Reference Material | Yubikey
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services. It generates one-time passwords (OTP) that can be used with Specops Authentication.
To let users authenticate with their Yubikeys, Yubikey must be configured as an identity service in Authentication Web. This procedure assumes that the administrator also has a registered Yubikey they can authenticate with.
- Go to the Yubico API key signup page.
- Input the administrator email address and the Yubikey OTP, then click Get API key. A Client ID and a Secret Key are displayed on the page.
- In Authentication Web, go to Identity Services, and click on the configuration icon beside Yubikey in the list.
- Enter the Client ID and Secret key you just generated in the Yubico client ID and Yubico client secret fields, respectively.
- Generate another Yubikey OTP and enter it in the OTP code field.
- Click Save to save the configuration.
Users can enroll their Yubikey device by going to the enrollment page and selecting Yubikey. They then need to generate an OTP by pressing the physical button on their Yubikey to register their device with Specops Authentication.
Users can register a maximum of 5 separate devices with Specops Authentication. To register additional devices, go to the enrollment page,
Enrollment by admin
Administrators can enroll devices using the device’s public ID, which can be obtained from Yubico. Run the following command with the username and device ID filled in (without square brackets):
Add-SAYubiKeyEnrollment -Username [user_name] -DeviceId [device_id] -Verbose
Multiple devices can also be imported using a CSV file. The parameter names (Username and DeviceId) should be in the header row, and values should be separated by commas. Then read the file in PowerShell and send it to the cmdlet (replace path_to_csv_file with the actual path to the file, omitting the square brackets):
Get-Content [path_to_csv_file] | ConvertFrom-Csv | Add-SAYubiKeyEnrollment -Verbose
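A pre-flight check for the import file, as an added example that is not Specops code: it verifies the two required headers, flags malformed or duplicated device IDs, and counts devices per user against the limit of 5 before anything is sent to the cmdlet. The function name is hypothetical, and the check assumes DeviceId is the default 12-character modhex public ID (the fixed prefix of a 44-character Yubico OTP).

```powershell
# Added example (not Specops code). Assumption: DeviceId is the default
# 12-character modhex public ID, the fixed prefix of a 44-character Yubico OTP.
$ModHexId   = '^[cbdefghijklnrtuv]{12}$'
$ModHexOtp  = '^[cbdefghijklnrtuv]{44}$'
$MaxDevices = 5   # per-user device limit stated on this page

function Test-YubiKeyEnrollmentCsv {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$CsvLines)

    $rows = @($CsvLines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'CSV has no data rows.' }
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in 'Username', 'DeviceId') {
        if ($headers -notcontains $h) { throw "Missing required header: $h" }
    }

    $owner = @{}; $count = @{}; $line = 1   # header row is line 1
    foreach ($r in $rows) {
        $line++
        $user = "$($r.Username)".Trim()
        $id   = "$($r.DeviceId)".Trim().ToLowerInvariant()
        $status = if (-not $user) { 'empty Username' }
            elseif ($id -cmatch $ModHexOtp) { 'full OTP pasted; use the public ID only' }
            elseif ($id -cnotmatch $ModHexId) { 'DeviceId is not 12 modhex characters' }
            elseif ($owner.ContainsKey($id)) { "DeviceId already listed for $($owner[$id])" }
            elseif ([int]$count[$user] -ge $MaxDevices) { "exceeds $MaxDevices devices in this file" }
            else { $owner[$id] = $user; $count[$user] = [int]$count[$user] + 1; 'OK' }
        [pscustomobject]@{ Line = $line; Username = $user; DeviceId = $id; Status = $status }
    }
}

# Constructed sample input (values are not real devices).
$sample = @(
    'Username,DeviceId'
    'alice,ccccccbcdefg'
    'bob,ccccccbcdefg'        # same key listed for two users
    'carol,ccccccabcdef'      # "a" is not a modhex character
    "dave,$('c' * 44)"        # whole OTP instead of the public ID
)
$report = Test-YubiKeyEnrollmentCsv -CsvLines $sample
$report | Format-Table -AutoSize

# Rows that pass can then go to the cmdlet the same way this page pipes them:
# $report | Where-Object Status -eq 'OK' | Select-Object Username, DeviceId |
#     Add-SAYubiKeyEnrollment -Verbose
```

The per-user count covers only the rows in the file; devices a user has already enrolled are not visible to this check.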
When users have registered multiple devices, the devices are listed underneath the authentication field. Clicking on one of the devices will reveal information on the device, as well as a Remove button. Clicking the button will remove the device.
Users can remove the entire enrollment by going to the Enrollment menu page.
Removal by admin
With the username, administrators can remove the Yubikey enrollment for a specific user. This will remove all devices associated with this user. To remove the user's enrollment in the identity service, run the following script:
Remove-SpecopsAuthenticationIdentityServiceEnrollment -Username [user_name] -IdentityServiceId Yubikey -Verbose
Authenticating with Yubikey
To authenticate with Yubikey, users need to choose Yubikey on the Specops Authentication page, then click the button on the inserted Yubikey.