Okta – Yubikey

In this article, I cover enabling Yubikey USB security devices as MFA factors in Okta, using the following devices:
Yubikey 5 NFC
Security Key NFC

Contents

Okta Configuration

POC: Yubico “Yubikey 5 NFC”
Enrolment Flow
Okta Administrator
End User
End User Login Flow
Re-assignment Flow

POC: Yubico “Security Key NFC”
Enrolment Flow
End User Login Flow
Reset PIN Flow (Windows 10)

Okta Configuration
Yubikey devices are natively supported by Okta; however, the factor is not active by default and must be activated at the following location:

Okta Admin > Security > Multifactor > Yubikey > Active

In addition, enrolment should be limited to a specific AD group (for example “Okta-Yubikey”) by creating a factor enrollment policy, assigned to that group, that allows the “Yubikey” and “Security Key” factors. Users outside the group are then never presented with the option to enrol a Security Key or Yubikey device. The policy is created at the following location:

Okta Admin > Security > Multifactor > Factor Enrollment

POC: Yubico “Yubikey 5 NFC”
Enrolment Flow
Okta Administrator
Connect the Yubikey 5 NFC to the laptop's USB port, then install and launch the “Yubikey Personalization Tool”. Under “Settings”, change “Logging Settings” to “Yubico Format” and select “Enable Configuration export (experimental)”.

From “Yubico OTP” select “Advanced”, then choose either “Configuration Slot 1” or “Configuration Slot 2”.

Using Configuration Slot 2 leaves Slot 1 free for Yubico's own online services, which Okta does not need; writing to Slot 1 overwrites whatever is already programmed there.

“The first slot is used to generate the output when the YubiKey button is touched between 0.3 to 1.5 seconds and released and the second slot is used if the button is touched between 2 to 5 seconds.”

Select “Write Configuration”. If Configuration Slot 1 was selected, select YES at the prompt.

This generates a CSV file containing the new credential (serial number, public ID, private ID and AES key). Log in to the Okta Admin UI, go to Security > Multifactor > Yubikey > Browse, select the CSV file, then select Upload Seed File. The CSV holds the AES key Okta uses to validate the key's OTPs, so anyone who obtains it can mint valid OTPs for that key: keep it off shared drives and delete it once the upload succeeds.

End User
User selects “Setup” under “Yubikey”

User presses the (Y) button on the Yubikey, which types a one-time password into the field

Enrolment complete.

End User Login Flow

The user logs in to Okta and, when prompted for the Yubikey factor, presses the (Y) button on the Yubikey:

Login complete.

Re-assignment Flow

To re-assign a Yubikey to another user:
1) Reset the Yubikey MFA factor for the user the device is currently assigned to.
2) Delete the device's seed from Okta (Security > Multifactor > Yubikey > Revoke Yubikey Seed > enter the Yubikey serial number > Find Yubikey > Delete).
3) Create a new seed for the device with the “Yubikey Personalization Tool” and upload the seed file as described earlier in this document. Re-programming the slot replaces the credential on the key, so the seed previously held by Okta no longer matches it.
4) The end user completes the enrolment flow described earlier in this document.
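To make concrete what the uploaded seed file gives Okta, and why the old seed has to be revoked (step 2 above) before a key is re-programmed for another user, here is an added Go example. It is not part of this article and is not Okta's or Yubico's code: it parses one seed row, mints a Yubico OTP from it the way the programmed slot would, and verifies OTPs with the CRC, private-ID, replay-counter and revocation checks a validator has to apply. The seed row, its values and its column order (serial, public ID, private ID, AES key, then the rest) are constructed for the example; confirm the column order against your own Personalization Tool export. The token layout and the 0xf0b8 CRC residue are those of the standard Yubico OTP format.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// Seed is one Yubikey OTP credential as carried in the seed CSV and stored by Okta.
type Seed struct {
	Serial, PublicID  string // public ID: 12 ModHex chars, sent in the clear as the OTP prefix
	PrivateID, AESKey []byte // 6 and 16 bytes: the secrets the CSV carries
}

// Constructed row in the assumed "Yubico format" column order: serial, public ID, private ID, AES key, access code, timestamp.
const sampleSeedRow = "7654321,vvcccccccccc,0123456789ab,00112233445566778899aabbccddeeff,000000000000,2021-03-01T12:00:00"

// ModHex is hex with the digits remapped to keys that sit in the same place on every keyboard layout.
const modhex, hexDigits = "cbdefghijklnrtuv", "0123456789abcdef"

// transcode maps each character of s from alphabet `from` to `to`; characters outside `from`
// become 'z', which hex.DecodeString then rejects.
func transcode(s, from, to string) string {
	return strings.Map(func(r rune) rune {
		if i := strings.IndexRune(from, r); i >= 0 {
			return rune(to[i])
		}
		return 'z'
	}, s)
}

// crc16 is the ISO 13239 CRC Yubico OTP uses; over a well-formed 16-byte token it yields 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // XOR in the polynomial when the shifted-out bit is 1
		}
	}
	return crc
}

// ParseSeedRow reads the four leading columns Okta needs from one seed-file row.
func ParseSeedRow(row string) (Seed, error) {
	f := strings.SplitN(strings.TrimSpace(row)+",,,", ",", 5) // pad so f[0..3] always exist
	priv, errP := hex.DecodeString(f[2])
	key, errK := hex.DecodeString(f[3])
	if errP != nil || errK != nil || len(f[1]) != 12 || len(priv) != 6 || len(key) != 16 {
		return Seed{}, fmt.Errorf("seed row %q: need serial, 12-char public ID, 6-byte private ID, 16-byte AES key", row)
	}
	return Seed{f[0], f[1], priv, key}, nil
}

// GenerateOTP builds an OTP the way the programmed slot does. It is here to make one point:
// whoever holds the seed CSV can mint valid OTPs, so protect the file and delete it after upload.
func GenerateOTP(seed Seed, sessionCtr uint16, sessionUse uint8, rnd uint16) (string, error) {
	block, err := aes.NewCipher(seed.AESKey)
	if err != nil {
		return "", err
	}
	tok := make([]byte, 16)
	copy(tok, seed.PrivateID)                              // bytes 0-5: private ID
	tok[6], tok[7] = byte(sessionCtr), byte(sessionCtr>>8) // 6-7: session counter, little-endian
	tok[11] = sessionUse                                   // 8-10: timestamp (zero here); 11: use counter
	tok[12], tok[13] = byte(rnd), byte(rnd>>8)             // 12-13: random filler
	c := ^crc16(tok[:14])                                  // 14-15: complemented CRC of bytes 0-13
	tok[14], tok[15] = byte(c), byte(c>>8)
	block.Encrypt(tok, tok) // exactly one AES-128 block: no mode, no IV
	return seed.PublicID + transcode(hex.EncodeToString(tok), hexDigits, modhex), nil
}

// Verifier holds uploaded seeds plus the highest counters accepted per key (the replay state).
type Verifier struct {
	seeds map[string]Seed
	last  map[string][2]uint32 // public ID -> {session counter, session use}
}

func NewVerifier(seeds map[string]Seed) *Verifier {
	return &Verifier{seeds: seeds, last: map[string][2]uint32{}}
}

// Revoke mirrors "Revoke Yubikey Seed" in Okta Admin: OTPs from that seed stop verifying.
func (v *Verifier) Revoke(publicID string) { delete(v.seeds, publicID); delete(v.last, publicID) }

// Verify applies the checks a Yubico OTP validator must make: known public ID, clean decrypt
// (CRC residue), private ID match, and counters strictly above the last accepted OTP (replay).
func (v *Verifier) Verify(otp string) error {
	if len(otp) != 44 {
		return fmt.Errorf("otp must be 44 modhex chars")
	}
	pub := otp[:12]
	seed, ok := v.seeds[pub]
	if !ok {
		return fmt.Errorf("unknown public ID %s: seed never uploaded, or revoked", pub)
	}
	tok, errC := hex.DecodeString(transcode(otp[12:], modhex, hexDigits))
	block, errK := aes.NewCipher(seed.AESKey)
	if errC != nil || errK != nil {
		return fmt.Errorf("cannot decrypt OTP: %v %v", errC, errK)
	}
	block.Decrypt(tok, tok)
	if crc16(tok) != 0xf0b8 {
		return fmt.Errorf("crc mismatch: wrong key or corrupted OTP")
	}
	if string(tok[:6]) != string(seed.PrivateID) {
		return fmt.Errorf("private ID mismatch")
	}
	ctr := (uint32(tok[6]) | uint32(tok[7])<<8) & 0x7fff // top bit is a flag, not part of the count
	use := uint32(tok[11])
	if prev, seen := v.last[pub]; seen && (ctr < prev[0] || (ctr == prev[0] && use <= prev[1])) {
		return fmt.Errorf("replay: counters %d/%d not above last accepted %d/%d", ctr, use, prev[0], prev[1])
	}
	v.last[pub] = [2]uint32{ctr, use}
	return nil
}

func main() {
	seed, _ := ParseSeedRow(sampleSeedRow)
	v := NewVerifier(map[string]Seed{seed.PublicID: seed})
	otp, _ := GenerateOTP(seed, 1, 0, 0x1234)
	fmt.Println("first use:", v.Verify(otp), "| replayed:", v.Verify(otp))
	v.Revoke(seed.PublicID) // re-assignment step 2: the old seed is gone
	fmt.Println("after revoke:", v.Verify(otp))
}
```

Run with go run: the first Verify call returns nil, the immediate repeat fails the counter check, and after Revoke the same key's OTPs are rejected as unknown, which is what step 2 of the re-assignment flow relies on. GenerateOTP needs nothing beyond the row's contents, which is the reason the CSV deserves the same handling as any other credential file.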

POC: Yubico “Security Key NFC”
Enrolment Flow
User selects “Setup” under “Security key or Biometric Authenticator”

User selects “Enroll”

User selects “OK”

User selects “OK”

User creates a PIN and selects “OK”

User touches (Y) on Yubikey USB device

Enrollment Complete.

End User Login Flow

User selects “Windows Hello or external security key”

User enters the PIN created during enrolment and selects “OK”

User touches (Y) on Yubikey USB device

Login complete.

Reset PIN Flow (Windows 10)
The PIN is stored on the security key itself rather than in Okta, so it is changed from Windows rather than from the Okta UI. From “Start > Settings > Accounts > Sign-in options”, under “Security Key” select “Manage”

Press (Y) on the security key, then select “Change” under “Security Key PIN”

Complete the fields on the form as indicated, then select OK

Procedure complete.