Configure the YubiKey OTP authenticator (2024)

The YubiKey One-Time Passcode (OTP) authenticator is a hardware-protected, device-bound possession factor. End users press the button on their YubiKey hardware token, which types a one-time passcode into the sign-in form to complete authentication.

YubiKey in OTP mode isn't a phishing-resistant authenticator and doesn't use biometrics: the emitted OTP is just a typed string, so a phishing page can capture it and relay it to Okta while it is still valid. If you want to use YubiKey as a phishing-resistant or biometric factor, see Configure the FIDO2 (WebAuthn) authenticator.

Before you begin

You need the following to configure the YubiKey OTP authenticator in Okta:

  • A Yubico account with access to the YubiKey Personalization Tool.
  • A YubiKey seed file (also known as the YubiKey OTP secrets file) created with that tool. The file must be in CSV format; manually created seed files may not work properly. The seed file holds each key's secrets, so store and transfer it as you would any other credential store.

Add the YubiKey OTP authenticator

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the YubiKey OTP tile.
  4. Upload the YubiKey Seed file.
  5. Click Add. The authenticator appears in the list on the Setup tab.

Add YubiKey OTP to the authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the YubiKey OTP authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

Deleting the YubiKey OTP authenticator also deletes all YubiKeys enrolled in OTP mode. It doesn't affect YubiKeys enrolled through the FIDO2 (WebAuthn) authenticator as a security key or biometric authenticator.

View YubiKey assignments and status

Use the YubiKey OTP report to verify that the YubiKeys were added correctly. You can also view user assignments and the status of each YubiKey.

  1. In Authenticators, on the Setup tab, open the Actions menu beside YubiKey OTP and select YubiKey OTP Report.
  2. On the Reports page, use search to find the YubiKey to view its assignment and status.

A YubiKey can have one of the following statuses:

  • Unassigned: The end user hasn't yet enrolled their YubiKey.
  • Active: The end user has enrolled their YubiKey.
  • Revoked: The YubiKey was revoked.

Revoke a YubiKey

By revoking a YubiKey, you can decommission a YubiKey (for example, if it's lost or stolen) or remove its user assignment.

  1. In Authenticators, on the Setup tab, open the Actions menu beside YubiKey OTP and select YubiKey OTP Report.
  2. On the Reports page, find the YubiKey that you want to revoke and copy its serial number.
  3. Back in Actions, select Revoke YubiKey.
  4. Paste the serial number to find the YubiKey and click Revoke.

You can't delete a YubiKey that was assigned to a user. Even if you revoke or reassign it, it still appears in the YubiKey Report. You can't remove the serial number of an active YubiKey.


Reassign a YubiKey

To reassign a YubiKey to a different user, first reset the YubiKey authenticator for the original user.

  1. In the Admin Console, go to Directory > People.

  2. Search for and click the person's name to open their profile.
  3. Click More Actions > Reset Authenticators.
  4. Reset the YubiKey authenticator for the user.

Then, reassign the YubiKey to the new user.

  1. In Authenticators, on the Setup tab, open the Actions menu beside YubiKey OTP.
  2. Revoke the YubiKey you want to reassign.
  3. Upload a seed file that contains the key's record again.
  4. Assign it to the new user.

Don't reassign a lost YubiKey if it was found later. Discard it and configure a new YubiKey for the user.

End-user experience

During the first sign-in flow, end users are prompted to set up the YubiKey OTP authenticator. After they enroll their YubiKey in Okta, they use it to sign in. Okta tracks the YubiKey's session counters: each OTP that Okta accepts invalidates, for Okta, every OTP the key emitted before it. Those earlier OTPs may, however, still be accepted by other services that verify the same key, because each verifier keeps its own counter state.
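What "session counters" means in practice is easiest to see in code. The following is an added example written for this page, not code from Okta or Yubico: it builds a Yubico OTP the way the key does and verifies it the way a relying party does, keeping replay state per verifier, so the same OTP is rejected on replay by one verifier yet still accepted by a second one that has never seen it. The SeedEntry field set (public ID, private ID, AES key) stands in for the rows of the seed file mentioned under Before you begin, but it is this example's assumption rather than Okta's CSV layout, and all key material is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Yubico OTP is typed in the modhex alphabet so the keystrokes survive any keyboard layout.
const modhex = "cbdefghijklnrtuv"

// crc16 is the reflected CRC-16 (poly 0x8408, init 0xFFFF) the key puts in the token. The key
// stores the complement of the CRC over bytes 0-13, so recomputing over all 16 bytes leaves
// the constant residual 0xF0B8 exactly when the OTP decrypted under the right key.
func crc16(b []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor in the polynomial when the low bit is set
		}
	}
	return crc
}

// SeedEntry is one key's record as a verifier needs it. Okta loads the equivalent from the
// Personalization Tool seed CSV; this field set is the example's assumption, not Okta's format.
type SeedEntry struct {
	PublicID  string   // 12 modhex chars, sent in the clear as the OTP prefix
	PrivateID [6]byte  // secret uid carried inside the encrypted token
	AESKey    [16]byte // AES-128 key shared only by the key and its verifiers
	Revoked   bool
	lastCtr   uint16 // replay state: highest accepted (session counter, use counter)
	lastUse   uint8
}

// Verifier is one relying party's view of the keys; the counter state is local to it.
type Verifier map[string]*SeedEntry

func NewVerifier(seeds []SeedEntry) Verifier {
	v := Verifier{}
	for _, s := range seeds {
		s := s // private copy, so each verifier advances its own counters
		v[s.PublicID] = &s
	}
	return v
}

// EmitOTP simulates a button press: uid, counters and random bytes are packed into a 16-byte
// token, CRC-protected, AES-encrypted and modhex-encoded behind the public ID. A real key
// increments ctr at power-up and use with every press inside that session.
func EmitOTP(k SeedEntry, ctr uint16, use uint8, rnd uint16) string {
	tok := make([]byte, 16)
	copy(tok[:6], k.PrivateID[:])
	binary.LittleEndian.PutUint16(tok[6:8], ctr)
	tok[11] = use // bytes 8-10 carry the key's timestamp; left zero here, verifiers ignore it
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(k.AESKey[:]) // a 16-byte key cannot fail
	ct := make([]byte, 16)
	block.Encrypt(ct, tok)
	otp := k.PublicID
	for _, c := range ct {
		otp += string(modhex[c>>4]) + string(modhex[c&0x0f])
	}
	return otp
}

// Verify decrypts, integrity-checks and replay-checks one OTP, advancing the counters on success.
func (v Verifier) Verify(otp string) error {
	if len(otp) != 44 {
		return errors.New("otp must be 44 modhex characters")
	}
	k, ok := v[otp[:12]]
	if !ok || k.Revoked {
		return errors.New("unknown or revoked public id")
	}
	ct := make([]byte, 16)
	for i := 0; i < 32; i += 2 {
		hi, lo := strings.IndexByte(modhex, otp[12+i]), strings.IndexByte(modhex, otp[13+i])
		if hi < 0 || lo < 0 {
			return errors.New("invalid modhex character")
		}
		ct[i/2] = byte(hi<<4 | lo)
	}
	block, _ := aes.NewCipher(k.AESKey[:])
	tok := make([]byte, 16)
	block.Decrypt(tok, ct)
	if crc16(tok) != 0xF0B8 || !bytes.Equal(tok[:6], k.PrivateID[:]) {
		return errors.New("wrong key, corrupted otp or private id mismatch")
	}
	ctr := binary.LittleEndian.Uint16(tok[6:8]) & 0x7FFF // bit 15 is a legacy flag, not count
	if use := tok[11]; ctr < k.lastCtr || (ctr == k.lastCtr && use <= k.lastUse) {
		return errors.New("replayed or out-of-date otp")
	}
	k.lastCtr, k.lastUse = ctr, tok[11]
	return nil
}

func main() {
	// Constructed demo secrets, not a real device's.
	key := SeedEntry{PublicID: "ccccccbcgujh", PrivateID: [6]byte{1, 2, 3, 4, 5, 6},
		AESKey: [16]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}}
	okta, other := NewVerifier([]SeedEntry{key}), NewVerifier([]SeedEntry{key})
	otp := EmitOTP(key, 1, 0, 0xbeef)
	fmt.Println(okta.Verify(otp), okta.Verify(otp), other.Verify(otp)) // <nil>, replay error, <nil>
}
```

Run it and the three results are nil, a replay error, and nil again: the second verifier has its own counters, which is exactly why an OTP that Okta has already consumed can still be valid at another site. The replay rule compares (session counter, use counter) as a pair, so an OTP from an earlier press is refused even when it has never been submitted before; a key never emits the same pair twice, so nothing legitimate is lost.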

Okta enforces a rate limit on unsuccessful authentication attempts from Okta-enrolled third-party OTP authenticators, including Google Authenticator, Symantec VIP, and YubiKey OTP. The limit is five unsuccessful attempts in total, counted across any or all of these authenticators, within a rolling five-minute period. A user who exceeds it can't sign in until the window passes, even with a correct code. These attempts are registered in the System Log.
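The policy above is a sliding window over failures pooled across authenticators. As an added example (this page's own illustration, not Okta's implementation; the log field names and the assumption that a success does not clear earlier failures are mine), the limiter below enforces five failures in a rolling five-minute window and records every attempt in a constructed log so the lockout and its expiry can be traced:

```go
package main

import (
	"fmt"
	"time"
)

// Outcome of one OTP verification attempt as the limiter sees it.
type Outcome string

const (
	Success     Outcome = "SUCCESS"
	Failure     Outcome = "FAILURE"
	RateLimited Outcome = "RATE_LIMITED"
)

// LogEntry is a constructed stand-in for a System Log event; the field names are this example's own.
type LogEntry struct {
	Time          time.Time
	User          string
	Authenticator string
	Outcome       Outcome
}

// OTPRateLimiter refuses further attempts once a user has accumulated maxFailures failed
// verifications inside a rolling window, pooling failures from every third-party OTP authenticator.
type OTPRateLimiter struct {
	window      time.Duration
	maxFailures int
	failures    map[string][]time.Time // per user, oldest first: failures still inside the window
	Log         []LogEntry
}

func NewOTPRateLimiter(window time.Duration, maxFailures int) *OTPRateLimiter {
	return &OTPRateLimiter{window: window, maxFailures: maxFailures, failures: map[string][]time.Time{}}
}

// prune forgets failures that have aged out of the window; this is what makes the window rolling.
func (r *OTPRateLimiter) prune(user string, now time.Time) {
	kept := r.failures[user][:0]
	for _, ts := range r.failures[user] {
		if now.Sub(ts) < r.window {
			kept = append(kept, ts)
		}
	}
	r.failures[user] = kept
}

// Blocked reports whether user is locked out at time now.
func (r *OTPRateLimiter) Blocked(user string, now time.Time) bool {
	r.prune(user, now)
	return len(r.failures[user]) >= r.maxFailures
}

// RetryAfter is how long a blocked user must wait for the oldest counted failure to age out.
func (r *OTPRateLimiter) RetryAfter(user string, now time.Time) time.Duration {
	if !r.Blocked(user, now) || len(r.failures[user]) == 0 {
		return 0
	}
	return r.failures[user][0].Add(r.window).Sub(now)
}

// Attempt processes one verification result (verified = the OTP itself checked out) and logs it.
// A blocked user is refused before the OTP is even considered, so a correct code does not help.
func (r *OTPRateLimiter) Attempt(user, authenticator string, verified bool, now time.Time) Outcome {
	var out Outcome
	switch {
	case r.Blocked(user, now):
		out = RateLimited
	case verified:
		out = Success // assumption: a success does not clear earlier failures
	default:
		out = Failure
		r.failures[user] = append(r.failures[user], now)
	}
	r.Log = append(r.Log, LogEntry{now, user, authenticator, out})
	return out
}

func main() {
	r := NewOTPRateLimiter(5*time.Minute, 5)
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	// Constructed sequence: failures spread across three authenticators still count together.
	steps := []struct {
		auth string
		ok   bool
		at   time.Duration
	}{
		{"GOOGLE_AUTHENTICATOR", false, 0}, {"GOOGLE_AUTHENTICATOR", false, 30 * time.Second},
		{"YUBIKEY_OTP", false, time.Minute}, {"SYMANTEC_VIP", false, 2 * time.Minute},
		{"YUBIKEY_OTP", false, 3 * time.Minute},
		{"YUBIKEY_OTP", true, 4 * time.Minute},             // correct OTP, but locked out
		{"YUBIKEY_OTP", true, 5*time.Minute + time.Second}, // the first failure has aged out
	}
	for _, s := range steps {
		at := t0.Add(s.at)
		fmt.Printf("%s %-20s %s\n", at.Format("15:04:05"), s.auth, r.Attempt("alice@example.com", s.auth, s.ok, at))
	}
}
```

Because failures are pruned by age rather than reset on a fixed schedule, a user locked out at 09:04 regains access at 09:05:00 when the 09:00:00 failure leaves the window, not at the top of some five-minute bucket; that is the behaviour to expect when reading lockout events in the System Log.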

End-user tasks

Give these instructions to your end users to help them configure YubiKey OTP as a security method.

Enroll a YubiKey on a desktop browser

When the end user receives their newly provisioned YubiKey, they can activate it as follows:

  1. Go to the org's sign-in page. Provide username and any other credentials requested.

  2. On the Set up security methods page, click Set up for the YubiKey OTP Authenticator. The Set up YubiKey OTP page appears.
  3. Insert the YubiKey and tap its button when prompted.
  4. Click Verify. The Set up security methods page appears.
  5. Click Finish.

Use YubiKey in OTP mode to sign in to a desktop browser

After the end user activates their YubiKey for OTP, they can use it for multifactor authentication when they sign in. During the sign-in process, when the Verify with YubiKey page appears, they insert the YubiKey. They tap its button when prompted, and then follow the instructions in the browser.

Enroll YubiKey in the NFC mode on mobile devices

End users can enroll YubiKey in NFC mode on mobile devices that support NFC.

  1. Sign in to Okta on a mobile device. The Set up multifactor authentication page appears.
  2. Tap Setup under Security Key or Biometric Authenticator, and then tap Enroll. The Sign In prompt appears.
  3. Tap Continue. When prompted, hold the YubiKey near the mobile device. The Set up multifactor authentication page appears.
  4. Tap Setup under YubiKey. The Setup YubiKey page appears. Hold the YubiKey near the mobile device.
  5. Press the side or top button on the device to close the page, and then tap the page to view notifications.
  6. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard and return to the browser where you were signing in.
  8. Tap and hold in the field, and then tap Paste.
  9. Tap Verify. The Set up multifactor authentication page appears.
  10. Tap Finish.

Use the YubiKey OTP authenticator in the NFC mode

End users can use YubiKey in the NFC mode to sign in on mobile devices that support NFC:

  1. Sign in to Okta on a mobile device.
  2. Tap the arrow menu beside the authenticator icon and select the YubiKey OTP authenticator. The YubiKey OTP page appears.
  3. Tap the Click here, and then tap your YubiKey field.
  4. Hold the YubiKey near the mobile device.
  5. Press the side or top button on the mobile device to close the page, and then tap the page to view notifications.
  6. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard and return to the browser where you were signing in.
  8. Tap and hold in the field, and then tap Paste.
  9. Tap Verify.

Use the Security Key or Biometric Authenticator option

End users can also use their YubiKey as a security key or biometric authenticator. This method uses the FIDO2 (WebAuthn) authenticator, and on mobile devices it works over the security key's NFC mode.

  1. Sign in to Okta on a mobile device.
  2. Tap the arrow menu beside the authenticator icon and select the Security Key or Biometric Authenticator option. The Security Key or Biometric Authenticator page appears.
  3. Tap Verify. The Sign In prompt appears.
  4. Hold the YubiKey near the mobile device and follow the instructions in the device.

Related topics

Multifactor authentication

Require phishing-resistant authentication with pre-enrolled YubiKey
