KeePassXC offers SSH agent support; a similar feature is also available for KeePass using the KeeAgent plugin. I suspect that the Yubico personalization tool always sends a 64 byte buffer to the YubiKey. To clarify, the YubiKey's OTP application, which is what the YubiKey Personalization Tool interacts with specifically, works essentially like a USB keyboard, which is why Input Monitoring permission is needed. First, configure your Yubikey to use HMAC-SHA1 in slot 2. IIRC you will have to "change your master key" to create a recovery code. Neither Yubico's webauth nor Bank of America's webauth is working for me at the moment. How user friendly it is depends on. Plug in your YubiKey and start the YubiKey Personalization Tool. The .NET SDK and the YubiKey support the following encryption and hashing algorithms for challenge-response: Yubico OTP (encryption) and HMAC SHA1 as defined in RFC2104 (hashing). For Yubico OTP challenge-response, the key will receive a 6-byte challenge. The YubiKey PBA in NixOS currently features two-factor authentication using a (secret) user passphrase and a YubiKey in challenge-response mode. In my experience you can not use YubiChallenge with Keepass2Android - it clashes with its internal Yubikey Neo support, each stealing the NFC focus from the other. This procedure is supported by KeePassXC, Keepass4Android and Strongbox. Update the settings for a slot. HMAC-SHA1 Challenge-Response*; PIV; OpenPGP**. *Native OTP support excludes HMAC-SHA1 Challenge-Response credentials. **The YubiKey's OpenPGP feature can be used over USB or NFC with the third-party OpenKeyChain app, which is available on Google Play. Any key may be used as part of the password (including uppercase letters or other modified characters). You could have CR on the first slot, if you. YubiKey Personalization Tool shows whether your YubiKey supports challenge-response in the lower right.
Management - Provides ability to enable or disable available applications on YubiKey. This does not work with. This library. To enable challenge-response on your Yubikey in slot 2, type the following command: ykman otp chalresp -g 2 This configures slot 2 for challenge-response, and leaves slot 1 alone. Display general status of the YubiKey OTP slots. YubiKey offers a number of personalization tools. If a shorter challenge is used, the buffer is zero padded. OATH. I tried configuring the YubiKey for OTP challenge-response, same problem. Yes you can clone a key, if you are using hmac-sha1, download the yubikey personalisation tool. The SetPassword() method allows you to set the static password to anything of your choosing (up to 38 characters in length). 5 beta 01 and key driver 0. Hence, a database backup can be opened if you also store its XML file (or even any earlier one). The YubiKey class is defined in the device module. Please make sure that you've used the YubiKey personalization tool to configure the key you're trying to use for hmac-sha1 challenge-response in slot 2. Apps supporting it include e. so and pam_permit. YubiKey firmware 2. U2F. Insert the YubiKey and press its button. The .NET SDK and the YubiKey support the following encryption and hashing algorithms for challenge-response: 1. To use the YubiKey for multi-factor authentication you need to. I own a Yubikey 5 NFC - version 5. I didn't think this would make a difference, but IT DOES!) One cannot use the same challenge response setting to open the same database on KeePassXC. More general: Yubico has a dedicated Credential Provider that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. Challenge-response - Provides a method to use HMAC-SHA1 challenge-response. These features are listed below. Test your YubiKey with Yubico OTP. You will then be asked to provide a Secret Key.
Open up the Yubikey NEO Manager, insert a YubiKey and hit Change Connection Mode. The YubiKey firmware does not have this translation capability, and the SDK does not include the functionality to configure the key with both the HID and UTF representations of a static password during configuration. Perform a challenge-response operation. The Challenge-Response feature turns out to be a totally different feature than what accounts online use. Response is read via an API call (rather than by the means of recording keystrokes). 0" release of KeepassXC. All of these YubiKey options rely on a shared secret key, or in static password mode, a shared static password. During my work on KeePassXC (stay tuned for a post about this in the future), I learned quite a bit about the inner workings of the Yubikey and how its two-factor challenge-response functionality works. Therefore, it is not possible to generate or use any database (. In other words, Slot 2 can store a Yubico OTP credential, or a Challenge-Response credential. My device is /dev/sdb2, be sure to update the device to whichever is the. Scan yubikey but fails. Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. In this example we’ll use the YubiKey Personalization Tool on Mac, but the steps will be very similar on other platforms. The following method (Challenge-response with HMAC-SHA1) works on Ubuntu with KeePassXC v2. 2. Same problem here with a MacBook Pro (Core i7) and YubiKey nano used in challenge response mode both for login and screen unlock. Need help: YubiKey 5 NFC + KeePass2Android. Defaults to client. I've got a KeePassXC database stored in Dropbox. The YubiHSM secures the hardware supply chain by ensuring product part integrity.
