I’ve had a couple of YubiKey devices for U2F auth for a while now. They are much easier to use than digging out your two-factor authenticator app.

Recently, I purchased a YubiKey 4. The major feature addition to me is the support for OpenPGP to make it easier to use OpenPGP subkeys to sign data, encrypt data, and authenticate.

The feature list for YubiKey 4 is long, but after some use it feels like many separate, unrelated functions packed into one physical package.

How to Set Up and Use

So far the best OpenPGP guide with YubiKey 4 has been Suvash Thapaliya’s thorough step-by-step guide.

The OpenPGP functionality works well. Instead of a long passphrase to remember and type every time, you insert the YubiKey, enter the PIN to unlock it, and remove the key when done. The private key material stays on the device; the PIN only authorizes its use.

My main issue now is key management. I’m still experimenting with how to update my subkeys’ expiration times.

Random Notes

Lock-out

For functionality that requires a PIN, you can configure how many wrong attempts are allowed before that PIN is blocked (the applet's retry counter; the factory default is 3). Blocking happens per applet, not for the whole device. You actually have two PINs to remember. One is the normal PIN used for daily operations. The other unblocks the normal PIN after too many wrong entries: in the PIV applet it is called the PUK (PIN Unblocking Key), and in the OpenPGP applet the Admin PIN (or an optional Reset Code) plays that role. The unblocking PIN has its own retry counter and can itself be blocked.

If you want to reset an applet (OpenPGP or PIV), you first have to block both its normal PIN and its unblocking PIN (PUK or Admin PIN) by entering wrong values until the counters are exhausted; only then is the reset command accepted. The reset wipes the keys stored in that applet and restores its default PINs, and leaves the other applets alone.
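As an added example that is not part of the original post: the reset sequence described above, scripted for the OpenPGP applet using gpg-connect-agent (GnuPG 2.1 or later with scdaemon). The APDUs are the ones in Yubico's reset instructions; the wrapper around them is mine. It assumes the default retry counter of 3 (so four wrong entries per PIN is enough) and deliberately only prints the commands unless invoked with --run, because running them destroys every key in the OpenPGP applet.

```shell
#!/bin/sh
# Added example (not from the post or from Yubico): emits the gpg-connect-agent
# commands that block PW1 (user PIN) and PW3 (Admin PIN) on the OpenPGP applet
# and then reset it. Only the OpenPGP applet is touched; PIV, U2F and OTP
# configuration on the same YubiKey survive.

# VERIFY (INS 20) against password slot $1: 81 = PW1 (user PIN), 83 = PW3 (Admin PIN).
# The eight 0x40 bytes are a deliberately wrong 8-byte PIN value.
apdu_verify_wrong() {
    printf 'scd apdu 00 20 00 %s 08 40 40 40 40 40 40 40 40\n' "$1"
}

# Print the full command script on stdout, one gpg-connect-agent command per line.
reset_script() {
    printf 'scd serialno\n'
    # Default retry counter is 3; send four wrong PINs per slot to be safe.
    for slot in 81 83; do
        i=0
        while [ "$i" -lt 4 ]; do
            apdu_verify_wrong "$slot"
            i=$((i + 1))
        done
    done
    # TERMINATE DF (INS E6) is only accepted once both counters are exhausted;
    # ACTIVATE FILE (INS 44) then re-initializes the applet with factory defaults
    # (user PIN 123456, Admin PIN 12345678, no keys).
    printf 'scd apdu 00 e6 00 00\n'
    printf 'scd apdu 00 44 00 00\n'
    printf '/echo Card has been successfully reset.\n'
}

case "${1:-}" in
    --run) reset_script | gpg-connect-agent --hex ;;   # destructive: wipes OpenPGP keys
    *)     reset_script ;;                             # dry run: show what would be sent
esac
```

Run it without arguments first and read the output; `--run` pipes the same lines into `gpg-connect-agent --hex`, which is the hex-output mode the Yubico instructions enable with `/hex`. Newer Yubico tooling offers `ykman openpgp reset` as a one-command equivalent.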

Different PINs for Different Functions

You may find the official OpenPGP documentation from Yubico helpful, but what I really needed was their Reset OpenPGP applet instructions. I managed to lock my YubiKey because I did not understand that each functionality of the key has unique PINs.

For instance, with their PIV Tool you set a PIN that lets you log in to macOS with the YubiKey. That PIN belongs to the PIV applet; it is not the PIN the OpenPGP applet uses, even though both applets ship with the same factory defaults (123456 for the normal PIN and 12345678 for the Admin PIN or PUK). So remember those defaults when doing the initial setup of each function, and change them for each applet separately.

Their forum also has posts explaining how to reset the OpenPGP applet and other helpful advice.

Here’s my list of new things that I would like to see at WWDC 2016:

Software

  • Siri 3rd party integration
  • Remote view controllers
  • Split view with multiple views of the same app (e.g. 2 Safari instances) in iOS

Hardware

  • Separate Apple 4K/5K Display
  • Re-assign what the buttons on the Apple Watch do
  • HomeKit device similar to Amazon Echo / Google Home

Services

  • Street view for Maps
  • A way to download, or at least queue for download, apps from the web. If someone runs across a news article about an app, they can click a link to download the app to their device. Google’s Play Store has had this feature for years. This would help Apple TV in particular.
  • Upgrade pricing for major product updates for apps

If you have a continuous integration server, you might want to build your app with unique version numbers tied to the build.

agvtool (Apple’s generic versioning tool for Xcode projects) is an easy way to update the marketing version and the build version stored in your app’s Info.plist; the project must use the Apple Generic versioning system for it to work.

In your CI system you can run something like the following to set a build version that keeps the marketing version and appends .jenkins.$BUILD_NUMBER, where $BUILD_NUMBER is provided by Jenkins. One caveat: Apple documents CFBundleVersion as a period-separated list of at most three non-negative integers, so a non-numeric segment such as jenkins is fine for internal CI builds but can trip App Store validation on upload.

MARKETING_VERSION=$(agvtool what-marketing-version -terse1); agvtool new-version -all $MARKETING_VERSION.jenkins.$BUILD_NUMBER
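An added example, not from the original post, that wraps the one-liner above with the checks a CI job should do first: it validates that the marketing version and build number are numeric before composing the build version, and only calls agvtool when it is actually installed. It assumes the project uses Apple Generic versioning and that the CI system exports BUILD_NUMBER, as Jenkins does; the optional label argument reproduces the post’s .jenkins. scheme.

```shell
#!/bin/sh
# Added example (not the post's own script): validate inputs, compose the CI
# build version, and apply it with agvtool when Xcode tooling is present.

# Accept only period-separated non-negative integers, the form Apple documents
# for CFBundleShortVersionString and CFBundleVersion. Returns 0 if valid.
is_dotted_int() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)*$'
}

# ci_build_version MARKETING BUILD [LABEL]
# Prints "<marketing>.<build>", or "<marketing>.<label>.<build>" when a label
# such as "jenkins" is given; fails if either numeric part is malformed.
ci_build_version() {
    marketing=$1
    build=$2
    label=${3:-}
    is_dotted_int "$marketing" || { echo "bad marketing version: $marketing" >&2; return 1; }
    is_dotted_int "$build" || { echo "bad build number: $build" >&2; return 1; }
    if [ -n "$label" ]; then
        printf '%s.%s.%s\n' "$marketing" "$label" "$build"
    else
        printf '%s.%s\n' "$marketing" "$build"
    fi
}

# Reads the marketing version from the Xcode project and stamps the build
# version with agvtool. Skips quietly on machines without Xcode tooling.
apply_ci_version() {
    command -v agvtool >/dev/null 2>&1 || { echo "agvtool not found; skipping" >&2; return 0; }
    [ -n "${BUILD_NUMBER:-}" ] || { echo "BUILD_NUMBER not set" >&2; return 1; }
    marketing=$(agvtool what-marketing-version -terse1)
    version=$(ci_build_version "$marketing" "$BUILD_NUMBER" jenkins) || return 1
    # -all updates CURRENT_PROJECT_VERSION in the project file and
    # CFBundleVersion in every Info.plist the project references.
    agvtool new-version -all "$version"
}

case "${1:-}" in
    --apply) apply_ci_version ;;
    # Dry run: show the version that would be stamped, using placeholder values
    # when the CI variables are absent.
    *)       ci_build_version "${MARKETING_VERSION:-1.2.0}" "${BUILD_NUMBER:-0}" jenkins ;;
esac
```

Drop the label argument in apply_ci_version if the build must pass App Store validation, which expects CFBundleVersion to be purely numeric.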