[et_pb_section fb_built=”1″ _builder_version=”4.17.1″ background_image=”https:\/\/shop.thekernel.ua\/wp-content\/uploads\/2019\/05\/Security-Key-NFC-by-Yubico-Laptop-1030×687.jpg” parallax=”on” min_height=”610px” custom_margin=”-160px||-3px||false|false” custom_padding=”37px||22px|||” locked=”off” global_colors_info=”{}”][et_pb_row custom_padding_last_edited=”on|phone” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” width_tablet=”” width_phone=”92%” width_last_edited=”on|desktop” custom_margin=”|auto|0px|auto|false|false” custom_padding=”146px||0px|||” custom_padding_tablet=”0px||||false|false” custom_padding_phone=”84px||||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.16″ text_font=”|900|||||||” text_text_color=”#ffffff” text_font_size=”65px” text_letter_spacing=”2px” text_line_height=”1.8em” header_font=”|800|||||||” header_text_color=”#ffffff” header_font_size=”65px” header_letter_spacing=”2px” header_line_height=”1.8em” text_orientation=”center” custom_margin=”0px||||false|false” custom_margin_phone=”0px||||false|false” custom_margin_last_edited=”off|desktop” text_font_size_tablet=”49px” text_font_size_phone=”38px” text_font_size_last_edited=”on|tablet” text_line_height_tablet=”1.8em” text_line_height_phone=”1.8em” text_line_height_last_edited=”on|desktop” header_font_size_tablet=”” header_font_size_phone=”38px” header_font_size_last_edited=”on|desktop” text_text_shadow_style=”preset1″ header_text_shadow_style=”preset1″ text_text_align=”center” global_colors_info=”{}”]<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=”1″ _builder_version=”4.16″ background_color=”#f2f2f2″ custom_margin=”|0px||0px|false|false” custom_padding=”|0px||0px|false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.16″ width_tablet=”91%” width_phone=”92%” width_last_edited=”on|tablet” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ header_2_text_color=”#111″ global_colors_info=”{}”]<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.16″ text_text_color=”#333333″ text_font_size=”18px” global_colors_info=”{}”]<\/p>\n
With hardware security keys, you can get the additional protection of two-factor authentication to make your login procedure secure. Follow these step-by-step instructions to easily set up a YubiKey with macOS.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=”1″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_row _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” width=”92%” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.17.1″ text_text_color=”#333″ text_font_size=”16px” header_text_color=”#111″ global_colors_info=”{}”]<\/p>\n
(Up)<\/a><\/span> (Up)<\/a><\/span> Note:<\/strong> Enabling full disk encryption (FDE) with FileVault is highly recommended when using the macOS Login Tool. If you do not enable FDE, it is possible to reboot the Mac into recovery mode and disable the 2FA requirement.<\/p>\n You will need software to set up YubiKey Manager<\/a>.<\/p>\n Repeat these steps for any additional YubiKeys that you want to use. It is highly recommended to set up a spare YubiKey in order to be able to access your Mac in case the main YubiKey is lost or broken.<\/p>\n Repeat these steps for any additional YubiKeys that you want to use.<\/p>\n Note:<\/strong> If you receive an error similar toFile \/Users\/username\/.yubico\/challenge-7122584 already exists, refusing to overwrite<\/span>this indicates you have already associated this YubiKey with your account. If you are reconfiguring the YubiKey with a new challenge-response secret, you need to delete this file before running the ykpamcfg -2<\/span>command.<\/p>\n (Up)<\/a><\/span> To get started, make sure your Mac is set to require a password as soon as the screen saver starts.<\/p>\n Now the Mac can be configured to require two-factor authentication for the screensaver.<\/p>\n To test the configuration, press Command+Ctrl+Q<\/strong> to lock the Mac. Make sure your YubiKey is not plugged in to the Mac and attempt to login; you should not be able to login, even with the correct password. Then plug in the YubiKey and make sure you can log in after entering the correct password.<\/p>\n (Up)<\/a><\/span> (Up)<\/a><\/span> You can analyze the \/var\/log\/pam_yubico.log<\/span> file to see where the issue is. Or contact Yubico support<\/a> and submit the log data.<\/p>\n (Up)<\/a><\/span>
\nYubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, YubiKey NEO, YubiKey 4, YubiKey 4 Nano, YubiKey 4, YubiKey 4C Nano.<\/p>\nIntroduction<\/h2>\n
\nThe macOS Login Tool allows for secure two-factor authentication on Macs using the HMAC-SHA1 challenge-response feature of the YubiKey.<\/p>\nInstallation<\/h2>\n
\n(Up)<\/a>
\n<\/span><\/p>\n\n
Configuration<\/h2>\n
\n(Up)<\/a>
\n<\/span><\/p>\nConfiguring Your YubiKeys<\/h3>\n
\n
Associating Your YubiKeys with Your Account<\/h3>\n
\n(Up)<\/a>
\n<\/span><\/p>\n\n
\n
Testing the Configuration<\/h3>\n
\nBefore you enable mandatory two-factor authentication on your Mac, you should verify that the configuration works. This is achieved by enabling the requirement only for the screensaver first; if something goes wrong and it does not work you can reboot your Mac and log in normally with just your password.<\/p>\n\n
\n
auth required \/usr\/local\/lib\/security\/pam_yubico.so mode=challenge-response<\/code><\/p>\n\n
Enabling the Configuration<\/h3>\n
\nOnce you’ve verified that the configuration works, follow the step-by-step instructions below to enable two-factor authentication for the login screen, as well as for the screen saver.<\/p>\n\n
auth required \/usr\/local\/lib\/security\/pam_yubico.so mode=challenge-response<\/code><\/p>\n\n
Troubleshooting<\/h2>\n
\nIf you run into issues with the macOS Login Tool after following this guide, you can follow the steps below to enable debug logging, which will provide insight into the issue.<\/p>\n\n
Uninstalling the macOS Login Tool<\/h2>\n
\nYou can use the script in the Uninstalling the macOS Login Tool<\/a>article to uninstall the tool from your Mac.<\/p>\n