YubiKey and Mac OS X FileVault
This post is very old now and the information below may well be inaccurate.
If there's one thing I seem to be obsessed with lately, it's security. I've never had any of my accounts hacked but that doesn't stop me. It happens all the time though and working in IT I should know how to prevent it.
If you haven't heard about YubiKey and you want to prevent getting your accounts hacked then you should check it out. It's basically a USB key that anything you plug it into will see as a keyboard. If the application you're authenticating against supports it, it can generate one-time passwords for you, so even keyloggers can't catch you out. It works with the likes of Gmail & Dropbox's two-factor authentication, and more and more services are starting to add it as a security feature.
YubiKey allows you to use one of its memory banks for a 32 character static password for services and devices that don't support two-factor authentication, such as Mac OS X FileVault. When you enable FileVault it requires you to enter your password pre-boot so that it can decrypt your stuff, similar to TrueCrypt and BitLocker for Windows.
So I set up a 32 character randomly generated password on my YubiKey and then set this as my OS X login password. I rebooted, and here's where the issue occurs: I press the button on my YubiKey to enter the password and OS X tells me wrong password.
Apparently there is a bug in the EFI firmware that can't cope with the speed at which the YubiKey enters the password, which causes it to drop a few characters.
There is a workaround for this.
Using the YubiKey Personalization Tool that you programmed your YubiKey with, you can set the Output Character Rate, which is the speed at which the YubiKey types the characters. There are three increments in speed. I found that 40ms works great; 20ms suffered from the same issue, however.
So there it is: if you've programmed your YubiKey with a static password and you're having problems authenticating at boot after enabling OS X FileVault, then set your Output Character Rate to a 40ms delay. Voilà!