Background
Google Apps supports 2-step verification, implemented with the OATH TOTP protocol (RFC 6238). TOTP derives a one-time code by computing HMAC-SHA1, keyed with a shared secret, over the current time expressed as a count of 30-second steps. Google's 2-step verification is available for the free Gmail product as well as the paid-for Google Apps products.
The YubiKey has no battery, so it cannot keep track of the current time. This prevents the YubiKey from implementing OATH TOTP on its own. However, YubiKeys with firmware version 2.2 or later support HMAC-SHA1 in their challenge/response mode, which is exactly the primitive TOTP is built on.
Therefore, to produce a TOTP code with a YubiKey, Yubico has developed a small application that sends the current time to a YubiKey slot configured for HMAC-SHA1 challenge/response. The application formats the current time as the OATH-TOTP time-step counter, sends it as the challenge, and receives back the 160-bit HMAC-SHA1 result. It then truncates that result as specified by OATH-TOTP to produce a 6- or 8-digit code. The shared secret is written into the YubiKey during set-up and cannot be read back afterwards, so at authentication time the host only handles the challenge and the HMAC output.
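The split described above, as an added illustration (not Yubico's application code): the host builds the time-step counter and performs the OATH truncation, while the YubiKey only computes HMAC-SHA1 over the challenge. The YubiKey's HMAC-SHA1 slot is simulated here in software with `hmac.new`, so the example runs without hardware; the function and variable names are this example's own. The RFC 6238 test secret is used so the output can be checked against the published vectors, and `decode_gmail_secret` handles the unpadded base32 form in which Google presents the shared secret.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per OATH-TOTP step (RFC 6238 default, also Google's)


def totp_challenge(unix_time: int, step: int = TIME_STEP) -> bytes:
    """Host side: the 8-byte big-endian time-step counter T = floor(time / step).

    These 8 bytes are the challenge the sidekick application sends to the YubiKey.
    """
    return struct.pack(">Q", unix_time // step)


def yubikey_hmac_sha1(secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for the YubiKey's HMAC-SHA1 challenge/response slot.

    The real key holds `secret` internally and returns the 20-byte (160-bit) HMAC.
    """
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def truncate(hmac_result: bytes, digits: int) -> str:
    """Host side: dynamic truncation from RFC 4226 section 5.3.

    The low nibble of the last byte selects a 4-byte window; its top bit is masked
    off and the value is reduced modulo 10^digits, keeping leading zeros.
    """
    offset = hmac_result[-1] & 0x0F
    code = struct.unpack(">I", hmac_result[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_gmail_secret(secret_b32: str) -> bytes:
    """Google shows the shared secret as base32 without padding, often grouped by spaces."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding so b32decode accepts it
    return base64.b32decode(s)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Full exchange: host challenge -> (simulated) YubiKey HMAC -> host truncation."""
    challenge = totp_challenge(unix_time)
    response = yubikey_hmac_sha1(secret, challenge)
    return truncate(response, digits)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret for HMAC-SHA1 (constructed for this example).
    secret = b"12345678901234567890"
    now = int(time.time())
    print("challenge (hex):", totp_challenge(now).hex())
    print("current 6-digit code:", totp(secret, now, 6))
    print("RFC 6238 vector, time=59, 8 digits:", totp(secret, 59, 8))  # 94287082
```

Because the challenge changes every 30 seconds, a code computed from a host whose clock has drifted by more than Google's tolerance window is rejected even though the HMAC on the key is correct; keeping the host clock synchronised is the usual fix.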
Required
- YubiKey version 2.2 or later
- Windows
- YubiKey TOTP Application for Windows (Free Download)
How to enable YubiKey + Gmail for Windows
Implement YubiKey with Gmail, step by step guide [pdf]
Yubico has developed a small "sidekick" application for Windows that loads an icon in your System Tray. This program sends a challenge to the YubiKey and processes the response (a 160-bit HMAC-SHA1 result) to produce the 6- or 8-digit OATH-TOTP code.
To make this work, you need the OATH-TOTP secret from your Gmail account's 2-step verification settings (the key Google shows for authenticator apps). This secret is then loaded into the YubiKey's challenge/response slot using the YubiTOTP application.
The program pastes the result into the currently active window. When Google Mail asks for a verification code, double-click the Yubico icon in the system tray; the program sends the current time step as a challenge to the YubiKey and pastes the resulting code into the active window. Because the code is bound to the current 30-second time step, the host clock must be accurate: if it drifts, Google will reject the code.
Mac OSX
zetetic.net offers OneTime, an application for Gmail two-factor authentication and OATH one-time passwords on Mac OS X with a YubiKey.
Linux
Yubico provides a simple OATH TOTP code generator for Linux in its python-yubico package. Follow the package's installation instructions and then try util/yubikey-totp.
Additional reading:
Third-party developers figured out a way to generate OATH TOTP codes using the ykchalresp(1) utility from the yubikey-personalization package.
Blog post: YubiTOTP for Linux (Binaryelysium.com)
