I’ve had a couple of YubiKey devices for U2F auth for a while now. They are much easier to use than digging out your two-factor authenticator app.

Recently, I purchased a YubiKey 4. The major feature addition to me is the support for OpenPGP to make it easier to use OpenPGP subkeys to sign data, encrypt data, and authenticate.

The feature list for the YubiKey 4 is long, but after some usage, it feels like many separate and different functions all in one physical package.

How to Set Up and Use

So far the best OpenPGP guide with YubiKey 4 has been Suvash Thapaliya’s thorough step-by-step guide.

The OpenPGP functionality works well. Instead of a long password to remember and enter every time, you can insert the YubiKey, enter the PIN to unlock it, and then remove the key when done.

My main issue now is key management. I’m still experimenting with how to update my subkeys' expiration times.

Random Notes

Lock-out

For functionality that requires a PIN, you can control how many wrong PINs it takes before blocking the device. You actually have 2 PINs to remember. One is the normal PIN used for daily use. The other is the PUK (Personal Unlocking Key) which unlocks the PIN if the wrong PIN was entered too many times.

If you want to reset your device, you may need to force your PIN and PUK to both be blocked, and then you can perform a device reset.

Different PINs for Different Functions

You may find the official OpenPGP documentation from Yubico helpful, but what I really needed was their Reset OpenPGP applet instructions. I managed to lock my YubiKey because I did not understand that each function of the key has its own PINs.

For instance, using their PIV Tool, you need to set a PIN to be able to log in to macOS using the YubiKey. However, it is not the same PIN that the OpenPGP applet uses. So when doing the initial setup for each function, be careful to remember the default PINs (123456 for normal entry and 12345678 for admin), and change them.

Their forum also has posts explaining how to reset the OpenPGP applet and other helpful advice.
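To see how close the OpenPGP applet is to the lock-out described above, you can read its retry counters before typing a PIN. The following is an added example, not part of the original post or Yubico's tooling: the function name `pin_retry_status`, the state labels, and the sample text are made up for illustration, and it assumes the English `PIN retry counter` line that `gpg --card-status` prints.

```shell
#!/bin/sh
# Added example: summarise the OpenPGP applet's PIN retry counters from
# `gpg --card-status` text read on stdin. These counters belong to the
# OpenPGP applet only; the PIV PIN and PUK are tracked separately.
# Real use (assumes English output): LC_ALL=C gpg --card-status | pin_retry_status

# Constructed sample of the relevant part of `gpg --card-status` output.
SAMPLE='Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Version ..........: 2.1
PIN retry counter : 3 0 3
Signature counter : 0'

pin_retry_status() {
    # The three numbers are, in order: user PIN, reset code, admin PIN.
    line=$(grep '^PIN retry counter' | head -n 1)
    # Word splitting is intended: it turns " 3 0 3" into $1 $2 $3.
    set -- ${line#*:}
    [ $# -eq 3 ] || { echo "state=unknown"; return 2; }
    case "$1$2$3" in
        *[!0-9]*) echo "state=unknown"; return 2 ;;
    esac
    user=$1; reset=$2; admin=$3

    # The reset-code counter is reported but not judged: 0 is normal
    # when no reset code has been set on the card.
    if [ "$admin" -eq 0 ]; then
        state=admin-blocked      # admin PIN blocked
    elif [ "$user" -eq 0 ]; then
        state=user-blocked       # user PIN blocked, admin PIN still usable
    elif [ "$user" -eq 1 ] || [ "$admin" -eq 1 ]; then
        state=last-try           # one more wrong entry blocks a PIN
    else
        state=ok
    fi
    echo "user=$user reset=$reset admin=$admin state=$state"
    [ "$state" = ok ]            # exit status 0 only when nothing is at risk
}

# Demo on the constructed sample; prints "user=3 reset=0 admin=3 state=ok".
printf '%s\n' "$SAMPLE" | pin_retry_status || true
```

The non-zero exit status for anything other than `ok` lets a wrapper script stop before prompting for a PIN that is one wrong entry away from being blocked.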