I’ve had a couple of YubiKey devices for U2F auth for a while now. They are much
easier to use than digging out your two-factor authenticator app.
Recently, I purchased a YubiKey 4.
The major feature addition to me is the support for OpenPGP
to make it easier to use OpenPGP subkeys to sign data, encrypt data, and
The feature list for YubiKey 4 is long, but after some usage, it is like there
are many separate and different functions all in one physical package.
How to Set Up and Use
So far the best OpenPGP guide with YubiKey 4 has been
Suvash Thapaliya’s thorough step-by-step guide.
The OpenPGP functionality works well. Instead of a long password to
remember and enter every time, you can insert the YubiKey, enter the PIN
to unlock, and then remove the key when done.
My main issue now is key management. I’m still experimenting with how to
update my subkeys’ expiration times.
For functionality that requires a PIN, you can control how many wrong PINs it
takes before the device is blocked. You actually have 2 PINs to remember. One is
the normal PIN for daily use. The other is the PUK (PIN
Unlocking Key), which unlocks the PIN if the wrong PIN was entered
too many times.
If you want to reset your device, you may need to force your PIN and PUK to
both be blocked, and then you can perform a device reset.
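To see how close a key is to the blocked states described above, the retry counters can be read from the text printed by `gpg --card-status`. The following is an added example, not part of the original post: the function names and state labels are hypothetical, the sample output is constructed, and it assumes GnuPG's counter order of user PIN, Reset Code, Admin PIN, with the Admin PIN counter standing in for the second, unlocking PIN.

```shell
#!/bin/sh
# Added example: classify the OpenPGP applet's PIN state from the text
# that `gpg --card-status` prints. Reads that text on stdin.
# Assumption: the "PIN retry counter" line lists remaining attempts for
# user PIN, Reset Code, Admin PIN, in that order.
# Real use: gpg --card-status | pin_state

pin_state() {
    awk -F: '
        /^PIN retry counter/ {
            found = 1
            n = split($2, c, " ")
            if (n != 3) { print "unparseable"; exit }
            user = c[1] + 0
            admin = c[3] + 0
            # Both counters at zero is the precondition for an applet reset.
            if (user == 0 && admin == 0)      state = "reset-required"
            else if (admin == 0)              state = "admin-blocked"
            # User PIN blocked, but the second PIN can still unblock it.
            else if (user == 0)               state = "pin-blocked"
            else if (user == 1 || admin == 1) state = "last-attempt"
            else                              state = "ok"
            print state
            exit
        }
        END { if (!found) print "no-card" }
    '
}

# Constructed sample of card-status output, trimmed to nearby fields.
# $1 is the counter triple to embed, e.g. "3 0 3".
sample_status() {
    cat <<EOF
Application type .: OpenPGP
Signature PIN ....: not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : $1
Signature counter : 0
EOF
}
```

Running the check before entering a PIN you are unsure of shows whether a wrong guess would block that function.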
Different PINs for Different Functions
You may find the official OpenPGP documentation from Yubico
helpful, but what I really needed was their Reset OpenPGP applet
instructions. I managed to lock my YubiKey because I did not understand that
each functionality of the key has unique PINs.
For instance, using their PIV Tool,
you need to set a PIN to be able to log in to macOS using the YubiKey. However,
it is not the same PIN that the OpenPGP applet uses. So be careful to remember
the default PINs (123456 for normal entry and 12345678 for admin) when doing
the initial setup for each functionality, and to change them.
Their forum also has posts explaining
how to reset the OpenPGP applet and other helpful advice.