Check that slot#2 is empty in both key#1 and key#2. I don't see any technical reason why U2F or challenge-response mode would not be suitable for the Enpass. The YubiKey Personalization Tool looks like this when you open it initially. The "3-2-1" backup strategy is a wise one. Also if I test the yubikey in the configuration app I can see that if I click. Apparently Yubico-OTP mode doesn’t work with yubico-pam at the moment. Inserting the YubiKey for the first time (Windows XP). YubiKey 4 Series. It does exactly what it says, which is authentication with a. This means the same device that you use to protect your Microsoft account can be used to protect your password manager, social media accounts, and your logins to hundreds of services. To further simplify for Password Safe users, Yubico offers a pre. challenge-response feature of YubiKeys for use by other Android apps. Actual Behavior. conf to make following changes: Change user and group to “root” to provide the root privileges to radiusd daemon so that it can call and use pam modules for authentication. I don't know why I have no problems with it, I just activated 2fa in KeepassXC and was able to unlock my DB on my phone with "Password + Challenge. :) OTP, OATH-HOTP, Challenge-Response, and Static Password) that is loaded in each slot. Edit the radiusd configuration file /etc/raddb/radiusd. Save a copy of the secret key in the process. Please be aware that the current limitation is only for the physical connection. Or will I need a second slot to have Yubico OTP /and/ Challenge Response (ykchalresp) ?? A slot has either a Yubico OTP or a challenge-response credential configured. Generate One-time passwords (OTP) - Yubico's AES based standard.
It is better designed security-wise, does not need any additional files, and is supported by all the apps that support YubiKey challenge-response: KeePassXC, KeeWeb, KeePassium, Strongbox, Keepass2Android, KeePassDX, and probably more. This is a similar but different issue like 9339. Hey guys, was hoping to get people's opinion on the best way to do this, and to see if I have set this up correctly: I have a Yubikey 5 NFC that I have recently configured with KeePass on Windows 10, using the KeeChallenge plugin, in HMAC-SHA1 Challenge-Response mode - (Using this Yubikey Guide and all works great). If you have already set up your Yubikeys for challenge-response, you don’t need to run ykpersonalize again. Use the YubiKey Manager to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and. Single Auth, Step 2: output is the result of verifying the Client Authentication Response. In this video I show you how to use a YubiKey with KeePass for an added layer of security using challenge response in order to be able to open your KeePass d. YubiKey can be used in several modes with KeeWeb: Challenge-response: to provide a hardware-backed component of master key; OATH: for generating one-time codes; Challenge-response. It is either Challenge Response or FIDO U2F. I have not tried Challenge Response, so this is a guess, but Challenge Response seems to need no user interaction, while FIDO U2F seems to require touching the YubiKey. The modules to install differ for each. This time I am choosing FIDO U2F. Problem authenticating with Yubikey 5 via the NFC module - Android 12. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it. While Advanced unlocking says in its settings menu that it Lets you scan your biometric to open the database or Lets you use your device credential to open the database, it doesn't replace authentication with a hardware token (challenge-response), whereas I expected.
This app should be triggered using an implicit intent by any external application wishing to perform challenge-response. yubico/authorized_yubikeys file that is present in the home directory of the user who is trying to access the server through SSH. Encrypting a KeePass Database. Enable Challenge/Response on the Yubikey. However, various plugins extend support to Challenge Response and HOTP. Or it could store a Static Password or OATH-HOTP. Send a challenge to a YubiKey, and read the response. The component is not intended as a “stand-alone” utility kit and the provided sample code is provided as boilerplate code only. This is just keepassx/keepassx#52 rebased against keepassxc. OnlyKey supports multiple methods of two-factor authentication including FIDO2 / U2F, Yubikey OTP, TOTP, Challenge-response. One spare and one other. For most configurations, you should be able to use the Applications > OTP menu in YubiKey Manager to. Set "Encryption Algorithm" to AES-256. authfile=file Set the location of the file that holds the mappings of Yubikey token IDs to user names. Manage certificates and PINs for the PIV Application. The Yubico OTP is 44 ModHex characters in length. Perhaps the Yubikey challenge-response (configured on slot 2) cannot be FWD, but reading the drduh guide, it seems possible to access some smartcard functionalities during/on remote. Initial YubiKey Personalization Tool Screen. Note that triggering slot 2 requires you to hold the YubiKey's touch sensor for 2+ seconds; slot 1 is triggered by touching it for just 1-2 seconds. In the 19. Next we need to create a place to store your challenge response files, secure those files, and finally create the stored challenge files: Databases created with KeepassXC and secured with password and Yubikey Challenge Response don't trigger the yubichallenge app. This should give us support for other tokens, for example, Trezor One, without using their. The driver module defines the interface for communication with an.
