Using the YubiKey with Gmail 2 step verification
Background
Google's Mail product has the capability for 2 step verification (see here). This is implemented using the OATH TOTP protocol, which uses the current time, together with a shared secret, as the input to a keyed cryptographic hash (HMAC-SHA1).
Note: this includes the free Gmail product as well as the paid for Google Apps products.
The YubiKey has no battery, so it cannot keep the current time, and it does not directly support the OATH TOTP protocol. It can nevertheless be used with Gmail, because a version 2.2 (or later) YubiKey supports the HMAC-SHA1 hash in its challenge/response functionality.
Therefore, it is possible to create a TOTP response using the YubiKey together with an application that sends the current time to a YubiKey set up for HMAC-SHA1 challenge/response. The application sends the current time in the OATH-TOTP format as the challenge and receives back the 160-bit HMAC-SHA1 hash. This is then processed as per the OATH-TOTP spec to produce either a 6- or 8-digit number.
How to create a YubiTOTP for Windows
Yubico has developed a small "sidekick" application for Windows that loads an icon in your System Tray. Download here. This program is designed to send a challenge to the YubiKey and process the response (a 160-bit HMAC-SHA1 hash) to produce the OATH-TOTP 6- or 8-digit response.
To make this work, you need to get the OATH-TOTP secret from your gmail account settings. This is then loaded into the YubiKey using the YubiKey Personalization Tool.
The program is designed to paste the result into the current window. So when Google mail asks for a verification code, double click the Yubico icon in the system tray; the program sends the current time as a challenge to the YubiKey and pastes the result into the current window.
Check out the video below for a demonstration, or click here. You will need to convert the BASE32 secret from Google to HEX before loading it into the YubiKey. This spreadsheet can do the conversion for you.
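The two steps above (decoding Google's BASE32 secret into the HEX key that the Personalization Tool expects, and turning the current time into a challenge whose HMAC-SHA1 response is truncated to a 6- or 8-digit code) are shown end to end in the following added example. It is not code from the YubiTOTP application or from Yubico; it computes the HMAC-SHA1 locally in software in place of the YubiKey's response, and it assumes the challenge is the standard OATH-TOTP 8-byte big-endian time counter (RFC 6238). The sample secret is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def base32_secret_to_key(secret_b32: str) -> bytes:
    """Decode the BASE32 secret Google displays at enrolment into raw key bytes.

    Google shows the secret in lowercase groups of four characters without
    padding, so normalise case, strip separators and restore '=' padding.
    """
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def key_to_hex_for_personalization_tool(key: bytes) -> str:
    """The HEX form of the 20-byte key that is typed into the HMAC-SHA1 slot."""
    return key.hex()


def totp_challenge(unix_time: int, step: int = 30) -> bytes:
    """OATH-TOTP challenge: the time-step counter as an 8-byte big-endian value."""
    counter = unix_time // step
    return struct.pack(">Q", counter)


def hmac_sha1_response(key: bytes, challenge: bytes) -> bytes:
    """Local stand-in for the YubiKey: HMAC-SHA1 over the challenge (assumption)."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def truncate_to_digits(response: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3) of the 160-bit response."""
    if digits not in (6, 8):
        raise ValueError("OATH-TOTP codes are 6 or 8 digits")
    offset = response[-1] & 0x0F
    code = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_code(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Full pipeline: secret -> key, time -> challenge, response -> code."""
    key = base32_secret_to_key(secret_b32)
    response = hmac_sha1_response(key, totp_challenge(unix_time, step))
    return truncate_to_digits(response, digits)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test secret ("12345678901234567890") in BASE32.
    sample_secret = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print("HEX for the Personalization Tool:",
          key_to_hex_for_personalization_tool(base32_secret_to_key(sample_secret)))
    print("Code right now:", totp_code(sample_secret, int(time.time())))
```

The `hmac_sha1_response` function is the only part the YubiKey replaces: with the key programmed into a challenge/response slot, the host sends the 8 bytes from `totp_challenge` and receives the same 20-byte digest, so the key never leaves the device. Because the code is derived from the clock, the host's time must be within one step of Google's for the code to be accepted.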
Links to get started
» Buy a YubiKey online
» Implement YubiKey with Gmail, step by step guide [pdf]
» How to implement YubiKey with Gmail [Video]
» Application for Windows [Free Download]
» Spreadsheet for converting the BASE32 secret from Google to HEX [Free Download]
Demonstration of how to use the YubiKey with Gmail
How to create a YubiTOTP for Linux
Yubico provides a simple OATH TOTP code generator for Linux in its python-yubico package. Follow the installation instructions below and then try util/yubikey-totp.
Additional reading: Third party developers figured out a way to generate OATH TOTP codes using the ykchalresp(1) utility in the yubikey-personalization package. See their blog post below.
» Blog post: YubiTOTP for Linux [Binaryelysium.com]
How to use YubiKey with Gmail on Mac OSX
zetetic.net offers OneTime, a program for Gmail two-factor authentication and OATH one-time passwords on Mac OS X with a YubiKey.
» Learn more about OneTime
» github: Source code

