ravron · May 5, 2025 15:25 · Jun 28, 2021 · Jun 28, 2021 · Jun 28, 2021 · Jun 28, 2021
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Tired of spamming Yubikey one-time-password (OTP) codes into Slack? Here are two options to help prevent that. You can do either or both. Both require `ykman`, the Yubikey CLI configuration manager. Get it with Homebrew:
+Tired of spamming Yubikey one-time password (OTP) codes into Slack? Here are two options to help prevent that. You can do either or both. Both require `ykman`, the Yubikey CLI configuration manager. Get it with Homebrew:
 
 ```
 brew install ykman

diff --git a/README.md b/README.md
@@ -71,6 +71,6 @@ A Yubikey OTP is a encryption-based OTP, similar to [HOTP](https://en.wikipedia.
 In short, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects. 
 
 ## References
-https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
-https://github.com/Yubico/yubikey-manager
-https://developers.yubico.com/OTP/OTPs_Explained.html
+* https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
+* https://github.com/Yubico/yubikey-manager
+* https://developers.yubico.com/OTP/OTPs_Explained.html
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ Download and install the [YubiKey Manager tool](https://www.yubico.com/support/d
 
 ## What's the big deal with Yubikey codes?
 
-Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, there's also a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!
+Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, they also represent a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!
 
 A Yubikey OTP is a encryption-based OTP, similar to [HOTP](https://en.wikipedia.org/wiki/HMAC-based_one-time_password). Unlike SMS or email OTPs, which typically expire after a short period, Yubikey OTPs are valid until they, or a later generated code, are used for authentication. Until then, your authentication is vulnerable to a buffered replay attack, where someone uses your accidentally-sent code to log in as you, in combination with stolen credentials. 
 

diff --git a/README.md b/README.md
@@ -66,7 +66,9 @@ Download and install the [YubiKey Manager tool](https://www.yubico.com/support/d
 
 Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, there's also a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!
 
-A Yubikey OTP is a hash-based OTP, or HOTP. Unlike SMS or email OTPs, which typically expire after a short period, HOTPs are valid until they, or a later generated code, are used for authentication. In other words, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects. 
+A Yubikey OTP is a encryption-based OTP, similar to [HOTP](https://en.wikipedia.org/wiki/HMAC-based_one-time_password). Unlike SMS or email OTPs, which typically expire after a short period, Yubikey OTPs are valid until they, or a later generated code, are used for authentication. Until then, your authentication is vulnerable to a buffered replay attack, where someone uses your accidentally-sent code to log in as you, in combination with stolen credentials. 
+
+In short, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects. 
 
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2

diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Tired of spamming Yubikey OTP codes into Slack? Here are two options to help prevent that. You can do either or both. Both require `ykman`, the Yubikey CLI configuration manager. Get it with Homebrew:
+Tired of spamming Yubikey one-time-password (OTP) codes into Slack? Here are two options to help prevent that. You can do either or both. Both require `ykman`, the Yubikey CLI configuration manager. Get it with Homebrew:
 
 ```
 brew install ykman
@@ -7,6 +7,7 @@ brew install ykman
 *If you…* 
 * …don't have Homebrew? [Install it](https://brew.sh/), then run the command above
 * …don't feel comfortable running terminal commands? Skip to [the bottom](#if-youre-not-comfortable-running-terminal-commands)
+* …aren't sure what the big deal is? See ["What's the big deal with Yubikey codes?"](#whats-the-big-deal-with-yubikey-codes) below
 
 ## Disable sending `<Enter>`
 
@@ -61,6 +62,13 @@ Download and install the [YubiKey Manager tool](https://www.yubico.com/support/d
 1. Click "Applications," then "OTP"
 1. Click "Swap" to swap the configuration from the short-touch slot, slot 1, to the long touch slot, slot 2
 
+## What's the big deal with Yubikey codes?
+
+Besides being somewhat annoying and confusing to the people on the receiving end of accidental Yubikey OTP codes, there's also a security concern. A Yubikey OTP is often accepted as a second authentication factor for secure services, in the same way an SMS OTP might be. Accidentally sending your Yubikey OTP to others is a lot like accidentally forwarding one of those six-digit SMS codes to others. In fact, it's worse!
+
+A Yubikey OTP is a hash-based OTP, or HOTP. Unlike SMS or email OTPs, which typically expire after a short period, HOTPs are valid until they, or a later generated code, are used for authentication. In other words, when you send a Yubikey OTP to others, you may be reducing the security of the accounts it protects. 
+
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
-https://github.com/Yubico/yubikey-manager
+https://github.com/Yubico/yubikey-manager
+https://developers.yubico.com/OTP/OTPs_Explained.html
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@ brew install ykman
 ```
 
 *If you…* 
-* …don't have Homebrew? [Install it](https://brew.sh/), then run the command above.
+* …don't have Homebrew? [Install it](https://brew.sh/), then run the command above
 * …don't feel comfortable running terminal commands? Skip to [the bottom](#if-youre-not-comfortable-running-terminal-commands)
 
 ## Disable sending `<Enter>`

diff --git a/README.md b/README.md
@@ -4,7 +4,9 @@ Tired of spamming Yubikey OTP codes into Slack? Here are two options to help pre
 brew install ykman
 ```
 
-Don't have Homebrew? [Install it](https://brew.sh/), then run the command above.
+*If you…* 
+* …don't have Homebrew? [Install it](https://brew.sh/), then run the command above.
+* …don't feel comfortable running terminal commands? Skip to [the bottom](#if-youre-not-comfortable-running-terminal-commands)
 
 ## Disable sending `<Enter>`
 
@@ -49,6 +51,16 @@ OSError: Failed to open device for communication: -536870174
 
 you're likely running afoul of those protections. Add your terminal emulator (e.g. Terminal.app or iTerm.app) to the list of apps in Security & Privacy > Input Monitoring and try again.
 