Remove YubiKey Challenge-Response; Expected Behavior. A YubiKey with configuration slot 2 available; YubiKey Manager; KeePass version 2 (version should be 2. Any YubiKey that supports OTP can be used. Time based OTPs - extremely popular form of 2fa. Can be used with append mode and the Duo. Serial number of YubiKey (2. HOTP - extremely rare to see this outside of enterprise. When unlocking the database ensure you click on the drop down box under "Select master key type" and choose "Password + challenge-response for KeePassXC". You can access these settings in KeepassXC after checking the Advanced Settings box in the bottom left. Debug info: KeePassXC - Version 2. In order to avoid storing the secret in plain text, we generate a challenge-response pair ahead of time. Need it so I can use yubikey challenge response on the phone. websites and apps) you want to protect with your YubiKey. Actual Behavior. 5 Debugging mode is disabled. I read YubiKey with KeePassXC is not really a 2FA. I want more security than just a pw. How does using a key file differ from using YubiKey challenge? Tx. The first 12 characters of a Yubico OTP string represent the public ID of the YubiKey that generated the OTP--this ID remains constant across all OTPs generated by that individual key. However, you must specify the host device's keyboard layout, as that determines which HID usage IDs will. Additionally, KeeChallenge encrypts the S with the pre-calculated challenge-response pair, and stores the encrypted secret and challenge in the XML file. USB/NFC Interface: CCID PIV. Configure a static password. The YubiKey 5 series can hold up to 32 OATH credentials and supports both OATH-TOTP (time based) and OATH-HOTP. Check Key file / provider: and select Yubikey challenge-response from drop-down.
Note. Having a backup YubiKey is one thing (and mandatory IMHO), but having another way in is prudent. exe "C:My DocumentsMyDatabaseWithTwo. Command APDU info. P1: Slot. P1 indicates both the type of challenge-response algorithm and the slot in which to use. Mode of operation. Note: If this prompt doesn't appear, see the Troubleshooting and Additional Topics section below. This tool can configure a Yubico OTP credential, a static password, a challenge-response credential or an OATH HOTP credential in both of these slots. auth required pam_yubico. so, pam_deny. 6 Challenge-response mode. With introduction of the Challenge-Response mode in YubiKey 2. Challenge response uses raw USB transactions to work. 8" or "3. You will be overwriting slot#2 on both keys. The size of the response buffer is 20 bytes; this is inherent to SHA1 but can be changed by defining RESP_BUF_SIZE. Expected Behavior. If the Yubikey is not plugged then the sufficient condition fails and the rest of the file is executed. MULTI-PROTOCOL SUPPORT: The YubiKey USB authenticator includes NFC and has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication. Remove the YubiKey challenge-response after clicking the button. KeeChallenge works using the HMAC-SHA1 challenge response functionality built into the Yubikey.
Manage certificates and PINs for the PIV Application. YubiKey in Challenge/Response mode does not require network access in the preboot environment. The sections below will walk us through how two-factor authentication using Yubikey in Challenge/Response mode can be implemented to work seamlessly with FDE implementations. If I did the same with KeePass 2. The YubiKey 5Ci is like the 5 NFC, but for Apple fanboys. Deletes the configuration stored in a slot. Only the response leaves the yubikey; it acts as both an additional hard to guess password, but also key loggers would only be able to use the response to unlock a specific save file. The proof of concept for using the YubiKey to encrypt the entire hard drive on a Linux computer has been developed by Tollef Fog Heen, a long time YubiKey user and Debian package maintainer. This option is only valid for the 2. AppImage version works fine. md to set up the Yubikey challenge response and add it to the encrypted. Note that 1FA, when using this feature, will weaken security as it no longer prompts for the challenge password and will decrypt the volume with only the Yubikey being present at boot time. The tool works with any YubiKey (except the Security Key). Click OK. SmartCardInterface - Provides low level access to the Yubikey with which you can send custom APDUs to the key. This key is stored in the YubiKey and is used for generating responses. Both. When you unlock the database: KeeChallenge loads the challenge C from the XML file and sends it to the. Perform a challenge-response style operation using either YubicoOTP or HMAC-SHA1 against a configured YubiKey slot. Two YubiKeys with firmware version 2. So yes, the verifier needs to know the.
