes.
If you are wondering why you would want to do this or how it could help your business, check out our blog post How To Get The Most Out Of Yubikeys For Business.
How To Enroll YubiKey(s)
- Download Yubikey Manager
- In YubiKey Manager, click Applications > PIV
- Click Setup for macOS. If you chose Protect with PIN when setting the Management Key, enter your PIN in the prompt. If you set a custom Management Key and did not protect it with a PIN, enter the Management Key in the prompt.
- Click OK.
- Remove your YubiKey and plug it back into the USB port.
- In the SmartCard Pairing macOS prompt, click Pair. Note: If this prompt doesn’t appear, see the Troubleshooting and Additional Topics section below.
- When you get a password prompt, enter the password for the user account listed in the User Name field and click Pair
- Next, you will get a SmartCard Pairing prompt. Enter the PIN for your YubiKey (refer to the Setting a new PIN section above) and click OK
- Lastly, in the “login” keychain prompt, enter your keychain password (typically the password for the logged in user account) and click OK
How To Verify Key Enrollment
- Open a terminal application of your choosing (Terminal, iTerm, etc)
- Run: sc_auth list [username]
- ex: sc_auth list john
Each hash that is displayed is from an enrolled key.
How To Unenroll YubiKey(s)
- Open a terminal application of your choosing (Terminal, iTerm, etc)
- Run: sc_auth list [username]
- ex: sc_auth list john
- Highlight and copy (Command+C) the hash listed for your user.
- If multiple YubiKey smart cards are paired with your account and you aren’t sure which hash is which, you can check the hash of a particular YubiKey by running sc_auth identities with the key in question plugged in.
- Run: sc_auth unpair -h [hash]
- ex: sc_auth unpair -h
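The verification and unenrollment steps above both come down to reading hashes out of sc_auth output. The following script is an added example (not from the original post or from Yubico) that does that for you: it counts the identities paired to a user, warns when fewer than the recommended two keys are enrolled, and tells you whether the YubiKey currently inserted is one of them by matching `sc_auth identities` against `sc_auth list`. It assumes each identity hash appears as a 40-hex-character token in that output (the same form `sc_auth unpair -h` takes); the sample output and hashes embedded in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Parses sc_auth output to check
# a user's paired YubiKeys. Assumption: sc_auth list / sc_auth identities print
# each identity hash as a 40-hex-character token (the form sc_auth unpair -h takes).
MIN_KEYS=2   # the post's recommendation: keep at least two keys enrolled

# Pull every 40-hex-char token out of stdin, one per line, uppercased and de-duplicated.
extract_hashes() {
    grep -oE '[0-9A-Fa-f]{40}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Number of distinct paired identities in the given "sc_auth list" output.
count_paired() {
    printf '%s\n' "$1" | extract_hashes | wc -l | tr -d ' '
}

# Returns 0 if any hash in the "sc_auth identities" output ($2) is paired
# in the "sc_auth list" output ($1), i.e. the inserted key belongs to this user.
inserted_key_is_paired() {
    paired=$(printf '%s\n' "$1" | extract_hashes)
    for h in $(printf '%s\n' "$2" | extract_hashes); do
        case "$paired" in *"$h"*) return 0 ;; esac
    done
    return 1
}

# Constructed sample output (placeholder hashes, not real keys) so the parsers run offline.
SAMPLE_LIST='Hash: 0123456789ABCDEF0123456789ABCDEF01234567
Hash: FEDCBA9876543210FEDCBA9876543210FEDCBA98'
SAMPLE_IDENT_PAIRED='Paired identities: 0123456789abcdef0123456789abcdef01234567'
SAMPLE_IDENT_UNPAIRED='Unpaired identities: DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'

# Report on a real user (defaults to the current one); only meaningful on macOS.
report() {
    user="${1:-$(id -un)}"
    list_out=$(sc_auth list "$user" 2>/dev/null || true)
    ident_out=$(sc_auth identities 2>/dev/null || true)
    n=$(count_paired "$list_out")
    echo "$user: $n paired smart-card identities"
    [ "$n" -ge "$MIN_KEYS" ] || echo "WARNING: fewer than $MIN_KEYS keys paired; enroll a backup YubiKey"
    if inserted_key_is_paired "$list_out" "$ident_out"; then
        echo "inserted YubiKey is paired to $user"
    else
        echo "no paired YubiKey currently inserted"
    fi
}

# Run the report only where sc_auth exists (macOS); elsewhere the functions are just defined.
if command -v sc_auth >/dev/null 2>&1; then report "$@"; fi
```

Run it as `sh check_yubikeys.sh john` (file name is your choice) with the key you want to identify inserted; the hash it matches is the one to pass to `sc_auth unpair -h`.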
How To Test YubiKey Login
To test the configuration, lock your Mac (Ctrl+Command+Q), and make sure the password field reads PIN when your YubiKey is inserted. Try unlocking your session with your YubiKey by entering your PIN.
Get More Insight About Mac Security
We’ve been doing this work for a long time. We will help you procure the Yubikeys and get them live in your environment so you don’t have to worry about it. Call Garden State Computing at 973-636-7350 to speak to an IT expert who will give you the information and advice you need.