Yubico Team

Changes to the YubiKey VIP

We’ve made some changes to the YubiKey VIP! Previously, the YubiKey VIP came with a Symantec VIP credential used with services that support the Symantec VIP second factor authentication. If you wanted to use the YubiKey with a YubiCloud service (such as LastPass) you would need to add a YubiCloud credential to the YubiKey VIP.

With the release of the v2.3 firmware for the YubiKey, we have decided to add a “dormant” YubiCloud config to the second slot. You can use the cross platform personalization tool to activate it – indeed, you can also swap the configs so your YubiCloud credential is in slot 1 and your VIP is in slot 2!

To help prevent making mistakes, we have password protected both YubiKey configuration slots. You will need to enter the configuration Access Code to make changes (such as swapping, or making the configuration active or dormant). Just enter the serial number of the YubiKey VIP in as the Access code – as it appears lasered on the YubiKey. As with other versions of the YubiKey, you can change the configuration passwords – but be aware there is no way to reset the password should it be lost or forgotten!

2 responses to “Changes to the YubiKey VIP”

  1. Frank says:

    I have just programmed the second slot to use with Passsafe. After that, I can no longer log into PayPal website. However, when I logged into PayPal without Yubikey, I first deactivated 2 factor authentication then I reactivated it. It started working again. How could this happened? I am just wondering if there’s a way to check if the VIP slot is still valid. It looks like the Passsafe is using the slot 1, even though I configured it to use slot 2, as I only need to press the key briefly. I thought if I am using the slot 2 for Passsafe, I should have press and hold for over 5 seconds.

    Happy holidays!

  2. Hello Frank!

    I assume when you say Passsafe, you’re referring to the Password Safe application – is this correct?

    Password Safe uses a Challenge-Response authentication for logging in with the YubiKey – the app send the YubiKey a one-use phrase, which the YubiKey modifies with a secret key shared between the YubiKey and the Password Safe Application. Once the YubiKey has modified the challenge, it is sent back to the application as a response.

    One option with Challenge-Response is the need for user input – a button press. When the YubiKey receives the challenge from the app, it starts looking for any button press, bypassing the standard slot 1 activation. That’s why a short button press works even when the Challenge-Response is configured in slot 2. When the YubiKey has not received a challenge, it should work normally.

    For the VIP credential, it is possible for the YubiKey to get out of sync with the VIP Authentication server. You can re-sync your YubiKey here: https://idprotect.verisign.com/resethome.v
    Remember, your YubiKey VIP Credential ID is “UBHE” followed by the 8 digit serial number on the back of the key, with 0’s added at the front if you don’t have 8 digits. So if your serial number is “123456″, the Credential ID is “UBHE00123456″.

    Hope this helps!
    -David Maples
    Yubico Technical Support