@ravron
Last active May 5, 2025 15:25
Options to prevent accidental Yubikey OTP triggering

Tired of spamming Yubikey OTP codes into Slack? Here are two options to help prevent that. You can do either or both. Both require ykman, the Yubikey CLI configuration manager. Get it with Homebrew:

brew install ykman

Disable sending <Enter>

By default, Yubikeys send the <Enter> character after sending the modhex code. You may disable this behavior. First, confirm which slot you have programmed:

$ ykman otp info
YubiKey 4
Slot 1: programmed
Slot 2: empty

In this case, slot 1 is programmed. Configure the programmed slot not to send enter:

$ ykman otp settings --no-enter 1

Add an OTP triggering delay

Yubikeys have two OTP slots. The device uses the duration of the touch to determine which slot to use to emit a code: slot 1 requires about a half-second touch, and slot 2 requires about a two-second touch. By default, OTP is written to slot 1, meaning it's easy to trigger accidentally. You may swap the configurations in the slots, which usually means moving the configuration programmed in slot 1 to slot 2, leaving slot 1 empty:

$ ykman otp swap

This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.
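The following dry-run planner is an added example, not part of the original gist or of ykman: it reads `ykman otp info` output and prints which of the two commands above apply, without touching the device. The function names `programmed_slots` and `plan_otp_hardening` are hypothetical, and the sample input is constructed from the output shown earlier on this page.

```shell
#!/bin/sh
# Added example: dry-run planner. It parses `ykman otp info` text and prints
# the commands from this page that apply; it never changes the device.

# Print the numbers of the slots reported as "programmed", one per line.
programmed_slots() {
    sed -n 's/^Slot \([12]\): programmed[[:space:]]*$/\1/p'
}

# Print the hardening commands that apply to the given `ykman otp info` text.
plan_otp_hardening() {
    slots=$(printf '%s\n' "$1" | programmed_slots)
    if [ -z "$slots" ]; then
        echo "# no programmed OTP slot found; nothing to do"
        return 0
    fi
    # Option 1: stop each programmed slot from sending <Enter>.
    for s in $slots; do
        echo "ykman otp settings --no-enter $s"
    done
    # Option 2: a swap only helps when it leaves slot 1 (short touch) empty.
    case "$slots" in
        1) echo "ykman otp swap" ;;
        2) echo "# slot 1 is already empty; a short touch emits nothing" ;;
        *) echo "# both slots programmed; a swap would leave slot 1 occupied" ;;
    esac
}

# Constructed sample, matching the output shown on this page.
SAMPLE_INFO='YubiKey 4
Slot 1: programmed
Slot 2: empty'

# On a real device: plan_otp_hardening "$(ykman otp info)"
plan_otp_hardening "$SAMPLE_INFO"
```

When both slots are programmed the planner does not suggest a swap, because the short touch would still emit whatever moves into slot 1.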

References

https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2

https://github.com/Yubico/yubikey-manager

@thegreyd

This might be useful to someone. I encountered "Failed writing to the Yubikey. Check if device has restricted access" and after stumbling around ykman, ykpersonalize and GUI I couldn't modify the slot config and kept getting the same error. I had originally used ykpersonalize to set up the yubikey; I rewrote the slot, but this time using the flag "-oallow-update". Then I was able to use ykman to disable/enable "Enter". I found it more useful to have "Enter" configured, but toggle the device itself using the command "ykman config usb --<disable/enable> otp".

@ravron
Author

ravron commented Dec 24, 2020

Thanks, @thegreyd!

@andiwils

andiwils commented May 2, 2023

This worked like a charm after spamming my colleagues with random modhex code. Thank you!

@jonyen

jonyen commented Feb 12, 2024

Thank you @thegreyd! I wrote a little script so that I can just type yk in the command line to toggle it on/off. The yubikey itself has a little green LED, so I can look at that to check if it's on.

#!/bin/zsh

# put this script under /usr/local/bin/yk, or wherever your working path is

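# capture the device info, which lists whether each application is enabled
info=$(ykman info 2>/dev/null)

# stop if no yubikey answered, instead of reporting a toggle that did not happen
if [[ -z "$info" ]]; then
   echo "No YubiKey detected." >&2
   exit 1
fi

# Look for "Yubico OTP Enabled", then toggle the value
# ([[:space:]] is the portable spelling of \s)
if grep -q "Yubico OTP[[:space:]]*Enabled" <<< "$info"; then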
   # use -f to forcefully change the setting without having to do an additional prompt
   ykman config usb -f -d otp > /dev/null 2>&1
   echo "\e[31mYubico OTP has been disabled.\e[0m\n"
else
   ykman config usb -f -e otp > /dev/null 2>&1
   echo "\e[32mYubico OTP has been enabled.\e[0m\n"
fi
