Configure YubiKey for one-time passwords

A YubiKey is a brand of security key used as a physical multifactor authentication device. To use it, the user inserts the YubiKey into a USB port on their computer when they're signing in and taps the YubiKey's button when prompted. The YubiKey may provide a one-time password (OTP) or perform fingerprint (biometric) verification, depending on the type of YubiKey the user presents.

This topic provides instructions for setting up and managing YubiKeys using the one-time password mode. To set up and manage YubiKeys as biometric verification, see Configure a WebAuthn (FIDO2) authenticator.

YubiKey in OTP mode is not a phishing-resistant authenticator.

To set up your org to use YubiKeys to generate one-time passwords, you generate a .csv file of the YubiKeys that you'll import using a tool from YubiKey's maker, Yubico. Then, you activate the YubiKey authenticator and import the .csv file. End users will activate their YubiKeys themselves the next time they sign in to Okta.


Before you begin

Before you can enable the YubiKey authenticator for one-time password mode, you need to configure the YubiKeys and generate a YubiKey Seed File (also called a YubiKey Secrets File) using the YubiKey Personalization Tool. The YubiKey Seed File is a .csv that you upload into Okta to activate the YubiKeys. See Programming YubiKeys for Okta Adaptive Multi-Factor Authentication for instructions. When you have finished generating the YubiKey Seed File, save it to a secure location.

Do not create a YubiKey Seed File manually because you won't have the public and private key information to associate with each YubiKey, which may cause the YubiKeys to work improperly.

After you have configured the YubiKeys and uploaded the YubiKey Seed File to Okta, you can distribute the YubiKeys to your end users.

Activate the YubiKey authenticator and add YubiKeys

To activate this authenticator, you must add YubiKeys at the same time.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click Add Authenticator.

  3. Click Add YubiKeys under the Add YubiKey option. The Add YubiKeys dialog appears.

  4. Click Browse beside the Upload YubiKey Seed File field. The file selector window appears.

  5. Select the YubiKey Seed File that you created using the YubiKey Personalization Tool and click Open.

  6. Click Upload Seed File. The File uploaded confirmation message appears.

  7. Click Add. The Authenticators page appears, and the YubiKey Authenticator appears in the list.

View YubiKey user assignments and statuses

After you have added YubiKeys, you can check the YubiKey Report to verify that they were added correctly and view the status of each YubiKey.

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Authenticators page, click Actions for the YubiKey authenticator and select YubiKey Report. The YubiKey Report page appears.

  3. Use the criteria under the Filters pane to customize your search.

  4. Review the status of each YubiKey in the Status column:

  • The status appears as UNASSIGNED until the end user enrolls their YubiKey.

  • Once the end user has enrolled their YubiKey, the status changes to ACTIVE.

  • When you revoke a YubiKey, the status changes to REVOKED.

Revoke YubiKeys

Revoking a YubiKey allows you to decommission a single YubiKey, such as when it has been reported as lost or stolen. In addition, revoking a YubiKey removes its association with the user to whom it was assigned.

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Authenticators page, click Actions for the YubiKey authenticator and select YubiKey Report. The YubiKey Report page appears.

  3. Use the criteria under the Filters pane to customize your search.

  4. When you have found the YubiKey you want to revoke, select its serial number and copy it to the clipboard.

  5. Go to Security > Authenticators.

  6. Click Actions for the YubiKey authenticator and select Revoke YubiKey. The Revoke YubiKey page appears.

  7. Paste the serial number into the YubiKey serial number field and click Find. Information about the YubiKey appears.

  8. Click Revoke. The confirmation message appears.

  9. Click Close.

Delete the YubiKey authenticator

Deleting the YubiKey authenticator will also delete all YubiKeys used for one-time password mode; it doesn't delete YubiKeys used in biometric mode. This action can't be undone.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click Actions for the YubiKey authenticator and select Delete. The Delete YubiKey Authenticator prompt appears.

  3. Click Delete.

End user experience: enroll a YubiKey for the first time

When the end user receives their newly provisioned YubiKey, they can activate it themselves by doing the following:

  1. Sign in to Okta.

  2. On the Set up security methods page of the Sign-In Widget, click Set up under YubiKey Authenticator. The Set up YubiKey page appears.

  3. Insert the YubiKey and tap its button when prompted.

  4. Click Verify. The Set up security methods page appears.

  5. Click Finish.

End user experience: use YubiKey at subsequent sign-ons

After the end user has activated their YubiKey, they can use it for multifactor authentication at subsequent sign-ons:

  1. Sign in to Okta.

  2. When the Verify with YubiKey page appears, insert the YubiKey and tap its button when prompted.

Because Okta tracks the session counters embedded in each Yubico OTP, the OTP you present when signing in with a YubiKey in OTP mode invalidates every OTP the key generated before it; Okta rejects those earlier OTPs if they're presented later. They may, however, still be accepted by other websites, which keep their own counter state for the key.
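The counter behaviour described above, as an added example that is not Okta's or Yubico's code: it follows the published Yubico OTP token layout and CRC, operates on the decrypted 16-byte token body (AES-128 decryption with the per-key secret from the seed file is assumed to have already happened), and models two independent validation services so the replay and the "still valid elsewhere" cases can both be seen. The private ID and counter values are constructed.

```python
import struct

CRC_OK_RESIDUE = 0xF0B8  # CRC-16/X.25 residue over the 16-byte body including its CRC

def crc16(data: bytes) -> int:
    """CRC-16 used by Yubico OTP: poly 0x8408 (reflected 0x1021), init 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def make_token(uid: bytes, use_ctr: int, timestamp: int, session_use: int, rnd=0x1234) -> bytes:
    """Build a decrypted token body as a key does before AES-encrypting it (constructed values)."""
    body = struct.pack("<6sHHBBH", uid, use_ctr, timestamp & 0xFFFF, timestamp >> 16, session_use, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def parse_token(tok: bytes) -> dict:
    """Split a decrypted body into fields; a CRC failure means wrong AES key or a corrupted OTP."""
    if len(tok) != 16 or crc16(tok) != CRC_OK_RESIDUE:
        raise ValueError("bad length or CRC")
    uid, use_ctr, ts_lo, ts_hi, session_use = struct.unpack("<6sHHBB", tok[:12])
    return {"uid": uid, "use_ctr": use_ctr & 0x7FFF,  # MSB of the usage counter is a flag bit
            "session_use": session_use, "timestamp": ts_lo | (ts_hi << 16)}

class Validator:
    """One validation service with its own counter state, keyed by the key's private ID."""
    def __init__(self, known_uids):
        self.state = {u: (-1, -1) for u in known_uids}  # last accepted (use_ctr, session_use)

    def verify(self, tok: bytes) -> str:
        f = parse_token(tok)
        if f["uid"] not in self.state:
            return "BAD_OTP"  # private ID does not match any key loaded from the seed file
        counters = (f["use_ctr"], f["session_use"])
        if counters <= self.state[f["uid"]]:
            return "REPLAYED_OTP"  # not strictly newer than the last OTP this service accepted
        self.state[f["uid"]] = counters
        return "OK"

def demo() -> list:
    uid = bytes.fromhex("8792ebfe26cc")  # constructed private ID
    okta, other_site = Validator([uid]), Validator([uid])
    earlier = make_token(uid, 5, 100, 0)  # generated first, never sent to Okta
    later = make_token(uid, 5, 200, 1)    # generated second, used to sign in to Okta
    return [okta.verify(later), okta.verify(earlier), other_site.verify(earlier), okta.verify(later)]
```

Presenting the earlier OTP after the later one is rejected by Okta as a replay, while a second service that has not seen the later OTP still accepts it.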

Related topics

Multifactor Authentication

Configure a WebAuthn (FIDO2) authenticator