The purpose of this document is to describe the process of manually configuring / programming the YubiKeys for use with Okta. This document will guide you through the set up and configuration process of the YubiKey Personalization Tool, programming YubiKeys, and the output / extraction of the OTP secrets which need to be uploaded to the Okta admin portal.
Yubico Custom Programming
Please note: for order quantities of 500 YubiKeys or more (per form factor), Yubico offers a custom programming service where you may have your entire order pre-programmed, and you will be provided an encrypted spreadsheet with the secrets files. This information and process is described in another document which may be provided upon request.
Configuring YubiKeys for Okta
YubiKey Personalization Tool installation
First, you will need to download and install the YubiKey Personalization Tool.
Operating systems supported:
Log output and export configuration
Next, configure the settings to allow for logging and output of the configuration, as well as the ability to export the .ycfg (yubikey configuration) file.
- Under “Logging Settings”, select “Settings” from the top navigation bar, then check “Log configuration output” and select “Yubico format” from the dropdown.
- Under “Application Settings”, select “enable configuration export and import”
Please see the image below for settings.
Yubico OTP Programming
Now you will select “Yubico OTP” from the top navigation bar, and configure as follows:
- Select “Advanced”
- Select “Configuration Slot”
- NOTE: Factory programmed YubiKeys come pre-programmed with Yubico OTP in Slot 1, which is synchronized with the YubiCloud for some services which natively support Yubico OTP via the cloud validation server. If you are planning on using the YubiCloud, be sure to select “Slot 2”
- Set “Yubico OTP Parameters” as shown in image below
- Click “Generate” in all three (3) sections
- Click “Write Configuration”
You should now receive a prompt to save the file output. Please save this in a safe location!
Programming for multiple YubiKeys
If you have more than one YubiKey to program, prior to selecting “Write Configuration”, Select “Program Multiple YubiKeys” In the image above, and also select “Automatically program YubiKeys when inserted”. This will allow you to simply insert one key, remove, then insert the next, repeatedly until all keys are programmed.
Note: For YubiKeys with serial numbers greater than 16777215, make sure to change the Parameter Generation Scheme to Increment Identity; Randomize Secrets - this will ensure all public identities are unique.
Yubico CSV format for secrets files
You should now have a CSV that was saved during the programming process, each YubiKey programmed will be added to the next row in the list for the entirety of the programming session. The following information will be present in the file:
- Column A: <serial_number>
- Column B: <public_identity>
- Column C: <private_identity>
- Column D: <AES_key>
- Column E: <access_code>
- Column F: <programming_timestamp>
Example output below:
YubiKey Secrets Upload - Okta Admin Portal
Next, you will need to log into the Okta admin portal and upload the entire CSV file.
Log in to Okta account. Via the Admin portal, navigate to “Security” > “Multifactor” > “YubiKey” > (“Enable” if needed) > “Browse” > Upload CSV file.
YubiKey Enrollment - Okta MFA Options
Now that all your YubiKeys have been imported successfully, your users should be able to enroll their YubiKey via the MFA options under their account as shown below: