Programming YubiKeys for Okta Adaptive Multi-Factor Authentication


Summary

The purpose of this document is to describe the process of manually configuring / programming the YubiKeys for use with Okta. This document will guide you through the set up and configuration process of the YubiKey Personalization Tool, programming YubiKeys, and the output / extraction of the OTP secrets which need to be uploaded to the Okta admin portal.

Yubico Custom Programming

Please note: for order quantities of 500 YubiKeys or more (per form factor), Yubico offers a custom programming service where you may have your entire order pre-programmed, and you will be provided an encrypted spreadsheet with the secrets files. This information and process is described in another document which may be provided upon request.

Configuring YubiKeys for Okta

YubiKey Personalization Tool installation

First, you will need to download and install the YubiKey Personalization Tool.

https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/ 

Operating systems supported:

  • Windows
  • Linux
  • Mac

Log output and export configuration

Next, configure the settings to allow for logging and output of the configuration, as well as the ability to export the .ycfg (yubikey configuration) file.

  • Under “Logging Settings”, select “Settings” from the top navigation bar, then check “Log configuration output” and select “Yubico format” from the dropdown.
  • Under “Application Settings”, select “enable configuration export and import”

Please see the image below for settings.
1.png

Yubico OTP Programming

Now you will select “Yubico OTP” from the top navigation bar, and configure as follows:

  • Select “Advanced”
  • Select “Configuration Slot” 
    • NOTE:  Factory programmed YubiKeys come pre-programmed with Yubico OTP in Slot 1, which is synchronized with the YubiCloud for some services which natively support Yubico OTP via the cloud validation server.  If you are planning on using the YubiCloud, be sure to select “Slot 2”
  • Set “Yubico OTP Parameters” as shown in image below
    • Click “Generate” in all three (3) sections
    • Click “Write Configuration”
      2.png

You should now receive a prompt to save the file output.  Please save this in a safe location!

Programming for multiple YubiKeys

If you have more than one YubiKey to program, prior to selecting “Write Configuration”, Select “Program Multiple YubiKeys” In the image above, and also select “Automatically program YubiKeys when inserted”. This will allow you to simply insert one key, remove, then insert the next, repeatedly until all keys are programmed.

Note: For YubiKeys with serial numbers greater than 16777215, make sure to change the Parameter Generation Scheme to Increment Identity; Randomize Secrets - this will ensure all public identities are unique.

 

Yubico CSV format for secrets files

You should now have a CSV that was saved during the programming process, each YubiKey programmed will be added to the next row in the list for the entirety of the programming session.  The following information will be present in the file:

  • Column A:  <serial_number>
  • Column B:  <public_identity>
  • Column C:  <private_identity>
  • Column D:  <AES_key>
  • Column E:  <access_code>
  • Column F:  <programming_timestamp>

Example output below:
3.png

Okta Setup

YubiKey Secrets Upload - Okta Admin Portal 

Next, you will need to log into the Okta admin portal and upload the entire CSV file.

Log in to Okta account.  Via the Admin portal, navigate to “Security” > “Multifactor” > “YubiKey” > (“Enable” if needed) > “Browse” > Upload CSV file.
4.png

YubiKey Enrollment - Okta MFA Options

Now that all your YubiKeys have been imported successfully, your users should be able to enroll their YubiKey via the MFA options under their account as shown below:
5.jpg
6.jpg