It will allow us to generate a Challenge response code to put in Keepass 2. Support is added by configuring a YubiKey slot to operate in HMAC-SHA1 challenge-response mode. This sets up the Yubikey configuration slot 2 with a Challenge Response using the HMAC-SHA1 algorithm, even with less than 64 characters. Add a "Recovery" box to the challenge-response area that allows a hex string to be entered and used for the challenge response computation. HMAC-SHA1 Challenge-Response; Static Password; OATH-HOTP; USB Interface: OTP. For quite a while the yubikey has supported a challenge response mode, where the computer can send a challenge to the yubikey and the yubikey will answer with a response that is calculated using HMAC-SHA1. While these issues mention support of challenge-response through other 3rd party apps: #137 #8. Choose PAM configuration. In order for KeePassXC to properly detect your Yubikey, you must set up one of your two OTP slots to use a Challenge Response. If you're using the yubikey with NFC you will also need to download an app called "ykDroid" from the playstore - this is a passive application that acts as a driver. All glory belongs to Kyle Manna. This is a merge in feature/yubikey from #119. @johseg you can add commit by pushing to feature/yubikey branch. The YubiKey 5C NFC combines both USB-C and NFC connections on a single security key, making it the perfect authentication solution to work across any range of modern devices and leading platforms such as iOS, Android, Windows, macOS, and Linux.
KeeChallenge sends the stored challenge to the YubiKey. The response is used for decrypting the secret stored in the XML file. The decrypted secret is used for decrypting the database. There are several issues with this approach: The secret key never changes, it only gets reencrypted. Setup. It was not working that good because sometimes the OtpKeyProv plugin did not recognize my input when I pressed the button too fast. HMAC Challenge/Response - spits out a value if you have access to the right key. I followed a well-written post: Securing Keepass with a Second Factor – Kahu Security but made a few minor changes. Now on Android, I use Keepass2Android. Install software for the YubiKey, configure the YubiKey for the Challenge-Response mode, store the password for YubiKey Login and the Challenge-Response secret in dom0, enable YubiKey authentication for every service you want to use it for. UseKey (ReadOnlyMemory<Byte>) Explicitly sets the key of the credential. KeePass enables users to store passwords in a highly-encrypted database, which can only be unlocked with one master password and/or a key file. Open Yubikey Manager, and select. In this mode of authentication a secret is configured on the YubiKey. Use "client" for online validation with a YubiKey validation service such as the YubiCloud, or use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1. The YubiKey then enters the password into the text editor. Ensure that the challenge is set to fixed 64 byte (the Yubikey does some odd formatting games when a variable length is used, so that's unsupported at the moment). 2 and later supports HMAC-SHA1 or Yubico challenge-response operations. Using the challenge passphrase they could get the response from the Yubikey and store it, and then use it to decrypt the hard drive at any time without the Yubikey.
Yubico OTP on slot 1, short touch; I think I probably configured it correctly. We are very excited to announce the release of KeePassXC 2. In order to use OnlyKey and Yubikey interchangeably both must have the same HMAC key set. Customize the Library. The YubiKey USB authenticator has multi-protocol support, including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, smart card (PIV), OpenPGP, and challenge-response capabilities, providing. x firmware line. Advantages of U2F include: A Yubikey response may be generated in a straightforward manner with HMAC-SHA1 and the Yubikey's secret key, but generating the Password Safe Yubikey response is a bit more involved because of null characters and operating system incompatibilities. The two slots you're seeing can each do one of: Static Password, Yubico OTP, Challenge-Response (Note: Yubico OTP isn't the same as your typical use case of OATH-TOTP). If you're using Yubico Authenticator for your OTP, and you've done the typical "Scan this QR code / Use these settings" to set it up, that's being stored in the OATH area. Here is how according to Yubico: Open the Local Group Policy Editor. You can also use the tool to check the type and firmware of a YubiKey, or to perform batch programming of a large number of YubiKeys. Weak to phishing like all forms of otp though. Single-factor (YubiKey only) authentication is not recommended for production use, as a lost or stolen YubiKey. YubiKey 5Ci and 5C - Best For Mac Users. A YubiKey with configuration slot 2 available; YubiKey Manager; KeePass version 2. The U2F application can hold an unlimited number of U2F.
