Using a Yubikey As Multi-Factor Authentication for MacOS

Cyb3rt
5 min read · Feb 2, 2023

As of July 31st 2023 this guide is deprecated! There are issues with MacOS where the Yubikey isn’t recognised, or where MacOS keeps asking for the Yubikey even after the profile has been removed. In the worst case this requires a complete reinstall of MacOS.

February 2nd is World 2FA Day, so I thought it would be fun to write a short guide on adding a Yubikey Security Key as a second factor (2FA) for signing in to your MacBook. This guide is intended for unmanaged devices; devices managed by a company in Active Directory require a different configuration. For those unfamiliar with the Yubikey, here’s an excerpt from their website:

The YubiKey is hardware authentication reimagined. Secure the identities of your employees and users, reduce support costs, and experience an unmatched user experience.

First things first, why would you want Multi-Factor Authentication (MFA)? Well, everyone has sensitive data to protect, and relying on a password alone is nowadays considered pretty weak: passwords can be guessed, cracked or leaked in a data breach, for example. Therefore, as the amazing people at NIST explain:

It is necessary to add more layers of authentication beyond a password to ensure that accounts remain secured. These additional layers lead to the term of ‘multi-factor authentication’ or MFA and can include three elements:

- things you know — such as a password or other personally-known information such as the answers to security questions

- things you have — such as an id badge with an embedded chip, or a digital code generator

- things you are — such as physical traits like your fingerprints or voice

MFA utilizes factors from multiple of these elements to prove users’ identities. For example, in addition to entering a password, a user may be required to provide a code that was sent to their phone or email account.

So besides using your fingerprint or password to sign in to MacOS, each of which is just one layer, we also want an additional layer of protection, which in this case is something you have: a Yubikey.


For this to work properly, you’re going to need two Yubikeys: one for daily use and one as a back-up in case you lose or damage your main Yubikey. While you’re at it, make sure you have FileVault enabled. There’s no use in adding a Yubikey if your hard drive is unencrypted.

Most of this guide is based on the Yubikey guide for MacOS and is pretty easy to follow. However, if you want to enforce signing in to your MacBook with a Yubikey, you will need a custom profile and will have to change some settings. The official guide also lists which Yubikeys work as a smart card, the feature needed to act as 2FA. Ready to make your MacBook more secure? Let’s go!

Now, before I continue, there’s one major drawback for Apple Silicon users according to the official Yubico guide:

Each time the computer is shut down, macOS uses the last used smart card to lock the disk with FileVault. In this scenario, only the last smart card used to login will work to unlock the disk upon next startup, effectively making any smart cards set up as backups incapable of unlocking the disk.

You have to decide for yourself if you want to take this risk. For myself, I make a daily Time Machine backup and almost all my data is synced to a local NAS, so I can be up and running again pretty quickly. Please consider appropriate recovery options for the slim chance that you’re unable to unlock your Mac.

Ok, now that we’ve got that out of the way, you’re going to download the Yubikey Manager for MacOS. From here, we’re going to follow the instructions on the Yubico site:

Connect your Yubikey to your MacBook, open the Yubikey Manager and follow these steps:

  • Set up a new PIN;
  • Set up a new PUK;
  • Set up a new Management Key.
(Screenshot: Yubikey Manager)

Make sure you store those somewhere safe, like in a password manager!

Next, click on “Setup for MacOS”, as in the screenshot above. You will get a notification to pair your key:

(Screenshot: SmartCard Pairing)

In the next window, enter the PIN and Management Key you just created and follow the instructions. When you’re done, lock the screen and check whether you can use your PIN to log in. If that is successful, repeat the steps above for the back-up key.

If everything is working OK, we’re now going to enforce signing in with our Yubikey as a smart card. For this, we need to import a profile with the correct setting onto our MacBook. Open your favourite text editor, like Sublime, and paste the following (this example comes from the Apple Support site):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures smart card-only</string>
            <key>PayloadDisplayName</key>
            <string>Smart card-only</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.configprofile.78.</string>
            <key>PayloadOrganization</key>
            <string>Apple</string>
            <key>PayloadType</key>
            <string>com.apple.security.smartcard</string>
            <key>PayloadUUID</key>
            <string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserPairing</key>
            <false/>
            <key>allowSmartCard</key>
            <true/>
            <key>checkCertificateTrust</key>
            <false/>
            <key>enforceSmartCard</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Smartcard profile.</string>
    <key>PayloadDisplayName</key>
    <string>Smart card-only</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.configprofile.77</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>system</string>
    <key>PayloadUUID</key>
    <string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Save the file under a suitable name with the .mobileconfig extension, for example smartcard_only.mobileconfig. Next, go to System Settings → Privacy & Security → Profiles. Press the plus sign and import the profile.
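Before importing a profile like this, it is worth checking that it really carries the enforcement setting in the right place: the smart-card payload must be present, enforceSmartCard and allowSmartCard must be true, and the profile should be system-scoped like the one above. The following checker is an added example, not from the original post or from Apple or Yubico; it uses only Python’s standard-library plistlib and a constructed, trimmed copy of the profile shown above as its sample input.

```python
import plistlib

SMARTCARD_PAYLOAD_TYPE = "com.apple.security.smartcard"
# Values the smart-card payload must have for login to be enforced.
REQUIRED = {"allowSmartCard": True, "enforceSmartCard": True}

# Constructed sample: a trimmed copy of the profile from this guide.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.smartcard</string>
      <key>PayloadUUID</key><string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
      <key>UserPairing</key><false/>
      <key>allowSmartCard</key><true/>
      <key>checkCertificateTrust</key><false/>
      <key>enforceSmartCard</key><true/>
    </dict>
  </array>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadScope</key><string>system</string>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>
"""


def check_profile(data):
    """Parse a .mobileconfig and return {"problems": [...], "notes": [...]}.

    An empty "problems" list means the profile enforces smart-card login
    the way this guide intends; "notes" lists settings worth knowing about.
    """
    problems, notes = [], []
    profile = plistlib.loads(data)
    if profile.get("PayloadScope") != "system":
        problems.append("PayloadScope is not 'system' (the guide's profile is system-scoped)")
    if profile.get("PayloadRemovalDisallowed") is not True:
        notes.append("PayloadRemovalDisallowed is false: the profile can be removed from System Settings")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SMARTCARD_PAYLOAD_TYPE]
    if not payloads:
        problems.append("no %s payload found" % SMARTCARD_PAYLOAD_TYPE)
        return {"problems": problems, "notes": notes}
    for p in payloads:
        for key, want in REQUIRED.items():
            if p.get(key) is not want:   # plistlib yields real bools, so identity is fine
                problems.append("%s is %r, expected %r" % (key, p.get(key), want))
        if p.get("checkCertificateTrust") is not True:
            notes.append("checkCertificateTrust is false: the card certificate's trust chain is not validated")
    return {"problems": problems, "notes": notes}
```

Run it on your saved file with `check_profile(open("smartcard_only.mobileconfig", "rb").read())`; only import the profile when "problems" comes back empty.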

You can also go to the file location and simply double-click the profile. Finally, sign out, remove your Yubikey and check whether you’re able to log in without it. That should not work. Now reconnect your Yubikey and try again. Does it work? Great! You know what would be nice, though? If your screen locked and immediately required a PIN the moment you remove the Yubikey. Let’s make it happen.

Go back to the Security & Privacy Settings and click Advanced. Toggle Turn on screen saver when login token is removed.

Next, go to Lock Screen in System Settings and change Require password after screen saver begins or display is turned off to Immediately.

You may need to sign out or reboot for this setting to take effect. And that’s it! I know using 2FA might seem like a minor inconvenience, but it will help protect your MacBook should someone gain unauthorised access to it.
