diff --git a/modules/ROOT/pages/using-yubikeys.adoc b/modules/ROOT/pages/using-yubikeys.adoc index 2f97fd0..b13475f 100644 --- a/modules/ROOT/pages/using-yubikeys.adoc +++ b/modules/ROOT/pages/using-yubikeys.adoc @@ -200,7 +200,7 @@ As part of the OTP, you can specify an internal identifier for your key. This is The -a option, again, is the 32-byte AES key and append-cr appends a carriage return to my key as the last character. -When I hit the key, the ykpersonalize program will present me with my options and ask for +When you hit the key, the ykpersonalize program will present you with my options and ask for confirmation before continuing: ==== @@ -264,7 +264,7 @@ https://www.yubico.com/authentication-standards/fido2/[FIDO2] is an open authent One interesting use case of the FIDO module to note is storing OpenSSH public-key identities, which modern OpenSSH agents can pick up right away and use. This makes ssh keys quite portable. -If your key supports FIDO change it's pin with ykman fido access like this: +If your key supports FIDO change its pin with ykman fido access like this: [source, bash] […]$ ykman piv access change-pin @@ -313,7 +313,7 @@ Generate a public key on every host you intend to use the private key, so an Ope [source, bash] […]$ ssh-keygen -t ed25519-sk -Generate the public key and store it's identity in the FIDO2 module to make the private-public key-pair portable: +Generate the public key and store its identity in the FIDO2 module to make the private-public key-pair portable: [source, bash] […]$ ssh-keygen -t ed25519-sk -O resident -O application=ssh:fedora -O verify-required 
@@ -325,7 +325,7 @@ So called resident keys require that the private key is protected by a PIN. As of 2019, there is work in place to attempt to standardize using a YubiKey on the web. The new standard is called WebAuthn, and you can learn more about it here: https://www.yubico.com/solutions/webauthn/. For now, the easiest way to see which platforms support the YubiKey is by browsing https://www.yubico.com/works-with-yubikey/catalog/[yubico's catalog]. -As an alternative to Yubico OTP or WebAuthn, which both don't require storage of credentials on the YubiKey by default, you may also use plain old TOTP like employed in most websites today. There are desktop and at least android apps to work with this conveniently. You may store up to 32 TOTP credentials on a YubiKey 5. +As an alternative to Yubico OTP or WebAuthn, neither of which require storage of credentials on the YubiKey by default, you may also use plain old TOTP like employed in most websites today. There are desktop and at least android apps to work with this conveniently. You may store up to 32 TOTP credentials on a YubiKey 5. Install the desktop application from the official repositories:
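Review bot: In the @@ -200,7 hunk the pronoun switch is incomplete: the added line reads "will present you with my options", which should be "your options". The unchanged context sentence just above it still says "to my key", so consider converting that sentence in the same change to keep the paragraph in one voice.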
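Review bot: In the @@ -264,7 hunk the corrected sentence points the reader at "ykman fido access", but the command in the context right below it is "ykman piv access change-pin", which changes the PIV PIN rather than the FIDO one. Since the line is being touched anyway, either change the command to "ykman fido access change-pin" or reword the sentence. A comma after "FIDO" and capitalising "PIN", as the later resident-key sentence does, would also help.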
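Review bot: In the @@ -313,7 hunk the fixed sentence still opens with "Generate the public key", while the command it introduces (ssh-keygen -t ed25519-sk -O resident ...) creates a key pair, and the sentence itself ends with "private-public key-pair". Suggest "Generate the key pair and store its identity in the FIDO2 module" so the wording matches what the command does.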
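Review bot: In the @@ -325,7 hunk "neither of which require" has a number mismatch: "neither" takes a singular verb, so the added line should read "neither of which requires storage of credentials". While on this line, "like employed in most websites" reads better as "as used by most websites", and "android" should be "Android".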