I added a hardware security key to my MacBook, and it made my logins faster and safer

For the past few months, I’ve been alternating my laptop usage between a Surface Pro 9 (running Windows 11) and an M2-powered MacBook Air. There’s always a bit of an adjustment when switching between platforms, but I found one aspect of the MacBook especially frustrating: After a restart, I have to enter the local user account password before I can use the TouchID fingerprint recognition hardware. Can’t MacOS work more like Windows Hello, which lets me sign on anytime using biometrics or a PIN?

Well, yes, it can! As long as you have the right hardware, that is.

Specifically, you need a USB security key that supports the Personal Identity Verification (PIV) standard and can act as a smart card for login purposes. As it turns out, anything in the YubiKey 5 series from Yubico meets these standards. Now, I just happen to have a few of these versatile keys hanging around, so I decided to make my MacBook a little easier to use, with their help.

Here’s how I did it.

I started with a YubiKey 5 Nano, which is a remarkably small gizmo that plugs into one of the MacBook’s two USB-C ports and sticks out just a tiny fraction of an inch. That’s it on the far right in this family photo of the YubiKey 5 series.

For any modern MacBook, you can use one of these Series 5 YubiKeys with a USB Type-C connector

Image credit: Yubico

I could have used a more traditional key that’s designed to be plugged in and removed at the end of a session, but I was especially attracted to this device’s capability to remain plugged in without my having to carry it separately.

The setup process is fairly straightforward and is documented in this Yubico support article, “Using Your YubiKey as a Smart Card in MacOS.” For these instructions, I assume you’re starting with a new hardware key that’s never been previously configured.

How to set up your YubiKey on MacOS

Step 1: Download the YubiKey Manager app and install it on the Mac.

Click PIN Management to configure the hardware key before using the Setup for MacOS option

Screenshot by Ed Bott/ZDNET

Open YubiKey Manager, click Applications > PIV, and click PIN Management. Make the following changes:

  • Set a new PIN. Click Change PIN and change the default value of 123456 to a value of your choosing, between 6 and 8 characters. Use numbers only, as MacOS does not support non-numeric characters for a PIN. This is the value you will type to unlock your Mac.
  • Set a new PIN Unlock Key (PUK). Click Change PUK and change the default value from 12345678 to one of your choosing, between 6 and 8 characters (numbers only). Keep a record of this code in a safe place. If the wrong PIN is entered three consecutive times, the PIN is blocked, and entering the PUK is the only way to unblock it. If you can’t supply the correct PUK, or if you enter the wrong PUK three consecutive times, you’ll need to reset the hardware key and start over.
  • Set a new Management Key. Click Change Management Key and then click Generate to change the 48-character triple-DES key to a new random value. You’re not expected to remember this value, so also select the Protect with PIN checkbox here, and then click Finish.
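
The PIN and PUK rules in the list above, as a small Python model you can run before committing to values (an added example, not code from the article or from Yubico). The names `check_code` and `PivLockoutModel` are hypothetical, the sample codes are constructed, and the model assumes that unblocking with the PUK also sets a new PIN.

```python
import re

DEFAULT_PIN = "123456"      # factory default named in the article
DEFAULT_PUK = "12345678"    # factory default named in the article
MAX_TRIES = 3               # consecutive wrong entries before blocking


def check_code(code: str, default: str) -> list[str]:
    """Return the reasons a candidate PIN/PUK is unacceptable (empty = OK)."""
    problems = []
    if not re.fullmatch(r"[0-9]{6,8}", code):
        problems.append("must be 6 to 8 digits, numbers only")
    if code == default:
        problems.append("is still the factory default")
    return problems


class PivLockoutModel:
    """Toy model of the retry rules; it never talks to a real key."""

    def __init__(self, pin: str, puk: str):
        for code, default in ((pin, DEFAULT_PIN), (puk, DEFAULT_PUK)):
            problems = check_code(code, default)
            if problems:
                raise ValueError("; ".join(problems))
        self._pin, self._puk = pin, puk
        self.pin_tries = self.puk_tries = MAX_TRIES

    @property
    def state(self) -> str:
        if self.puk_tries == 0:
            return "reset-required"   # only a full PIV reset helps now
        return "pin-blocked" if self.pin_tries == 0 else "ok"

    def verify_pin(self, attempt: str) -> bool:
        if self.pin_tries == 0:
            return False              # blocked: even the right PIN is refused
        if attempt == self._pin:
            self.pin_tries = MAX_TRIES  # success clears the consecutive count
            return True
        self.pin_tries -= 1
        return False

    def unblock_with_puk(self, puk_attempt: str, new_pin: str) -> bool:
        # Assumption: a successful unblock also sets a new PIN.
        if self.puk_tries == 0 or check_code(new_pin, DEFAULT_PIN):
            return False
        if puk_attempt != self._puk:
            self.puk_tries -= 1
            return False
        self._pin, self.pin_tries, self.puk_tries = new_pin, MAX_TRIES, MAX_TRIES
        return True
```

Note that a correct PIN entry resets the counter, so only three wrong entries in a row block the PIN, and a blocked PIN stays blocked even if the right value is typed afterwards.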

Open YubiKey Manager, click Applications > PIV, click Setup for MacOS, and then click Setup for MacOS. (Yes, that’s a second button with the same label as the previous one.) 

This process pairs your hardware key with the certificates associated with the PIV application, turning your key into a MacOS-compatible smart card. Confirm that you want to overwrite the existing values, then enter your PIN and click OK.

Remove the hardware key and reinsert it. MacOS will prompt you to associate the hardware key/smart card with your user account. Click that notification to begin the pairing process.

Click the notification in the upper right corner to pair your hardware key with MacOS

Screenshot by Ed Bott/ZDNET

Pay close attention to the screens that follow. You’ll need to enter the hardware key’s PIN, followed by the password for your MacOS user account, followed by the password for your iCloud Keychain (which is probably the same as your account password).

And that’s it. The next time you restart your MacBook, you can type your PIN instead of having to enter your password. That unlocks the TouchID fingerprint reader, which you can then use to sign in after you resume from sleep.

If the YubiKey isn’t inserted when you restart (or resume from a long sleep session), you’ll be prompted to enter your password. You can plug in the key to change that prompt and use your PIN instead.

In this configuration, you can safely change your password to be longer. (Experts say it should be at least 12 characters in length, but feel free to change it to a passphrase that contains upper- and lower-case letters and at least one number.) You’ll still need to type that passphrase occasionally to make system-level changes, but you won’t need it to sign in to your MacBook.

Source: https://www.zdnet.com/article/i-added-a-hardware-security-key-to-my-macbook-and-it-made-my-logins-faster-and-safer/#ftag=RSSbaffb68