Configure the YubiKey OTP authenticator

The YubiKey One-Time Passcode (OTP) authenticator is a hardware-protected and device-bound possession factor. End users press the button on their YubiKey hardware token, which emits an OTP that they use to sign in to their account.

YubiKey in OTP mode isn't a phishing-resistant authenticator and doesn't use biometrics. If you want to use YubiKey as a phishing-resistant and biometric factor, see Configure the FIDO2 (WebAuthn) authenticator.

Before you begin

You need the following to configure the YubiKey OTP authenticator in Okta:

  • Yubico account with access to the YubiKey Personalization Tool.
  • YubiKey Seed file (also known as YubiKey OTP Secrets file) created using the tool. The file must be in CSV format. Manually created Seed files may not work properly.

Add the YubiKey OTP authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the YubiKey OTP tile.
  4. Upload the YubiKey Seed file.
  5. Click Add. The authenticator appears in the list on the Setup tab.

Add YubiKey OTP to the authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the YubiKey OTP authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

Deleting the YubiKey authenticator also deletes all YubiKeys used in OTP mode. It doesn't delete YubiKeys used in biometric mode.

View YubiKey assignments and status

Use the YubiKey OTP report to verify that the YubiKeys were added correctly. You can also view user assignments and the status of each YubiKey.

  1. In Authenticators, go to Setup > YubiKey OTP > Actions. Select YubiKey OTP Report.
  2. On the Reports page, use search to find the YubiKey to view its assignment and status.

A YubiKey can have one of the following statuses:

  • Unassigned: The end user hasn’t yet enrolled their YubiKey.
  • Active: The end user has enrolled their YubiKey.
  • Revoked: The YubiKey was revoked.

Revoke a YubiKey

By revoking a YubiKey, you can decommission a YubiKey (for example, if it’s lost or stolen) or remove its user assignment.

  1. In Authenticators, go to Setup > YubiKey OTP > Actions. Select YubiKey OTP Report.
  2. On the Reports page, find the YubiKey that you want to revoke and copy its serial number.
  3. Back in Actions, select Revoke YubiKey.
  4. Paste the serial number to find the YubiKey and click Revoke.

You can't delete a YubiKey that was assigned to a user. Even if you revoke or reassign it, it still appears in the YubiKey Report. You can't remove the serial number of an active YubiKey.

Reassign a YubiKey

To reassign a YubiKey to a different user, first reset the YubiKey authenticator for the original user.

  1. In the Admin Console, go to Directory > People.
  2. Search for and click the person's name to open their profile.
  3. Click More Actions > Reset Authenticators.
  4. Reset the YubiKey authenticator for the user.

Then, reassign the YubiKey to the new user.

  1. In Authenticators, go to Setup > YubiKey OTP.
  2. Revoke the YubiKey you want to reassign.
  3. Reupload it using a seed file.
  4. Assign it to the new user.

Don't reassign a lost YubiKey if it was found later. Discard it and configure a new YubiKey for the user.

End-user experience

During the first sign-in flow, end users are prompted to set up the YubiKey OTP authenticator. After they enroll their YubiKey in Okta, they use it to sign in. Okta tracks the YubiKey's session counters: accepting the current OTP invalidates all OTPs the key emitted before it. Those earlier OTPs may, however, still be valid on other websites.

Okta enforces a rate limit on unsuccessful authentication attempts from Okta-enrolled third-party OTP authenticators. These authenticators include Google Authenticator, Symantec VIP, and YubiKey OTP. The rate limit is a total of five unsuccessful attempts from any or all of these authenticators within a rolling five-minute period. When a user exceeds the rate limit, they can’t sign in until the rate limit passes. These attempts are registered in the System Log.

End-user tasks

Give these instructions to your end users to help them configure YubiKey OTP as a security method.

Enroll a YubiKey on a desktop browser

When the end user receives their newly provisioned YubiKey, they can activate it as follows:

  1. Go to the org's sign-in page. Provide your username and any other credentials requested.
  2. On the Set up security methods page, click Set up for the YubiKey OTP Authenticator. The Set up YubiKey OTP page appears.
  3. Insert the YubiKey and tap its button when prompted.
  4. Click Verify. The Set up security methods page appears.
  5. Click Finish.

Use YubiKey in OTP mode to sign in to a desktop browser

After the end user activates their YubiKey for OTP, they can use it for multifactor authentication when they sign in. During the sign-in process, when the Verify with YubiKey page appears, they insert the YubiKey. They tap its button when prompted, and then follow the instructions in the browser.

Enroll YubiKey in the NFC mode on mobile devices

End users can enroll YubiKey in NFC mode on mobile devices that support NFC.

  1. Sign in to Okta on a mobile device. The Set up multifactor authentication page appears.
  2. Tap Setup under Security Key or Biometric Authenticator, and then tap Enroll. The Sign In prompt appears.
  3. Tap Continue. When prompted, hold the YubiKey near the mobile device. The Set up multifactor authentication page appears.
  4. Tap Setup under YubiKey. The Setup YubiKey page appears. Hold the YubiKey near the mobile device.
  5. Press the side or top button on the device to close the page, and then tap the page to view notifications.
  6. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard and return to the browser where you were signing in.
  8. Tap and hold in the field, and then tap Paste.
  9. Tap Verify. The Set up multifactor authentication page appears.
  10. Tap Finish.

Use the YubiKey OTP authenticator in the NFC mode

End users can use YubiKey in the NFC mode to sign in on mobile devices that support NFC:

  1. Sign in to Okta on a mobile device.
  2. Tap the arrow menu beside the authenticator icon and select the YubiKey OTP authenticator. The YubiKey OTP page appears.
  3. Tap the "Click here, and then tap your YubiKey" field.
  4. Hold the YubiKey near the mobile device.
  5. Press the side or top button on the mobile device to close the page, and then tap the page to view notifications.
  6. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard and return to the browser where you were signing in.
  8. Tap and hold in the field, and then tap Paste.
  9. Tap Verify.

Use the Security Key or Biometric Authenticator option

End users can also use their YubiKey as a security key or biometric authenticator. This method uses the FIDO2 (WebAuthn) authenticator to sign in to mobile devices using the security key's NFC mode.

  1. Sign in to Okta on a mobile device.
  2. Tap the arrow menu beside the authenticator icon and select the Security Key or Biometric Authenticator option. The Security Key or Biometric Authenticator page appears.
  3. Tap Verify. The Sign In prompt appears.
  4. Hold the YubiKey near the mobile device and follow the instructions in the device.

Related topics

Multifactor authentication

Onboard users with pre-enrolled YubiKey