I recently obtained YubiKeys from Yubico. A YubiKey is a USB hardware token that can act as a keyboard device (a HID) to input characters, and it also has a little button. It supports different modes:
- Yubico OTP Mode: Yubico implementation + server
- OATH-HOTP Mode: standard HOTP as per RFC 4226
- Static Password Mode: output the same static string
- Challenge Response Mode: no HID, software challenges the token and gets a response
Two-factor authentication
The typical use of this token is two-factor authentication. For instance, the YubiKey is configured in OTP mode, and when your authentication service asks you for an OTP, you plug the device into a USB port, press the button, and it inputs the OTP for you (as a HID, acting as a keyboard).
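An added example (not from the original post or from Yubico's code) of what the authentication service does in OATH-HOTP mode: RFC 4226 code generation, plus a validator with a look-ahead window that resynchronises the counter and rejects replayed codes. The `HotpValidator` class, its `window` parameter and the use of the RFC's published test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226, Appendix D (never use it for a real token).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Hypothetical server-side state for one token: key + next expected counter."""

    def __init__(self, key: bytes, counter: int = 0, window: int = 5, digits: int = 6):
        self.key = key
        self.counter = counter    # lowest counter value still accepted
        self.window = window      # tolerates button presses that were never submitted
        self.digits = digits

    def verify(self, otp: str) -> bool:
        # Reject malformed input before any comparison (fixed length, ASCII digits).
        if len(otp) != self.digits or not (otp.isascii() and otp.isdigit()):
            return False
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), otp):
                self.counter = c + 1   # resync: this code and older ones are now dead
                return True
        return False


if __name__ == "__main__":
    server = HotpValidator(RFC_TEST_KEY, window=3)
    print(server.verify(hotp(RFC_TEST_KEY, 0)))   # first press is accepted
    print(server.verify(hotp(RFC_TEST_KEY, 0)))   # replay of the same code fails
    print(server.verify(hotp(RFC_TEST_KEY, 4)))   # three unused presses, still in window
```

The window trades usability for guessing resistance: each extra counter value the server is willing to try is one more code that would be accepted at that moment, so it is kept small and paired with attempt throttling.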
Configuration
Yubico offers a cross-platform (Windows, Mac and Linux) personalization tool (user guide). It is a quick way to start playing with the device.
Hacking
This is the best part: Yubico products are well documented, and there is a variety of open source software and libraries in various languages (from either Yubico or third parties):
- yubikey-python: server library
- YubiServe: Python OATH-HOTP validation server
- yubico-c-client: C client library
- yubikey-personalization: tool (in C) to personalize YubiKey from command-line
- yubico-pam: PAM server module, and another
- python-yubico: library to talk to YubiKeys <= must!
- and more.