How I use YubiKey Static Passwords

The YubiKey is a popular hardware security key device that supports modern 2FA, MFA, OTP, and Passwordless authentication setups. Most models also support the use of a “Static Password”. This feature takes a user-defined key sequence and types it on the system when the device is pressed. Since it is sending standard keyboard codes, this feature is compatible with almost any system capable of accepting a USB keyboard.

If we set our static password to “NN33niugtdnbblhjllctlndfljduijcebretnbjdfiueiijbftjlnkdecluvhfuf”, then pressing the YubiKey would have the same result as plugging in a keyboard and typing out (rather quickly) the same sequence of characters.

A very important thing to understand upfront is that static passwords are not recommended on their own. If your YubiKey were to fall into the wrong hands, a bad actor could easily have your YubiKey type out the static password. Also, if we want to use it for multiple systems, we would not want to commit the great security sin of using the same password in more than one place. As a result, this feature is generally used as only one part of the complete password. You type a portion of your password, something you can remember easily, and use the YubiKey to inject the remainder at the start, end or middle to lengthen and augment the overall password:

ThereIsNoSp00n!NN33niugtdnbblhjllctlndfljduijcebretnbjdfiueiijbftjlnkdecluvhfuf

Alpha&NN33niugtdnbblhjllctlndfljduijcebretnbjdfiueiijbftjlnkdecluvhfuf0Mega

So where do I use this? With popular operating systems on desktop, server and mobile devices supporting modern authentication setups, I have only found two critical use cases in my day-to-day where I use this feature:

Logging in

Two work-related laptops I used to have, one Windows and one macOS, were both set to standard username and password authentication. Neither had a thumbprint scanner, and neither was allowed to use any kind of facial recognition. Since my work at the time required me to regularly travel between countries and offices, as well as attend conferences, I wanted to make sure I had a strong password at all times to log in to my laptops and VPN.

Password to unlock Keyring

Once logged in, I could make use of my third-party password manager and SSH keyring to authenticate myself to other systems. However, these required a password to unlock, and having a weak password protecting your password manager or keyring seems like a pretty terrible idea, so using a password augmented by my YubiKey gave me added peace of mind.

So if you find yourself in a situation where all you have is a username and password at your disposal, then static passwords can be a very convenient way to add additional security. Just remember: if the system you’re using supports or provides any stronger method of authentication, you really should be using that instead.

For more information about the Static Password feature for YubiKey, check out https://support.yubico.com/hc/en-us/articles/360016614980-Understanding-Core-Static-Password-Features.