Yubikey

The Yubikey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services. It generates one-time passwords (OTP) that can be used with Specops Authentication.

NOTE

Yubikey can only be used with Specops Authentication if the Yubikey supports Yubico OTP (One Time Password) as a security function. These are: Yubikey 5 Series and Yubikey FIPS Series.

Use the following links to identify your Yubikey and see its functions.

Configuring Yubikey


To let users authenticate using their Yubikeys, Yubikey needs to be configured as an identity service in Authentication Web. This procedure assumes that the administrator also has a registered Yubikey they can authenticate with.

  1. Go to the Yubico API key signup page.
  2. Input the administrator email address and the Yubikey OTP, then click Get API key. A Client ID and a Secret Key are displayed on the page.
  3. In Authentication Web, go to Identity Services, and click on the configuration icon next to Yubikey in the list.
  4. Enter the Client ID and Secret key you just generated in the Yubico client ID and Yubico client secret fields, respectively.
  5. Generate another Yubikey OTP and enter it in the OTP code field.
  6. Click Save to save the configuration.

Enrollment


Manual enrollment

Users can enroll their Yubikey device by going to the enrollment page and selecting Yubikey. They then need to generate an OTP by pressing the physical button on their Yubikey to register their device with Specops Authentication.

Multiple devices

Users can register a maximum of 5 separate devices with Specops Authentication. To register additional devices, go to the enrollment page.

NOTE
Users can enter a friendly name for each device to make them more easily identifiable.
NOTE
It is also possible to have multiple OTP generators on the same device using long and short presses. Use the Yubikey admin tool to edit the two memory slots on the device: https://www.yubico.com/support/download/yubikey-manager/

Enrollment by admin

Administrators can enroll devices using the device’s public ID, which can be obtained from Yubico. Run the following command, with the username and device ID filled in, respectively (without square brackets):

Add-SAYubiKeyEnrollment -Username [user_name] -DeviceId [device_id] -Verbose

Multiple devices can also be imported using a CSV file. The parameter names (Username and DeviceId) should be in the header row, with values separated by commas. Then read the file in PowerShell and send it to the cmdlet (replace path_to_csv_file with the actual path to the file, omitting the square brackets):

Get-Content [path_to_csv_file] | ConvertFrom-Csv | Add-SAYubiKeyEnrollment -Verbose
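
A pre-import check for the CSV described above, as an added example that is not part of the Specops documentation or product: it rejects the whole file if a column is missing, a device ID is malformed or repeated, or one user has more than 5 devices listed. Test-YubiKeyEnrollmentCsv is a hypothetical helper name, the sample rows are constructed, and the 12-character modhex format for DeviceId is an assumption based on factory-programmed Yubico OTP public IDs.

```powershell
# Added example, not Specops code. Test-YubiKeyEnrollmentCsv is a hypothetical helper.
function Test-YubiKeyEnrollmentCsv {
    param([Parameter(Mandatory)][string]$Path)

    $rows = @(Get-Content -Path $Path | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw "No data rows in $Path" }

    # The header row must carry the parameter names the cmdlet binds to.
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($name in 'Username', 'DeviceId') {
        if ($headers -notcontains $name) { throw "Missing column '$name' in $Path" }
    }

    $problems = @()
    $line = 1   # line 1 is the header
    foreach ($row in $rows) {
        $line++
        if ([string]::IsNullOrWhiteSpace($row.Username)) {
            $problems += "Line ${line}: empty Username"
        }
        # Assumption: DeviceId is a 12-character modhex public ID (alphabet cbdefghijklnrtuv).
        if ($row.DeviceId -cnotmatch '^[cbdefghijklnrtuv]{12}$') {
            $problems += "Line ${line}: DeviceId '$($row.DeviceId)' is not 12 modhex characters"
        }
    }
    # A device listed twice usually means a copy/paste error or a key assigned to two users.
    foreach ($g in ($rows | Group-Object DeviceId | Where-Object Count -gt 1)) {
        $problems += "DeviceId '$($g.Name)' appears $($g.Count) times"
    }
    # Counts devices in this file only; existing enrollments are not visible here.
    foreach ($g in ($rows | Group-Object Username | Where-Object Count -gt 5)) {
        $problems += "User '$($g.Name)' has $($g.Count) devices in the file (maximum is 5)"
    }

    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return }
    $rows   # emitted only when every row passed, so nothing is enrolled from a bad file
}

# Constructed sample input (user names and device IDs are made up).
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'yubikey-enroll.csv'
@'
Username,DeviceId
alice,ccccccbcdefg
bob,ccccccbcdefh
'@ | Set-Content -Path $csv

Test-YubiKeyEnrollmentCsv -Path $csv | Format-Table
# On a host with the Specops cmdlets, pipe the validated rows to the command shown above:
# Test-YubiKeyEnrollmentCsv -Path $csv | Add-SAYubiKeyEnrollment -Verbose
```

If slots were reprogrammed with a custom public ID of a different length, adjust the DeviceId pattern before relying on this check.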

Device Removal


Manual Removal

When users have registered multiple devices, the devices are listed underneath the authentication field. Clicking on one of the devices will reveal information on the device, as well as a Remove button. Clicking the button will remove the device.

Users can remove the entire enrollment by going to the Enrollment menu page.

Removal by admin

With the username, administrators can remove the Yubikey enrollment for a specific user. This will remove all devices associated with this user. To remove the identity service, run the following script:

Remove-SpecopsAuthenticationIdentityServiceEnrollment -Username [user_name] -IdentityServiceId Yubikey -Verbose

Authenticating with Yubikey


To authenticate with Yubikey, users need to choose Yubikey on the Specops Authentication page, then click the button on the inserted Yubikey.