+## If you're not comfortable running terminal commands
+
+You can't disable the `<Enter>` keypress, but you can still add an OTP triggering delay as described [above](#add-an-otp-triggering-delay). 
+
+Download and install the [YubiKey Manager tool](https://www.yubico.com/support/download/yubikey-manager/). Then:
+
+1. Plug in your YubiKey
+1. Click "Applications," then "OTP"
+1. Click "Swap" to swap the configuration from the short-touch slot, slot 1, to the long touch slot, slot 2
+
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
 https://github.com/Yubico/yubikey-manager
diff --git a/README.md b/README.md
@@ -41,6 +41,12 @@ On macOS Catalina (10.15) and above, user privacy controls may prevent `ykman` f
 Error: Failed connecting to YubiKey 4 [OTP+FIDO+CCID]. Make sure the application have the required permissions.
 ```
 
+or this:
+
+```text
+OSError: Failed to open device for communication: -536870174
+```
+
 you're likely running afoul of those protections. Add your terminal emulator (e.g. Terminal.app or iTerm.app) to the list of apps in Security & Privacy > Input Monitoring and try again.
 
 ## References

diff --git a/README.md b/README.md
@@ -4,6 +4,8 @@ Tired of spamming Yubikey OTP codes into Slack? Here are two options to help pre
 brew install ykman
 ```
 
+Don't have Homebrew? [Install it](https://brew.sh/), then run the command above.
+
 ## Disable sending `<Enter>`
 
 By default, Yubikeys send the `<Enter>` character after sending the modhex code. You may disable this behavior. First, confirm which slot you have programmed:

diff --git a/README.md b/README.md
@@ -31,6 +31,16 @@ $ ykman otp swap
 
 This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.
 
+## Troubleshooting
+
+On macOS Catalina (10.15) and above, user privacy controls may prevent `ykman` from functioning. If you see something like this:
+
+```text
+Error: Failed connecting to YubiKey 4 [OTP+FIDO+CCID]. Make sure the application have the required permissions.
+```
+
+you're likely running afoul of those protections. Add your terminal emulator (e.g. Terminal.app or iTerm.app) to the list of apps in Security & Privacy > Input Monitoring and try again.
+
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
 https://github.com/Yubico/yubikey-manager
diff --git a/README.md b/README.md
@@ -33,8 +33,4 @@ This is usually suitable when you use the OTP function of your Yubikey only rare
 
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
-https://github.com/Yubico/yubikey-manager
-
-<details>
-  <summary>Details test</summary>
-</details>
+https://github.com/Yubico/yubikey-manager
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ YubiKey 4
 Slot 1: programmed
 Slot 2: empty
 ```
+
 In this case, slot 1 is programmed. Configure the programmed slot not to send enter:
 
 ```shell
@@ -27,8 +28,13 @@ Yubikeys have two OTP slots. The device uses the duration of the touch to determ
 ```shell
 $ ykman otp swap
 ```
+
 This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.
 
 ## References
 https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
-https://github.com/Yubico/yubikey-manager
+https://github.com/Yubico/yubikey-manager
+
+<details>
+  <summary>Details test</summary>
+</details>
diff --git a/README.md b/README.md
@@ -0,0 +1,34 @@
+Tired of spamming Yubikey OTP codes into Slack? Here are two options to help prevent that. You can do either or both. Both require `ykman`, the Yubikey CLI configuration manager. Get it with Homebrew:
+
+```
+brew install ykman
+```
+
+## Disable sending `<Enter>`
+
+By default, Yubikeys send the `<Enter>` character after sending the modhex code. You may disable this behavior. First, confirm which slot you have programmed:
+
+```shell
+$ ykman otp info
+YubiKey 4
+Slot 1: programmed
+Slot 2: empty
+```
+In this case, slot 1 is programmed. Configure the programmed slot not to send enter:
+
+```shell
+$ ykman otp settings --no-enter 1
+```
+
+## Add an OTP triggering delay
+
+Yubikeys have two OTP slots. The device uses the duration of the touch to determine which slot to use to emit a code: slot 1 requires about a half-second touch, and slot 2 requires about a two-second touch. By default, OTP is written to slot 1, meaning it's easy to trigger accidentally. You may swap the configurations in the slots, which usually means moving the configuration progammed in slot 1 to slot 2, leaving slot 1 empty:
+
+```shell
+$ ykman otp swap
+```
+This is usually suitable when you use the OTP function of your Yubikey only rarely — if you use it often, the longer delay may be irritating.
+
+## References
+https://support.yubico.com/support/solutions/articles/15000006461-swapping-yubico-otp-from-slot-1-to-slot-2
+https://github.com/Yubico/yubikey-manager