4 Replies Latest reply: Oct 23, 2013 6:03 PM by DanErnst
DanErnst Level 1 (0 points)

I want to use a YubiKey in static password mode to enter my login password for me on my MacBook Pro Retina (latest version) running OS X v10.8.4.

For those who don't know, the YubiKey is a USB device that mimics a keyboard and outputs a password. My YubiKey is programmed to output a 64-character static (same every time) passcode, consisting of upper and lower case letters, and numbers (no special characters or spaces). There is no return on the end, so after pressing the YubiKey button, I wait until all characters are output and the YubiKey button light goes back on, and then I manually hit the return key.

To try this out, I added a new account (with administrator rights). In the first password entry, I touched the YubiKey button to have it enter the static password. For the second entry, I copied and pasted the same static password from a text document I had open, which I had used to capture the YubiKey password output just so I could see it and verify it was what I had intended. I received no error, so I knew that what the YubiKey was outputting in the first blank exactly matched what I saw and pasted into the second, and the account was created successfully.

Now here's the strange thing:

I restarted the computer, chose the new user, pressed the YubiKey button, waited for input to be completed and the YubiKey button to light again, then manually hit the return key. The login input shook, indicating an incorrect password. I tried again several times. Same result.

So I logged in using my original user account.

And then I found an even stranger thing:

I logged out of the old account, and tried logging in to the new user account. This time the password challenge successfully accepted my YubiKey input.

I've tried this several times, and the results are exactly the same. If I try logging directly in to the new account with a YubiKey right after starting or restarting the computer, I get an error. But if I log in to any other account, log out, choose the new account and log in again, it accepts the YubiKey password.

It also works when switching users, as long as some other user is signed in before the YubiKey account.

 

Why is the exact same YubiKey output denied at initial login, yet accepted after logging out of another account or switching? There must be some difference between an initial user login and a subsequent login. I have FileVault turned on. Perhaps it has something to do with that, in that the initial login unlocks FileVault and a subsequent login doesn't have to? Perhaps there is a password length limit, and 64 characters is just too long for the initial login screen (or FileVault)?

I have not tried this with a YubiKey programmed to output a shorter password, but that's next.

Has anyone else had a similar experience with really long passwords at login?


MacBook Pro with Retina display, OS X Mountain Lion (10.8.4)