Summary
The purpose of this document is to describe the process of manually configuring / programming YubiKeys for use with Axiad. This document will guide you through the setup and configuration of the YubiKey Personalization Tool, the programming of the YubiKeys, and the output / extraction of the OTP secrets which need to be uploaded to the Axiad admin portal.
Yubico Custom Programming
Please note: for order quantities of 500 YubiKeys or more, Yubico offers a custom programming service where you may have your entire order pre-programmed, and Axiad will be provided an encrypted spreadsheet with the secrets files. This information and process is described in another document which may be provided upon request.
Configuring YubiKeys for Axiad
YubiKey Personalization Tool installation
First, you will need to download and install the YubiKey Personalization Tool.
https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/
Operating systems supported:
- Windows
- Linux
- Mac
Log output and export configuration
Next, configure the settings to allow for logging and output of the configuration, as well as the ability to export the .ycfg (yubikey configuration) file.
- Select “Settings” from the top navigation bar, then under “Logging Settings” check “Log configuration output” and select “Yubico format” from the dropdown.
- Under “Application Settings”, select “enable configuration export and import”.
Please see the image below for settings.
OATH-HOTP Programming
Now you will select “OATH-HOTP” from the top navigation bar, and configure as follows:
- Select “Advanced”
- Select “Configuration Slot”
- NOTE: Factory programmed YubiKeys come pre-programmed with Yubico OTP in Slot 1, which is synchronized with the YubiCloud for some services which natively support Yubico OTP via the cloud validation server. If you are planning on using the YubiCloud, be sure to select “Slot 2”
- Set “OATH-HOTP” as shown in image below
- OATH Token Identifier: This should be unchecked
- HOTP Length: 8 Digits
- Moving Factor Seed: Fixed Zero: 0
- Secret Key: Select Generate
- Configuration Protection
- YubiKey(s) unprotected - Enable Protection
- New Access Code: Define a random 6-byte code (recommend using the serial number, as shown in the image below)
- Click “Write Configuration”
You should now receive a prompt to save the file output. Please save this in a safe location! The YubiKeys are now programmed correctly for Axiad. The next step is to upload the seeds in Axiad.
Programming for multiple YubiKeys
If you have more than one YubiKey to program, then before clicking “Write Configuration”, select “Program Multiple YubiKeys” (shown in the image above) and also select “Automatically program YubiKeys when inserted”. You can then simply insert one key, remove it, and insert the next, repeating until all keys are programmed.
Yubico CSV format for secrets files
You should now have a CSV file that was saved during the programming process; each YubiKey programmed is added as the next row in the list for the entirety of the programming session. The following information will be present in the file:
- Column A: <serial_number>
- Column B: <public_identity>
- Column C: <moving_factor_seed>
- Column D: <AES_key>
- Column E: <access_code>
- Column F: <programming_timestamp>
Example output below (please note these are examples, not real seed files, your output will vary slightly):
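As an added worked example (not part of this guide and not Yubico's or Axiad's tooling), the Python below checks a Yubico-format secrets CSV against the settings chosen above before it is shared: six columns, a numeric serial, a Fixed Zero moving factor, a 6-byte access code, and a 20-byte secret, from which it computes the 8-digit HOTP at the seed counter so the first OTP from a freshly programmed key can be compared against the file. It assumes that in OATH-HOTP mode column D carries the HMAC-SHA1 secret as 40 hex characters; the sample rows are constructed, not real seed files.

```python
import csv, hashlib, hmac, io, struct

# Constructed sample rows in the six-column layout described above (not real secrets); column D is
# assumed to hold the 20-byte HMAC-SHA1 secret as 40 hex characters when the key is in OATH-HOTP mode.
SAMPLE_CSV = """\
1234567,,0,3132333435363738393031323334353637383930,313233343536,2024-01-15T10:00:00
1234568,,0,zz,313233343536,2024-01-15T10:01:00
"""

def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hex_problem(value: str, expected_len: int, name: str):
    """Problem text if value is not hex of exactly expected_len bytes, else None."""
    try:
        if len(bytes.fromhex(value)) != expected_len:
            return f"{name} is not {expected_len} bytes"
    except ValueError:
        return f"{name} is not valid hex"

def validate_row(row: list) -> list:
    """Problems found in one CSV row; an empty list means the row is usable."""
    if len(row) != 6:
        return [f"expected 6 columns, got {len(row)}"]
    serial, _public_id, moving_factor, key_hex, access_code, _stamp = (c.strip() for c in row)
    problems = []
    if not serial.isdigit():
        problems.append("serial number is not numeric")
    if moving_factor != "0":
        problems.append("moving factor seed is not the expected Fixed Zero")
    # 8-digit HOTP uses a 20-byte HMAC-SHA1 secret; the access code defined above is 6 bytes
    problems += filter(None, [hex_problem(key_hex, 20, "secret"), hex_problem(access_code, 6, "access code")])
    return problems

def load_seeds(text: str):
    """Return ({serial: (secret, HOTP at the seed counter)}, {serial: [problems]})."""
    good, bad = {}, {}
    for row in filter(None, csv.reader(io.StringIO(text))):
        problems = validate_row(row)
        if problems:
            bad[row[0].strip()] = problems
        else:
            secret = bytes.fromhex(row[3].strip())
            good[row[0].strip()] = (secret, hotp(secret, int(row[2].strip())))
    return good, bad
```

Rows reported in the second dictionary should be re-programmed rather than uploaded; the first row's secret is the RFC 4226 test key, so its computed OTP at counter 0 is 84755224.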
Uploading Seeds into Axiad
For the YubiKeys to be recognized by Axiad, the generated CSV file with the associated seeds needs to be uploaded into the Axiad Portal. Please work with your Axiad representative for guidance on how to securely share this information.