YubiKeys for Axiad: Manual configuration / programming process


Summary

The purpose of this article is to describe the process of manually configuring / programming YubiKeys for use with Axiad. This article will guide you through the setup and configuration process of YubiKey Personalization Tool, programming YubiKeys, and output / extraction of the OTP secrets which need to be uploaded to the Axiad admin portal.

Yubico custom programming

Tip: For order quantities of 500 YubiKeys or more, Yubico offers a custom programming service where you may have your entire order pre-programmed, and you will be provided an encrypted file that can be uploaded to Duo, avoiding the need to program the YubiKeys for Duo. This information and process is described in another document which may be provided upon request.

Configuring YubiKeys for Axiad

YubiKey Personalization Tool installation

First, you will need to download and install YubiKey Personalization Tool. 

Operating systems supported:

  • Windows
  • Linux
  • Mac

Log output and export configuration

Next, configure the settings to allow for logging and output of the configuration, as well as the ability to export the .ycfg (YubiKey configuration) file.

  • Select Settings from the top navigation bar. Under Logging Settings, check Log configuration output and select Yubico format from the dropdown.
  • Under Application Settings, select Enable configuration export and import.

See the image below for settings.

axiad-pt-1.png

OATH-HOTP programming

Select OATH-HOTP from the top navigation bar, and configure as follows:

  1. Click Advanced
  2. Select the Configuration Slot you want to program the OATH-HOTP credential into (1 or 2)
    Tip: Factory programmed YubiKeys come pre-programmed with Yubico OTP in Slot 1, which is synchronized with YubiCloud for some services which natively support Yubico OTP via the cloud validation servers. If you are planning on using YubiCloud with other services, be sure to select Configuration Slot 2 when configuring for Duo. If this is done, however, users will need to long press (tap and hold for 3+ seconds) the YubiKey's capacitive touch sensor in order to generate the OTP for Duo.
  3. Ensure OATH Token Identifier remains unchecked
  4. Set the HOTP Length to 8 Digits
  5. Set the Moving Factor Seed to Fixed zero
  6. Next to Secret Key (20 bytes Hex), click the Generate button
  7. (Optional) If you want to prevent users from overwriting or deleting the OATH-HOTP credential you are programming, under Configuration Protection (6 bytes Hex), click the dropdown arrow and select YubiKey(s) unprotected - Enable protection, and then under New Access Code, choose one of the following options:
    1. Click the box next to Use Serial Number - This option is good for preventing accidental deletion of the credential, but is not ideal if you're concerned with users attempting to make malicious changes to the YubiKey.
    2. Create a custom 12 digit configuration protection access code and enter it into the New Access Code field, and store this code in a safe place. This option will prevent any accidental (or intentional) changes to the YubiKey's OTP slot configuration, but note that if the configuration protection access code is lost, no changes can ever be made to the OTP slot you're configuring on this YubiKey: the slot cannot be reconfigured, the two configuration slots cannot be swapped, and the OTP application on the YubiKey can no longer be disabled.
  8. Click Write Configuration

You should now receive a prompt to save the file output. Save this in a safe location! The YubiKeys are now programmed correctly for Axiad. The next step is to upload the seeds into Axiad.

axiad-pt-2.png

Programming multiple YubiKeys

If you have more than one YubiKey to program, prior to clicking Write Configuration, click the checkbox next to Program Multiple YubiKeys, and also select Automatically program YubiKeys when inserted. This will allow you to simply insert one key, remove it, then insert the next YubiKey, repeatedly until all YubiKeys are programmed.


Yubico CSV format for secrets files

You should now have a CSV that was saved during the programming process. Each YubiKey programmed is added as the next row in the file for the entirety of the programming session. The following information will be present in the file:

  • Column A: <serial_number>
  • Column B: <public_identity>
  • Column C: <moving_factor_seed>
  • Column D: <AES_key>
  • Column E: <access_code>
  • Column F: <programming_timestamp>

Example output below:

axiad-csv.png
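As an added example (not part of this article, and not Yubico or Axiad tooling), the following Python script reads a secrets file in the six-column layout listed above, checks each row against the settings chosen in the OATH-HOTP programming section (20-byte secret, Fixed zero moving factor seed, no duplicate serials), and computes the first 8-digit OATH-HOTP codes each key should produce per RFC 4226. It assumes the <AES_key> column holds the 20-byte hex HOTP secret for an OATH-HOTP slot and that the file has no header row. The serial numbers, timestamps and keys in the embedded sample are constructed; the first key is the RFC 4226 test secret so the computed codes can be compared against the RFC's published vectors.

```python
import csv
import hashlib
import hmac
import io
import struct

# Constructed sample in the column order the article lists:
# serial, public identity, moving factor seed, key, access code, timestamp.
# Serials and timestamps are made up. The first key is the RFC 4226 test
# secret ("12345678901234567890" as hex); the second is a made-up key
# programmed with a custom 12-digit access code.
SAMPLE_CSV = """\
12345678,,0,3132333435363738393031323334353637383930,,2024-01-01T09:00:00
12345679,,0,0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c,123456123456,2024-01-01T09:01:00
"""

COLUMNS = (
    "serial_number",
    "public_identity",
    "moving_factor_seed",
    "aes_key",          # for an OATH-HOTP slot this is the HOTP secret (assumption)
    "access_code",
    "programming_timestamp",
)


def parse_yubico_csv(text):
    """Parse the Yubico-format log into one dict per programmed YubiKey."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not any(fields):          # skip blank lines
            continue
        if len(fields) < len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
        row = dict(zip(COLUMNS, fields[: len(COLUMNS)]))
        row["moving_factor_seed"] = int(row["moving_factor_seed"] or "0")
        rows.append(row)
    return rows


def check_rows(rows):
    """Return a list of problems that would make a row unusable for Axiad."""
    problems = []
    seen = set()
    for row in rows:
        serial = row["serial_number"]
        if serial in seen:
            problems.append(f"{serial}: duplicate serial number")
        seen.add(serial)
        try:
            key = bytes.fromhex(row["aes_key"])
        except ValueError:
            problems.append(f"{serial}: key is not valid hex")
            continue
        if len(key) != 20:
            problems.append(f"{serial}: key is {len(key)} bytes, expected 20")
        if row["moving_factor_seed"] != 0:
            problems.append(f"{serial}: moving factor seed is not Fixed zero")
    return problems


def hotp(secret, counter, digits=8):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset : offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_first_codes(row, count=3):
    """The first `count` OTPs this YubiKey will emit, starting at its seed.
    Useful for confirming a freshly programmed key before upload."""
    secret = bytes.fromhex(row["aes_key"])
    start = row["moving_factor_seed"]
    return [hotp(secret, start + i) for i in range(count)]


if __name__ == "__main__":
    rows = parse_yubico_csv(SAMPLE_CSV)
    for problem in check_rows(rows):
        print("PROBLEM:", problem)
    for row in rows:
        protected = "protected" if row["access_code"] else "unprotected"
        print(row["serial_number"], protected, expected_first_codes(row))
```

The file this script reads is equivalent to the keys themselves: anyone holding a row can generate that YubiKey's OTPs, so run the check on the machine where the file was saved and share the file only through the channel your Axiad representative provides. Because the counter is Fixed zero, the first code printed for a key is exactly the one a single short press will produce after programming, which makes this a quick way to confirm a slot was written correctly.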

Uploading seeds into Axiad

For the YubiKeys to be recognized by Axiad, the generated CSV file with the associated seeds needs to be uploaded into the Axiad portal. Work with your Axiad representative for guidance on how to securely share this information.