YubiKey (MFA) (2024)

A YubiKey is a brand of security key used as a physical multifactor authentication device. To use it, the user inserts the YubiKey into a USB port on their computer when they're signing in and taps its button when prompted. Depending on the YubiKey model and how it's enrolled, the key either emits a one-time password (OTP) or performs a biometric (fingerprint) verification.

This topic provides instructions for setting up and managing the YubiKey in OTP mode. To use the YubiKey for biometric verification, see FIDO2 (WebAuthn).

To use this multifactor authentication (MFA) factor, first program the YubiKeys and generate a CSV file of their OTP secrets with the YubiKey Personalization Tool from Yubico, the YubiKey's maker. Then activate the YubiKey factor in Okta and import the CSV file. Users enroll their YubiKey the next time they sign in to Okta.

YubiKey in OTP mode isn't a phishing-resistant factor. The key types the OTP as keyboard input into whatever page has focus, and the OTP carries no binding to the site's origin, so a phishing page can capture it and relay it to Okta until the user generates a newer OTP. Where phishing resistance is required, enroll the key as a FIDO2 (WebAuthn) authenticator instead.

Before you begin

Before you can enable the YubiKey factor, program each YubiKey and generate a YubiKey OTP Secrets file (also known as the YubiKey Seed File) with the YubiKey Personalization Tool. The OTP secrets file is a CSV that you upload to Okta to activate the YubiKeys. See Programming the YubiKey for Okta Adaptive Multifactor Authentication. The file contains each key's AES secret, so after you generate it, save it to a secure location and don't leave working copies on shared systems.

Don't create a YubiKey OTP secrets file by hand. Only the YubiKey Personalization Tool writes the public identity, private identity, and secret key for each YubiKey in the form that matches what was programmed onto the key. If this information is missing or mismatched, the YubiKey won't work.

After you configure the YubiKey and upload the YubiKey OTP secrets file to Okta, distribute the YubiKey to your end users.

Create a YubiKey configuration file

Before you can enable the YubiKey integration as a multifactor authentication option, obtain and upload a Configuration Secrets file generated with the YubiKey Personalization Tool. This is the same file that other sections call the YubiKey OTP Secrets file, YubiKey Seed File, or Okta secrets file. Find details on generating it in Programming the YubiKey for Okta Adaptive Multifactor Authentication.

The Configuration Secrets file is a CSV that lets you provide authorized YubiKeys to your org's end users. Yubico ships the requested number of "clean" hard tokens, which you program and then distribute to your end users.

Read and follow the instructions in Programming the YubiKey for Okta Adaptive Multifactor Authentication carefully. When you've finished, follow the steps under Uploading into the Okta Platform in Using YubiKey Authentication in Okta.

Troubleshoot the Configuration Secrets file

If you encounter problems with generating your Configuration Secrets file or in configuring your YubiKey, verify that you've completed the following tasks.

  • Select Configuration Slot 1. Each YubiKey ships with Slot 1 configured for the YubiCloud. If you plan to use your YubiKey for services other than Okta, you can use Slot 2 for the Okta configuration. However, if you're experiencing errors, it's a best practice to use Configuration Slot 1 exclusively for Okta. Programming a slot overwrites whatever was in it, so a user who later reprograms the slot for another service breaks their Okta enrollment.

  • Click all three Generate buttons (Public Identity, Private Identity, and Secret Key). A field left empty produces a secrets file that Okta can't use.

  • Verify that the Public Identity value appears in the generated OTP. If it doesn't, the YubiKey isn't configured correctly.
  1. Open the CSV file generated by the YubiKey Personalization Tool.
  2. Note the Public Identity value, listed as the second field of the line for that key's serial number.
  3. Open a text editor, then tap the YubiKey that was configured for use with Okta. Allow the YubiKey to type the OTP into the text editor.
  4. Check that the OTP begins with the Public Identity value. A Yubico OTP is the public identity (normally 12 modhex characters) followed by 32 modhex characters of encrypted token, 44 characters in total. If the public identity isn't the prefix of the OTP, the YubiKey hasn't been successfully configured, or the OTP came from a different slot.
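The check in steps 2 through 4, as an added example (this is not Okta's or Yubico's code). It parses a secrets CSV, splits a captured OTP into its public identity prefix and 32-character body, and reports which seed row the OTP belongs to. The CSV column order (serial, public identity, private identity, secret key, then further columns) is an assumption; the page only guarantees that the public identity is the second field. The sample CSV rows and the sample OTP are constructed dummies.

```python
# Added example (not Okta's or Yubico's code): parse a YubiKey OTP secrets
# CSV and check which programmed key a captured OTP belongs to.
import csv
import io
import re

# Yubico's modhex alphabet: the 16 key positions that produce the same
# characters on every keyboard layout. modhex 'c' is hex 0, 'v' is hex f.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_TO_HEX = str.maketrans(MODHEX_ALPHABET, "0123456789abcdef")
# A Yubico OTP is 32 modhex chars of AES ciphertext, prefixed by the
# public identity (usually 12 modhex chars, so 44 in total).
_OTP_RE = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to ordinary hex; reject anything else."""
    if not s or any(ch not in MODHEX_ALPHABET for ch in s):
        raise ValueError(f"not modhex: {s!r}")
    return s.translate(_MODHEX_TO_HEX)


def modhex_to_bytes(s: str) -> bytes:
    return bytes.fromhex(modhex_to_hex(s))


def parse_secrets_csv(text: str) -> dict:
    """Return {serial: {public_id, private_id, secret_key}} from a secrets CSV.

    Assumed column order: serial, public identity (modhex), private identity
    (hex), secret key (hex), then any further columns. The page only states
    that the public identity is the second field.
    """
    keys = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip() or row[0].startswith("#"):
            continue
        if len(row) < 4:
            raise ValueError(f"short row: {row!r}")
        serial, public_id, private_id, secret_key = (f.strip() for f in row[:4])
        modhex_to_hex(public_id)  # raises if the field isn't modhex
        if len(private_id) != 12 or len(secret_key) != 32:
            raise ValueError(f"bad private id or key length for serial {serial}")
        keys[serial] = {
            "public_id": public_id,
            "private_id": bytes.fromhex(private_id),
            "secret_key": bytes.fromhex(secret_key),  # AES-128 key; keep off disk
        }
    return keys


def split_otp(otp: str) -> tuple:
    """Split an OTP (as typed by the key, trailing newline allowed) into
    (public_id, ciphertext_modhex). The public identity is the prefix that
    precedes the final 32 characters, not an arbitrary substring."""
    otp = otp.strip()
    if not _OTP_RE.match(otp):
        raise ValueError(f"not a Yubico OTP: {otp!r}")
    return otp[:-32], otp[-32:]


def match_otp_to_key(otp: str, keys: dict):
    """Return the serial whose public identity the OTP carries, or None.
    The body is still AES-encrypted; this only shows which seed row a
    validator would look up, which is what the troubleshooting step checks."""
    public_id, _ = split_otp(otp)
    for serial, entry in keys.items():
        if entry["public_id"] == public_id:
            return serial
    return None


# Constructed sample data; the secrets are dummies, not real key material.
SAMPLE_SECRETS_CSV = """\
1234567,vvcccccccbbe,1234567890ab,000102030405060708090a0b0c0d0e0f,000000000000,2024-01-01T00:00:00
7654321,vvccccccccbd,ba0987654321,0f0e0d0c0b0a09080706050403020100,000000000000,2024-01-01T00:00:00
"""
# Constructed OTP: public identity of serial 1234567 plus a 32-char body.
SAMPLE_OTP = "vvcccccccbbe" + "cbdefghijklnrtuvcbdefghijklnrtuv" + "\n"

if __name__ == "__main__":
    seeds = parse_secrets_csv(SAMPLE_SECRETS_CSV)
    print("OTP belongs to serial:", match_otp_to_key(SAMPLE_OTP, seeds))
```

Matching on the prefix rather than searching the whole string matters: the 32-character body is modhex too, and a short public identity could appear inside it by chance.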

Activate the YubiKey factor and add the YubiKey

  1. In the Admin Console, go to Security > Multifactor.
  2. Click YubiKey.
  3. Click Browse, find the YubiKey Seed File that you created using the YubiKey Personalization Tool, and click Open.
  4. Click Inactive and select Activate to enable the YubiKey factor.

View a list of assigned and unassigned YubiKeys

After you add the YubiKeys, check the YubiKey report to verify that they're correct and view the status of each YubiKey.

  1. In the Admin Console, go to Security > Multifactor.
  2. Select the Factor Types tab.
  3. Select YubiKey.
  4. Click View Report.
  5. Use the criteria under the Filters pane to customize your search.
  6. Review the status of each YubiKey in the Status column:
  • The status appears as UNASSIGNED until the end user enrolls their YubiKey.
  • Once the end user has enrolled their YubiKey, the status changes to ACTIVE.
  • When you revoke a YubiKey, the status changes to REVOKED.

Revoke the YubiKey

Revoking a YubiKey decommissions a single YubiKey, for example when it has been reported lost or stolen. Revoking a YubiKey also removes its association with the user to whom it was assigned, so the OTPs it generates are no longer accepted for that user.

If a user finds a lost YubiKey, don't reuse it. While it was out of the user's control its secret may have been extracted or the slot reprogrammed, so discard it and configure a new YubiKey for the user.

  • For auditing purposes, a YubiKey that has been assigned to a user is never removed from the YubiKey Report. Even after you revoke or reassign it, it still appears there.
  • To reassign a YubiKey to a different user, delete its seed and upload it again.
  • A YubiKey that hasn't been assigned to a user may be deleted.
  • A YubiKey serial can't be removed while it's active for a user.

  1. In the Admin Console, go to Security > Multifactor.
  2. Select the Factor Types tab.
  3. Select YubiKey.
  4. Paste the serial number into the Revoke YubiKey Seed field and click Find YubiKey. Information about the YubiKey appears.
  5. Click Revoke. The confirmation message appears.
  6. Click Done.

Delete the YubiKey OTP factor

If you delete the YubiKey factor, you also delete all YubiKeys enrolled in one-time password mode. YubiKeys enrolled in biometric (FIDO2/WebAuthn) mode aren't affected. You can't undo this action, and the seeds file must be uploaded again to re-enable OTP mode.

  1. In the Admin Console, go to Security > Multifactor.
  2. Select YubiKey.
  3. Click Active, then Deactivate.
  4. When the Delete YubiKey factor prompt appears, click Delete.

End-User experience

Enroll a YubiKey for the first time on a desktop browser

When the end user receives their newly provisioned YubiKey, they can activate it themselves by doing the following:

  1. Sign in to Okta.
  2. On the Set up factors page of the Sign-In Widget, click Set up under YubiKey. The Set up YubiKey page appears.
  3. Insert the YubiKey and tap its button when prompted.
  4. Click Verify. The Set up security methods page appears.
  5. Click Finish.

Use YubiKey in OTP mode at subsequent desktop browser sign-ons

After the end user has activated their YubiKey for one-time passwords, they can use it for multifactor authentication at subsequent sign-ons:

  1. Sign in to Okta.
  2. When the Verify with YubiKey page appears, insert the YubiKey and tap its button when prompted.

Okta uses the YubiKey's session counters. Each OTP carries a session counter (incremented when the key is powered up) and a session-use counter (incremented on each tap), and Okta accepts an OTP only if this pair is greater than the pair from the last OTP it accepted for that key. Your current OTP therefore invalidates all previous ones in Okta. Those earlier OTPs may, however, still be accepted by another service that holds the same secret, because each validator keeps its own counter state.
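The counter rule described above, as an added example (not Okta's or Yubico's code). It works on the 16-byte plaintext that AES-128-ECB decryption of the OTP body yields, and does what a validator does with it: checks the CRC-16 residue, matches the private identity (uid) against the seed, and rejects any OTP whose (session counter, session-use counter) pair isn't greater than the last accepted one. Decryption itself is assumed to have happened already (the standard library has no AES), so the tokens here are constructed directly in plaintext form with a helper that mirrors what the key emits; the uid values are dummies.

```python
# Added example (not Okta's or Yubico's code): validate the 16-byte plaintext
# of a Yubico OTP and enforce the session/use counter rule. AES-128-ECB
# decryption of the 32-char modhex body with the seed's secret key is assumed
# to have happened already; tokens are constructed in plaintext form here.
import struct

# Yubico's CRC-16 (poly 0x8408 reflected, init 0xffff, no final xor).
# The key stores the ones' complement of the CRC over the first 14 bytes, so
# computing the CRC over all 16 bytes of a valid token leaves 0xf0b8.
CRC_OK_RESIDUE = 0xF0B8


def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


# Token layout (little-endian): uid[6], session counter u16, timestamp low u16,
# timestamp high u8, session use counter u8, random u16, crc u16.
_TOKEN_FMT = "<6sHHBBHH"


def parse_token(plain: bytes) -> dict:
    uid, ctr, ts_lo, ts_hi, use, rnd, crc = struct.unpack(_TOKEN_FMT, plain)
    return {
        "uid": uid,
        "session_ctr": ctr & 0x7FFF,  # bit 15 is the caps-lock flag, not a count
        "use_ctr": use,
        "timestamp": (ts_hi << 16) | ts_lo,
    }


def build_token(uid: bytes, session_ctr: int, use_ctr: int,
                timestamp: int = 0x010203, rnd: int = 0x4321) -> bytes:
    """Construct a plaintext token the way a key would emit it (test helper)."""
    body = struct.pack("<6sHHBBH", uid, session_ctr, timestamp & 0xFFFF,
                       (timestamp >> 16) & 0xFF, use_ctr, rnd)
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


class OtpValidator:
    """Tracks the highest (session, use) counter pair accepted per key."""

    def __init__(self):
        self._last = {}

    def validate(self, plain: bytes, expected_uid: bytes) -> str:
        if len(plain) != 16:
            return "malformed"
        if crc16(plain) != CRC_OK_RESIDUE:
            return "bad-crc"          # wrong AES key or corrupted OTP
        tok = parse_token(plain)
        if tok["uid"] != expected_uid:
            return "wrong-key"        # decrypted cleanly but not this seed's key
        counters = (tok["session_ctr"], tok["use_ctr"])
        if counters <= self._last.get(expected_uid, (-1, -1)):
            return "replayed"         # not newer than the last accepted OTP
        self._last[expected_uid] = counters
        return "ok"


if __name__ == "__main__":
    uid = bytes.fromhex("1234567890ab")  # constructed private identity
    v = OtpValidator()
    first = build_token(uid, 5, 1)
    print(v.validate(first, uid), v.validate(first, uid))
```

The comparison is on the tuple, so an OTP from an earlier power cycle is rejected even if its use counter is large, and a new session starts at use counter 0 and is accepted. A captured OTP that hasn't yet been superseded still passes, which is why OTP mode isn't phishing-resistant.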

Enrollment failure

If an end user is unable to enroll their YubiKey successfully, ensure that the token was successfully uploaded into the Okta platform. Review the YubiKey Report and search for the YubiKey's serial number for the end user who is attempting to enroll.

  • If the YubiKey appears in the YubiKey Report with the status Unassigned, the user may have reprogrammed their YubiKey and overwritten the secrets associated with it. The admin must program the key again, create another YubiKey Configuration Secrets file, and upload it to Okta.
  • If the YubiKey doesn't appear in the YubiKey Report, the YubiKey secrets file wasn't uploaded correctly. Upload it to Okta again.

Ensure that you've programmed the Okta configuration into the intended YubiKey slot, and that the end user triggers the same slot when enrolling (a short tap for Slot 1, a long press for Slot 2).

Supported protocols and communication channels

Okta supports the following token modes:

Some YubiKey models may support other protocols, such as NFC. Refer to your YubiKey device specifications to confirm which protocols it supports.
