The Wonderful World of Yubikey: TOTP

As mentioned in the previous entry, the U2F/FIDO2 capability of Yubikey is only as awesome as it is available. Your Yubikey can also handle a less convenient but more available 2FA method known at TOTP (Time-based One Time Password).

What is it and how does it work?

This is the 2FA method where you download a separate app on your phone or desktop and scan QR codes. The app then generates a shifting series of 6 digit codes that act as your second factor of authentication.

The QR code you scan is actually just a representation of a "seed". This seed is fed in to an open source algorithm that uses that seed to "kickstart" the code generation process. Because the server also knows what seed you started with, it knows what code to expect at any given time.

TOTP has seen greater adoption than Yubikey because almost everyone has a mobile phone. So to ask a user to "download an app on your phone and scan this QR code" is a much easier sell than "go purchase this separate piece of hardware".

Sounds great! What's the downside?

Compared to Yubikey's default functionality, TOTP codes require a few more steps to take advantage of. You have to rely on a separate piece of software to generate this second factor of authentication.

Similar to the backup discussion from the previous article, TOTP also requires some kind of backup strategy. Maybe you scan the same code on multiple devices and/or you save the initial seed in an encrypted container. You could print the QR codes out and store in a safe place. Maybe you rely on a cloud based TOTP solution.

How does Yubikey fit in to all this?

Yubikey can provide a safe and portable (not cloud based) TOTP solution. In the description above, an app on your phone contains the secret seed value that kick starts the whole process and is constantly keeping track of what the codes are supposed to be. Yubico Authenticator flips this model.

You're able to store your seed values on your Yubikey instead of in an app. You can then plug in to any device that has the Yubico Authenticator app to access those seeds to get your TOTP code. Your Yubikey is password protected and your secret seeds are never exposed to the machine you are using plus you get the benefit of portability while not relying on a cloud service.

Cool. So what's the catch?

As previously mentioned, you need to have a backup solution in place. In the previous article the solution was to register multiple Yubikeys to the same account. To achieve similar redundancy with TOTP you will have to add your secret seed to multiple keys. This can be time consuming but ultimately worth the piece of mind it brings.

I also recommend backing up all of your seed values in an encrypted container. If for some reason you lose access to all your TOTP (either Yubikey or some other app) you would be able to rebuild using these seeds.

Also, at the time of this post, the Yubikey 5 series is limited to 32 TOTP seeds per key. This could be a hindrance depending on how many accounts you've secured with TOTP.

Pro Tip: If you are already using your Yubikey as U2F/FIDO2 on a site/platform then don't save that TOTP secret to your Yubikey. Instead set it up as a 2FA option and save the seed somewhere secure. This way you've created a backup plan but aren't using up the limited space your Yubikey provides.

Cool talk. So what else can my Yubikey do?

In short. All of the things. Stay tuned for an exploration of Yubikey's integration with GPG keys, SSH authentication and Smart Card Capabilites.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.