Configure YubiKey OTP for one-time passwords

A YubiKey is a brand of security key used as a physical multifactor authentication device. To use it, the user inserts the YubiKey into a USB port on their computer when they're signing in and taps the YubiKey's button when prompted. The YubiKey may provide a one-time password (OTP) or perform fingerprint (biometric) verification, depending on the type of YubiKey the user presents.

This topic provides instructions for setting up and managing YubiKeys using the one-time password mode. To set up and manage YubiKeys as biometric verification, see Configure a FIDO2 (WebAuthn) authenticator.

YubiKey in OTP mode is not a phishing-resistant authenticator.

To set up your org to use YubiKeys for one-time passwords, you first use a tool from Yubico, the maker of YubiKey, to generate a .csv file describing the YubiKeys you'll import. Then you activate the YubiKey OTP authenticator in Okta and import that .csv file. End users activate their own YubiKeys the next time they sign in to Okta.

Before you begin

Before you can enable the YubiKey OTP authenticator for one-time password mode, you need to configure the YubiKeys and generate a YubiKey Seed File (also called a YubiKey Secrets File) using the YubiKey Personalization Tool. The YubiKey Seed File is a .csv that you upload into Okta to activate the YubiKeys. See Programming YubiKeys for Okta Adaptive Multi-Factor Authentication for instructions. When you have finished generating the YubiKey Seed File, save it to a secure location.

Do not create a YubiKey Seed File by hand: a hand-written file lacks the public and private key information that must be associated with each YubiKey, so YubiKeys imported from it may not work properly.

After you have configured the YubiKeys and uploaded the YubiKey Seed File to Okta, you can distribute the YubiKeys to your end users.

Activate the YubiKey OTP authenticator and add YubiKeys

To activate this authenticator, you must add YubiKeys at the same time.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click Add Authenticator.
  3. Click Add YubiKeys under the Add YubiKey OTP option. The Add YubiKey dialog appears.
  4. Click Browse beside the Upload YubiKey Seed File field. The file selector window appears.
  5. Select the YubiKey Seed File that you created using the YubiKey Personalization Tool and click Open.
  6. Click Upload Seed File. The File uploaded confirmation message appears.
  7. Click Add. The Authenticators page appears, and the YubiKey OTP authenticator appears in the list.

View YubiKey user assignments and statuses

After you have added YubiKeys, you can check the YubiKey Report to verify that they were added correctly and view the status of each YubiKey.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Authenticators page, click Actions for the YubiKey OTP authenticator and select YubiKey OTP Report. The YubiKey OTP Report page appears.
  3. Use the criteria under the Filters pane to customize your search.
  4. Review the status of each YubiKey in the Status column:
  • The status appears as UNASSIGNED until the end user enrolls their YubiKey.
  • Once the end user has enrolled their YubiKey, the status changes to ACTIVE.
  • When you revoke a YubiKey, the status changes to REVOKED.

Revoke YubiKeys

Revoking a YubiKey allows you to decommission a single YubiKey, such as when it has been reported as lost or stolen. In addition, revoking a YubiKey removes its association with the user to whom it was assigned.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Authenticators page, click Actions for the YubiKey authenticator and select YubiKey OTP Report. The YubiKey OTP Report page appears.
  3. Use the criteria under the Filters pane to customize your search.
  4. When you have found the YubiKey you want to revoke, select its serial number and copy it to the clipboard.
  5. Go to Security > Authenticators.
  6. Click Actions for the YubiKey OTP authenticator and select Revoke YubiKey. The Revoke YubiKey page appears.
  7. Paste the serial number into the YubiKey serial number field and click Find. Information about the YubiKey appears.
  8. Click Revoke. The confirmation message appears.
  9. Click Close.

Delete the YubiKey OTP authenticator

Deleting the YubiKey authenticator will also delete all YubiKeys used for one-time password mode; it doesn't delete YubiKeys used in biometric mode. This action can't be undone.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click Actions for the YubiKey authenticator and select Delete. The Delete YubiKey OTP Authenticator prompt appears.
  3. Click Delete.

End user experience

Enroll a YubiKey for the first time on a desktop browser

When the end user receives their newly provisioned YubiKey, they can activate it themselves by doing the following:

  1. Sign in to Okta.
  2. On the Set up security methods page of the Sign-In Widget, click Set up under YubiKey OTP Authenticator. The Set up YubiKey OTP page appears.
  3. Insert the YubiKey and tap its button when prompted.
  4. Click Verify. The Set up security methods page appears.
  5. Click Finish.

Use YubiKey in OTP mode at subsequent desktop browser sign-ons

After the end user has activated their YubiKey for one-time passwords, they can use it for multifactor authentication at subsequent sign-ons:

  1. Sign in to Okta.
  2. When the Verify with YubiKey page appears, insert the YubiKey and tap its button when prompted.

Because Okta tracks each YubiKey's session counters, the OTP you provide when you sign in to Okta with a YubiKey in OTP mode invalidates all OTPs that YubiKey issued earlier. Those earlier OTPs may, however, still be valid on other websites.
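The counter rule in the paragraph above is the standard Yubico OTP validation check, shown here as an added Go example (not Okta's or Yubico's code) that decrypts the 44-character OTP, verifies the CRC residue and private ID, and rejects any OTP whose (session counter, use) pair is not newer than the last accepted one; since each validation service keeps that state on its own, earlier OTPs can remain valid elsewhere. It assumes a hypothetical KeyState record holding the AES key and private ID the YubiKey was programmed with plus the last accepted counters, and a constructed 16-byte test key.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)
// Modhex: Yubico's keyboard-layout-independent hex alphabet (c=0 ... v=15).
const modhex = "cbdefghijklnrtuv"
// crc16 is Yubico OTP's reflected CRC-16 (poly 0x8408, init 0xFFFF); an intact token hashes to 0xF0B8.
func crc16(b []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // xor in the polynomial only when the low bit is set
		}
	}
	return crc
}

// KeyState (hypothetical): a validation server's per-YubiKey record of programmed secrets and last accepted counters.
type KeyState struct {
	AESKey, PrivateID []byte
	Counter, Use      uint16 // 15-bit session counter; use count within that session
}
// Validate accepts an OTP only if it decrypts to a token with a good CRC and the expected private
// ID whose (counter, use) is newer than the last accepted pair; every OTP issued earlier is dead.
func Validate(ks *KeyState, otp string) error {
	if len(otp) != 44 || strings.Trim(otp, modhex) != "" || len(ks.AESKey) != 16 {
		return errors.New("need a 44-character modhex OTP and a 16-byte AES key")
	}
	tok := make([]byte, 16) // chars 0-11 are the public ID; chars 12-43 encode one AES block
	for i := range tok {
		tok[i] = byte(strings.IndexByte(modhex, otp[12+2*i])<<4 | strings.IndexByte(modhex, otp[13+2*i]))
	}
	block, _ := aes.NewCipher(ks.AESKey) // cannot fail: the key length was checked above
	block.Decrypt(tok, tok)              // decrypt in place; the token is exactly one block
	if crc16(tok) != 0xF0B8 || string(tok[:6]) != string(ks.PrivateID) {
		return errors.New("bad CRC or private ID: wrong key, corrupted or forged OTP")
	}
	ctr, use := binary.LittleEndian.Uint16(tok[6:8])&0x7FFF, uint16(tok[11])
	if ctr < ks.Counter || ctr == ks.Counter && use <= ks.Use {
		return errors.New("replayed or superseded OTP")
	}
	ks.Counter, ks.Use = ctr, use
	return nil
}
```

A real deployment looks the record up by the OTP's first 12 characters (the public ID) and persists the updated counters atomically before answering.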

Enroll YubiKey in NFC mode on iOS devices

You can enroll YubiKey in NFC mode on iOS devices that support NFC.

  1. Sign in to Okta on an iOS device. The Set up multifactor authentication screen appears.
  2. Tap Setup under Security Key or Biometric Authenticator, then tap Enroll. The Sign In prompt appears.
  3. Tap Continue. When prompted, hold the YubiKey near the top of the iOS device. The Set up multifactor authentication screen appears.
  4. Tap Setup under YubiKey. The Setup YubiKey screen appears.
  5. Hold the YubiKey near the top of the iOS device.
  6. Press the side or top button on the iOS device to close the screen, then tap the screen to view notifications. Tap the Website NFC Tag notification. The YubiKey NFC screen appears.
  7. Tap Copy to Clipboard, and return to the browser where you were signing in.
  8. Tap and hold in the field and tap Paste.
  9. Tap Verify. The Set up multifactor authentication screen appears.
  10. Tap Finish. You are signed in to Okta.

Use the YubiKey OTP authenticator in NFC mode

You can use YubiKey in NFC mode to sign in on iOS devices that support NFC:

  1. Sign in to Okta on an iOS device.
  2. Tap the arrow menu beside the authenticator icon and select the YubiKey OTP authenticator. The YubiKey OTP screen appears.
  3. Tap in the Click here, then tap your YubiKey field.
  4. Hold the YubiKey near the top of the iOS device.
  5. Press the side or top button on the iOS device to close the screen, then tap the screen to view notifications. Tap the Website NFC Tag notification. The YubiKey NFC screen appears.
  6. Tap Copy to Clipboard, and return to the browser where you were signing in.
  7. Tap and hold in the field and tap Paste.
  8. Tap Verify. You are signed in to Okta.

Use the Security Key or Biometric Authenticator option

You can select the Security Key or Biometric Authenticator option, which uses the WebAuthn (FIDO2) authenticator, to use a YubiKey in NFC mode to sign in on iOS devices that support NFC:

  1. Sign in to Okta on an iOS device.
  2. Tap the arrow menu beside the authenticator icon and select the Security Key or Biometric Authenticator option. The Security Key or Biometric Authenticator screen appears.
  3. Tap Verify. The Sign In prompt appears.
  4. Hold the YubiKey near the top of the iOS device. You are signed in to Okta.

Related topics

Multifactor Authentication

Configure a FIDO2 (WebAuthn) authenticator