What is YubiKey

  • Developed by YubiCo
  • It is a Multi-Factor Authentication (MFA) Device
  • It emits a unique one-time-password (OTP) when activated
  • Allows users to securely log into their devices
  • We support YubiKey 4 & 5 in OTP mode
  • User authentication is handled strictly by Known Access security
  • To start user authentication, the YubiKey seed (configuration) file needs to be uploaded
  • Authentication success or failure is notified to the user

About YubiKey Architecture

  • YubiKey has two programmable slots
  • Slot #1 comes pre-programmed
  • Slot #2 comes empty and can be programmed
  • Slot #1 can be re-programmed
  • YubiKey 5 has a USB interface
  • Has a touch sensitive area
  • When the touch sensitive area is touched, it generates an OTP
  • When touched for 0.5 to 1.5 seconds, it gives the OTP from Slot #1
  • When touched for 2 to 5 seconds, it gives the OTP from Slot #2

How to Program YubiKeys using YubiCo’s Personalization Tool

  • Download the YubiCo’s Personalization Tool to create a configuration file
  • Open the personalization tool and go to the Settings
  • General Settings – No Change
  • Output Settings – No Change
  • Output Speed Throttling – Keep the “Standard” output character rate
  • Serial # Visibility Setting – Check mark “Button at startup”
  • Serial # Visibility Setting – Check mark “API call”
  • Update Settings – Check mark “Enable updating of YubiKey configuration”
  • Logging Settings – Check mark “Log configuration output” & set the format to “Yubico format”

Next Step – YubiKey OTP Configuration

  • Go to the “YubiCo OTP” screen
  • Select “Configure Slot 1”
  • Select “Program Multiple YubiKeys”
  • Select “Automatically program YubiKeys when inserted”
  • For Parameter Generation Scheme please pick “Identity from serial, Randomize Secrets”
  • Under “YubiCo OTP Parameters” select “Public Identity” & “Private Identity”
  • Please click on the “Generate” buttons for Public Identity, Private Identity & Secret Key.
  • Select the “Write Configuration” button
  • Provide a configuration file name when prompted
  • Under “YubiKey(s) Protection (6 bytes Hex)” please pick “Enable protection”
  • For “New Access Code” please select a 6-byte access code that you will be using to re-program your keys.
  • At this point the OTP screen is configured. Now insert one YubiKey at a time and you will notice an additional configured YubiKey at the bottom of the screen.

How to Load the YubiKey Configuration File

  • When the YubiKey programming is done, a configuration file is created.
  • The name of the configuration file was picked when the “Write Configuration” button, in the OTP screen, was clicked for the first time.
  • Bring that configuration file to the Known Access CSAC server.
  • Load the file using the command:
  • load_yubikey YubiKey-Configuration-File-Name
  • The YubiKey configuration is loaded into the Known Access Server
  • Administrators can assign the YubiKeys to their users
  • There is a capability to auto-assign YubiKeys to the users
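As an added illustration of what a load step like the one above has to do (this is not Known Access code, and the column order of the personalization tool's “Yubico format” log is assumed here), the snippet below parses constructed sample lines, validates the public identity and key fields, and upserts each record by public identity so a re-programmed key overwrites its own row while earlier keys stay in place:

```python
import csv
from io import StringIO

MODHEX = set("cbdefghijklnrtuv")

# Constructed sample lines in the assumed "Yubico format" column order:
# serial,public_id,private_id,aes_key,access_code,timestamp,
SAMPLE_CONFIG = """\
1234501,ccccccbcdefg,0123456789ab,00112233445566778899aabbccddeeff,aabbccddeeff,2024-01-02T10:00:00,
1234502,ccccccbcdefh,ba9876543210,ffeeddccbbaa99887766554433221100,aabbccddeeff,2024-01-02T10:01:00,
"""

def parse_config(text):
    """Yield (public_id, record) per well-formed line; skip the rest."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 6:
            continue
        serial, public_id, private_id, aes_key, _access_code, stamp = row[:6]
        # Public identity: 12 modhex chars (6 bytes); AES key: 32 hex chars.
        if len(public_id) != 12 or not set(public_id) <= MODHEX:
            continue
        try:
            if len(bytes.fromhex(aes_key)) != 16:
                continue
            bytes.fromhex(private_id)
        except ValueError:
            continue
        # The access code only guards re-programming; keep it out of the auth DB.
        yield public_id, {"serial": serial, "private_id": private_id,
                          "aes_key": aes_key, "programmed": stamp}

def load_yubikey(table, text):
    """Upsert records into table; returns (inserted, overwritten)."""
    inserted = overwritten = 0
    for public_id, rec in parse_config(text):
        old = table.get(public_id)
        if old is None:
            rec.update(state="New", user=None)
            inserted += 1
        else:
            # Re-programmed key: replace secrets, keep assignment (assumed)
            rec.update(state=old["state"], user=old["user"])
            overwritten += 1
        table[public_id] = rec
    return inserted, overwritten
```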

How to Enable, Disable & Delete Stolen YubiKeys

  • Administrators can very easily unassign a YubiKey from a user
  • A YubiKey can be disabled
  • A disabled YubiKey can be enabled
  • A YubiKey can be re-assigned to the same user
  • An unassigned YubiKey can be re-assigned to a different user
  • A YubiKey can be re-programmed at any time
  • A re-programmed YubiKey configuration file can be loaded without deleting the earlier programmed YubiKeys
  • All re-programmed YubiKeys are over-written in the database
  • All saved YubiKey configuration files are kept encrypted

How to Authenticate using YubiKey

  • User connects the YubiKey with USB connector to desktop
  • Every time you press on YubiKey, it emits a unique one-time password (OTP)
  • At the time of initial user configuration a temporary codeword is issued to the user that must be used with the YubiKey OTP
  • The YubiKey user must login using the assigned UserID & passcode (temporary codeword followed by YubiKey OTP)
  • If the authentication is successful, the user is asked to change the temporary codeword
  • Also if it was the first authentication attempt then the YubiKey just used by the user is assigned to the user
  • Once a YubiKey is assigned to the user, the user must use that particular YubiKey in the future. Use of any other YubiKey will not be allowed
  • If a YubiKey user logs in using UserID and Codeword only then the user will be prompted to enter the YubiKey OTP
  • A user authenticating with a disabled YubiKey will not be allowed the access
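The login rules above and the key states listed below, as an added worked example (not Known Access code): the passcode is split into the codeword and the trailing 44-character modhex OTP, the first 12 OTP characters identify the key, and the assignment rules decide the outcome. The key and user tables are constructed, and the AES decryption and counter check of the token, which this page does not describe, are represented by an injectable otp_valid callback.

```python
import hmac

MODHEX = set("cbdefghijklnrtuv")
OTP_LEN = 44           # 12 modhex public ID + 32 modhex encrypted token
PUBLIC_ID_LEN = 12

# Constructed key table keyed by public identity (states from the page)
KEYS = {
    "ccccccbcdefg": {"state": "New", "user": None},
    "ccccccbcdefh": {"state": "Assigned", "user": "bob"},
    "ccccccbcdefi": {"state": "Disabled", "user": "carol"},
}
# Constructed user table: UserID -> current (temporary) codeword
USERS = {"alice": "temp123", "bob": "s3cret", "carol": "pw"}

def split_passcode(passcode):
    """Return (codeword, otp); the OTP is the trailing 44 modhex chars."""
    if len(passcode) < OTP_LEN:
        return None
    codeword, otp = passcode[:-OTP_LEN], passcode[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        return None
    return codeword, otp

def authenticate(user_id, passcode, otp_valid=lambda otp: True):
    """Apply the page's rules; otp_valid stands in for the AES/counter
    check of the token, which this page does not describe."""
    parts = split_passcode(passcode)
    if parts is None:
        return "fail: OTP missing or malformed"
    codeword, otp = parts
    if not codeword:
        return "fail: codeword missing"
    if not hmac.compare_digest(USERS.get(user_id, ""), codeword):
        return "fail: wrong codeword"
    key = KEYS.get(otp[:PUBLIC_ID_LEN])
    if key is None:
        return "fail: unrecognized public identity"
    if key["state"] == "Disabled":
        return "fail: key disabled"
    if not otp_valid(otp):
        return "fail: OTP rejected"
    if key["user"] is None:          # New or Unassigned: first use binds it
        key["state"], key["user"] = "Assigned", user_id
        return "ok: key assigned, change temporary codeword"
    if key["user"] != user_id:
        return "fail: key assigned to another user"
    return "ok"
```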

Different States of YubiKey

  • New – Never Assigned
  • Unassigned – It was assigned earlier to someone
  • Assigned – It is already assigned to someone
  • Disabled – An Administrator can disable any YubiKey

Troubleshooting

  • If you get an unrecognized YubiKey public identity then make sure all your YubiKey configuration files are loaded
  • Make sure the user is using the correct slot number for authenticating with the Known Access servers
  • Make sure the user is using the YubiKey that is assigned to him/her.
  • Use of a disabled YubiKey will result in authentication failure
  • Use of a YubiKey OTP without the codeword will result in failure
  • Use of a wrong codeword with a correct YubiKey OTP will result in failure
  • Use of the right YubiKey OTP with wrong register values will result in failure