The YubiKey response is a HMAC-SHA1 40 byte length string created from your provided challenge and 20 byte length secret key stored inside the token. Among the top highlights of this release are. Unlike a YubiKey, the screen on both Trezor and Ledger mitigates the confused deputy/phishing attack for the purposes of FIDO U2F. Mind that the Database Format is important if you want to use Yubikey over NFC to unlock database on Android devices. Open Yubikey Manager, and select Applications -> OTP. The YubiKey will then create a 16. For a new KeePass database, on the Create Composite Master Key screen, enter your desired master password, then check Show expert options, check Key file / provider, select YubiKey challenge-response, and click OK. In the password prompt, enter the password for the user account listed in the User Name field and click Pair. HMAC-SHA1 Challenge-Response; Static Password; OATH-HOTP; USB/NFC Interface: OTP OATH. The YubiKey computes HMAC-SHA1 on the Challenge using a 20 byte shared secret that is programmed into the YubiKey and the calculated digest i. 0), and I cannot reopen the database without my YubiKey, that is still only possible with YubiKey. CHALLENGE_RESPONSE, which accepts an extra byte[] challenge and returns an extra byte[] response. 40 on Windows 10. All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384. Plug in the primary YubiKey. The attacker doesn't know the correct challenge to send for KeePass, so they can't spoof it. The Password Safe software is available for free download at pwsafe. Use the KeeChallenge plugin with Keepass2 on the Desktop, and the internal Challenge. On Arch Linux it can be installed. Steps to Reproduce (for bugs) 1: Create a database using Yubikey challenge-response (save the secret used to configure the. 1b) Program your YubiKey for HMAC-SHA1 Challenge Response using the YubiKey Personalization Tool.
It is my understanding that the only way you could use both a Yubi and a nitro to unlock the same db would be to use the static password feature on both devices. kdbx" -pw:abc -keyfile:"Yubikey challenge-response" Thanks Dirk. Generating the passphrase makes use of the YubiKey's challenge-response mode. YubiKey challenge-response support for strengthening your database encryption key. 1 Introduction. Be able to unlock the database with mobile application. Select HMAC-SHA1 mode. To do this. Yubikey needs to somehow verify the generated OTP (One Time Password) when it tries to authenticate the user. I agree - for redundancy there has to be second option to open vault besides Yubikey (or any other hardware token). In this case, the cryptographic operation will be blocked until the YubiKey is touched (the duration of touch does not matter). The 5Ci is the successor to the 5C. 0 from the DMG, it only lists "Autotype". The recovery mode from the user's perspective could stay the. Commands. Update: Feel like a bit of a dope for not checking earlier, but if you go to the KeePassXC menu, then click About KeePassXC, at the bottom of the resulting window it lists "Extensions". This mode is used to store a component of master key on a YubiKey. So a Yubico OTP in slot 1 and a challenge response secret in slot 2 should work fine. For challenge-response, the YubiKey will send the static text or URI with nothing after. Note that Yubikey sells both TOTP and U2F devices. The YubiKey personalization tool allows someone to configure a YubiKey for HOTP, challenge response, and a variety of other authentication formats. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation. Paste the secret key you made a copy of earlier into the box, leave Variable Length Challenge? unchecked, and. 2 Revision: e9b9582 Distribution: Snap. Step 3: Program the same credential into your backup YubiKeys.
Program an HMAC-SHA1 OATH-HOTP credential. A YubiKey has two slots (Short Touch and Long Touch). Keepass2Android and. The Challenge Response works in a different way over HID not CCID. and can be used for challenge-response authentication. Instead they open the file browser dialogue. Remove your YubiKey and plug it into the USB port. Manage certificates and PINs for the PIV application; Swap the credentials between two configured. 0! We have worked long and hard to bring you lots of new features and bug fixes in a well-rounded release. Click Applications. It will become a static password if you use single phrase (Master Password). Please add functionality for KeePassXC databases and Challenge Response. Something user knows. The YubiKey 5C NFC is the latest addition to the YubiKey 5 Series. Configuring the OTP application. kdbx created on the computer to the phone. The YubiKey Personalization Tool can help you determine whether something is loaded. Command APDU fields: CLA: 0x00; INS: 0x01; P1: (see below); P2: 0x00; Lc: (varies); Data: challenge data. P1: Slot. If it does not start with these letters, the credential has been overwritten, and you need to program a new OTP. If you. There are a number of YubiKey functions. So I use my database file, master. My Configuration was 3 OTPs with look-ahead count = 0. Yubikey Personalization Tool). FIDO2, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response” [1]. So one key can do all of those things.