Programming YubiKeys for Okta Adaptive MFA


Summary

This article describes how to manually program YubiKeys for use with Okta. It walks through installing and configuring the YubiKey Personalization Tool, programming the YubiKeys, and obtaining the OTP secrets file that must be uploaded to the Okta admin portal.

Yubico custom programming

Tip: For orders of 500 or more YubiKeys, Yubico offers a custom programming service: your entire order is pre-programmed and you receive an encrypted file that can be uploaded to Okta, so you do not need to program the YubiKeys yourself. That process is described in a separate document, available on request.

Configuring YubiKeys for Okta

YubiKey Personalization Tool installation

First, you will need to download and install YubiKey Personalization Tool. 

Supported operating systems:

  • Windows
  • Linux
  • macOS

Log output and export configuration

Next, configure the settings to allow for logging and output of the configuration, as well as the ability to export the .ycfg (YubiKey configuration) file.

  • Select Settings from the top navigation bar. Under Logging Settings, check Log configuration output and select Yubico format from the dropdown.
  • Under Application Settings, check Enable configuration export and import.

[Screenshot: Settings tab with the logging and export options described above]

Yubico OTP programming

Select Yubico OTP from the top navigation bar, and configure as follows:

  1. Click Advanced
  2. Select the Configuration Slot you want to program the Yubico OTP credential into (1 or 2)
    Tip: Factory-programmed YubiKeys ship with a Yubico OTP credential in Slot 1 whose secrets are registered with YubiCloud, so services that validate Yubico OTP against Yubico's cloud validation servers work out of the box. Writing a new configuration to Slot 1 overwrites that factory credential, and it cannot be restored. If you plan to keep using YubiCloud with other services, select Configuration Slot 2 when configuring for Okta. Note that Slot 2 is triggered by a long press: users must touch and hold the YubiKey's capacitive sensor for about 3 seconds or more to generate the OTP for Okta.
  3. Set Yubico OTP Parameters as shown in the image below
    • Click Generate in all three sections (Public Identity, Private Identity, Secret Key) so that each key receives freshly generated random values
  4. Click Write Configuration

[Screenshot: Yubico OTP tab in Advanced mode, showing the three Generate buttons, the Parameter Generation Scheme, and the Program Multiple YubiKeys options]

You should now be prompted to save the log file. Save it to a safe location: it contains the AES secret key, private identity and access code of every YubiKey programmed in this session, and anyone who obtains it can generate valid OTPs for those keys. Handle it as credential material, restrict who can read it, and remove working copies once the upload to Okta has succeeded.

Programming multiple YubiKeys

If you have more than one YubiKey to program, prior to clicking Write Configuration, click the checkbox next to Program Multiple YubiKeys as shown in the image above, and also select Automatically program YubiKeys when inserted. This will allow you to simply insert one key, remove it, then insert the next YubiKey, repeatedly until all YubiKeys are programmed.

Warning: For YubiKeys with serial numbers greater than 16777215, change the Parameter Generation Scheme to Increment Identity; Randomize Secrets before programming. This ensures that every public identity in the batch is unique; two keys that share a public identity cannot be told apart by the validating server.

Yubico CSV format for secrets files

You should now have a CSV that was saved during the programming process. Each YubiKey programmed will be added to the next row in the list for the entirety of the programming session. The following information will be present in the file:

  • Column A:  <serial_number>
  • Column B:  <public_identity>
  • Column C:  <private_identity>
  • Column D:  <AES_key>
  • Column E:  <access_code>
  • Column F:  <programming_timestamp>

[Screenshot: example rows of the secrets CSV]
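The following script is an added example and is not part of the original article or of Yubico's or Okta's tooling. It lints a secrets CSV in the six-column layout listed above before it is uploaded: it decodes each public identity from modhex, checks the length and character set of every field, and reports public identities or AES keys that repeat across rows, which is the condition the Parameter Generation Scheme warning above guards against. The sample rows embedded in the script are constructed for this example; the serial numbers and secrets are not real keys.

```python
"""Pre-upload lint for a YubiKey Personalization Tool secrets CSV.

Added example (not Yubico or Okta code). Column layout assumed, as described
in the article: serial, public identity (modhex), private identity (hex),
AES key (hex), access code (hex or empty), programming timestamp.
"""
import csv
import io
import re

# Yubico's modhex alphabet: the character at index n encodes the nibble n.
MODHEX = "cbdefghijklnrtuv"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample rows for this example; not real keys or serial numbers.
# Row 3 repeats the public identity of row 1, row 4 has a truncated AES key.
SAMPLE_CSV = """\
12345678,vvcccccccbde,6d4a5b2c1e0f,0123456789abcdef0123456789abcdef,,2024-03-01T10:15:00
12345679,vvcccccccbdf,a1b2c3d4e5f6,fedcba9876543210fedcba9876543210,,2024-03-01T10:15:20
12345680,vvcccccccbde,0f1e2d3c4b5a,00112233445566778899aabbccddeeff,,2024-03-01T10:15:40
12345681,vvcccccccbdg,1a2b3c4d5e6f,0011223344,,2024-03-01T10:16:00
"""


def modhex_to_bytes(s: str) -> bytes:
    """Decode a modhex string (the encoding of the public identity, and of
    the first 12 characters of every Yubico OTP) into raw bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError(f"not modhex: {s!r}")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def check_row(row: list[str]) -> list[str]:
    """Return the problems found in one CSV row; an empty list means it is well formed."""
    if len(row) < 6:
        return [f"expected 6 columns, got {len(row)}"]
    serial, pub, priv, aes, access, ts = (f.strip() for f in row[:6])
    problems = []
    if not serial.isdigit():
        problems.append(f"serial {serial!r} is not numeric")
    try:
        if len(modhex_to_bytes(pub)) != 6:
            problems.append(f"public identity {pub!r} is not 6 bytes")
    except ValueError as err:
        problems.append(f"public identity: {err}")
    if not (len(priv) == 12 and HEX_RE.match(priv)):
        problems.append(f"private identity {priv!r} is not 12 hex characters")
    if not (len(aes) == 32 and HEX_RE.match(aes)):
        problems.append(f"AES key {aes!r} is not 32 hex characters")
    if access and not (len(access) == 12 and HEX_RE.match(access)):
        problems.append(f"access code {access!r} is neither empty nor 12 hex characters")
    if not ts:
        problems.append("programming timestamp is missing")
    return problems


def lint_secrets_csv(text: str) -> dict[int, list[str]]:
    """Lint a whole secrets file. Returns {line number: [problems]}, covering
    per-row format errors plus public identities or AES keys that repeat across
    rows. A validator looks up the AES key by public identity, so two keys
    sharing one would collide at validation time."""
    findings: dict[int, list[str]] = {}
    first_pub: dict[str, int] = {}
    first_aes: dict[str, int] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in row):
            continue  # blank line
        problems = check_row(row)
        if len(row) >= 6:
            pub, aes = row[1].strip(), row[3].strip()
            if pub in first_pub:
                problems.append(f"public identity {pub!r} duplicates line {first_pub[pub]}")
            else:
                first_pub[pub] = lineno
            if aes in first_aes:
                problems.append(f"AES key duplicates line {first_aes[aes]}")
            else:
                first_aes[aes] = lineno
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    # Prints one line per problem; an empty report means the file is ready to upload.
    for lineno, problems in sorted(lint_secrets_csv(SAMPLE_CSV).items()):
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run the script against the real log file (replace SAMPLE_CSV with the file contents) before uploading; with the sample data it reports the duplicate public identity on line 3 and the short AES key on line 4, and nothing for the two clean rows.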

Okta Setup

YubiKey Secrets Upload - Okta Admin Portal 

Next, you will need to log into the Okta admin portal and upload the entire CSV file.

Log in to the Okta account.  Via the Admin portal, navigate to Security > Multifactor > YubiKey > (Enable if needed) > Browse > Upload CSV file.
[Screenshot: Okta admin portal, Security > Multifactor > YubiKey, with the CSV upload control]

YubiKey Enrollment - Okta MFA Options

Now that all of your YubiKeys have been imported successfully, your users should be able to enroll their YubiKey via the MFA options under their account as shown below:
[Screenshots: YubiKey enrollment in the user's MFA settings]