Configure the YubiKey OTP authenticator

A YubiKey is a brand of security key used as a physical multifactor authentication device. To use it, the user inserts the YubiKey into a USB port on their computer when they're signing in and taps the YubiKey's button when prompted. The YubiKey may provide a one-time password (OTP) or perform fingerprint (biometric) verification, depending on the type of YubiKey the user presents.

This topic provides instructions for setting up and managing YubiKeys using the OTP mode. To use YubiKeys for biometric verification, see Configure the FIDO2 (WebAuthn) authenticator.

To use this authenticator, generate a .csv file of the YubiKeys that you import using a tool from YubiKey's maker, Yubico. Then, activate the YubiKey OTP authenticator and import the .csv file. Users activate their YubiKeys the next time they sign in to Okta.

YubiKey in OTP mode isn't a phishing-resistant authenticator.

Topics

Before you begin

Before you can enable the YubiKey OTP authenticator, you need to configure the YubiKeys and generate a YubiKey OTP secrets file (also known as the YubiKey Seed File) using the YubiKey Personalization Tool. The YubiKey OTP secrets file is a .csv that you upload into Okta to activate the YubiKeys. See Programming YubiKeys for Okta Adaptive Multi-Factor Authentication for instructions. When you have finished generating the YubiKey OTP secrets file, save it to a secure location.

Don't create a YubiKey OTP secrets file manually. Only the YubiKey Personalization Tool can populate the public and private key information for each YubiKey. If this information is missing, the YubiKeys may not work properly.

After you've configured the YubiKeys and uploaded the YubiKey OTP secrets file to Okta, you can distribute the YubiKeys to your end users.

Activate the YubiKey OTP authenticator and add YubiKeys

To activate this authenticator, you must add YubiKeys at the same time.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. Click Add Authenticator.
  3. Click Add YubiKeys under the Add YubiKey OTP option. The Add YubiKey dialog appears.
  4. Click Browse beside the Upload YubiKey Seed File field. The file selector window appears.
  5. Select the YubiKey Seed File that you created using the YubiKey Personalization Tool, and click Open.
  6. Click Upload Seed File. The confirmation message appears.
  7. Click Add. The Authenticators page appears, and the YubiKey OTP authenticator appears in the list.

View YubiKey user assignments and statuses

After you have added YubiKeys, you can check the YubiKey report to verify that they were added correctly and view the status of each YubiKey.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Authenticators page, click Actions for the YubiKey OTP authenticator and select YubiKey OTP Report. The YubiKey OTP Report page appears.
  3. Use the criteria under the Filters pane to customize your search.
  4. Review the status of each YubiKey in the Status column:
    • The status appears as UNASSIGNED until the end user enrolls their YubiKey.
    • Once the end user has enrolled their YubiKey, the status changes to ACTIVE.
    • When you revoke a YubiKey, the status changes to REVOKED.

Revoke YubiKeys

Revoking a YubiKey allows you to decommission a single YubiKey, such as when it has been reported as lost or stolen. In addition, revoking a YubiKey removes its association with the user to whom it was assigned.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Authenticators page, click Actions for the YubiKey authenticator and select YubiKey OTP Report. The YubiKey OTP Report page appears.
  3. Use the criteria under the Filters pane to customize your search.
  4. When you find the YubiKey you want to revoke, select its serial number and copy it to the clipboard.
  5. Go to Security > Authenticators.
  6. Click Actions for the YubiKey OTP authenticator and select Revoke YubiKey. The Revoke YubiKey page appears.
  7. Paste the serial number into the YubiKey serial number field and click Find. Information about the YubiKey appears.
  8. Click Revoke. The confirmation message appears.
  9. Click Close.

Delete the YubiKey OTP authenticator

Deleting the YubiKey authenticator also deletes all YubiKeys used for one-time password mode. It doesn't delete YubiKeys used in biometric mode. This action can't be undone.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. Click Actions for the YubiKey authenticator and select Delete. The Delete YubiKey OTP Authenticator prompt appears.
  3. Click Delete.

End-user experience

Enroll a YubiKey for the first time on a desktop browser

When the end user receives their newly provisioned YubiKey, they can activate it themselves by doing the following:

  1. Sign in to Okta.
  2. On the Set up security methods page of the Sign-In Widget, click Set up under YubiKey OTP Authenticator. The Set up YubiKey OTP page appears.
  3. Insert the YubiKey and tap its button when prompted.
  4. Click Verify. The Set up security methods page appears.
  5. Click Finish.

Use YubiKey in OTP mode at subsequent desktop browser sign-ons

After the end user has activated their YubiKey for one-time passwords, they can use it for multifactor authentication at subsequent sign-ons:

  1. Sign in to Okta.
  2. When the Verify with YubiKey page appears, insert the YubiKey and tap its button when prompted.

Okta uses session counters with YubiKeys. Your current OTP invalidates all previous ones. These OTPs may, however, still be valid for use on other websites.

Enroll YubiKey in NFC mode on iOS devices

You can enroll YubiKey in NFC mode on iOS devices that support NFC.

  1. Sign in to Okta on an iOS device. The Set up multifactor authentication page appears.
  2. Tap Setup under Security Key or Biometric Authenticator, then tap Enroll. The Sign In prompt appears.
  3. Tap Continue. When prompted, hold the YubiKey near the top of the iOS device. The Set up multifactor authentication page appears.
  4. Tap Setup under YubiKey. The Setup YubiKey page appears.
  5. Hold the YubiKey near the top of the iOS device.
  6. Press the side or top button on the iOS device to close the page, then tap the page to view notifications. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard, and return to the browser where you were signing in.
  8. Tap and hold in the field and tap Paste.
  9. Tap Verify. The Set up multifactor authentication page appears.
  10. Tap Finish.

Use the YubiKey OTP authenticator in NFC mode

You can use YubiKey in NFC mode to sign in on iOS devices that support NFC:

  1. Sign in to Okta on an iOS device.
  2. Tap the arrow menu beside the authenticator icon and select the YubiKey OTP authenticator.
  3. The YubiKey OTP page appears.
  4. Tap in the Click here, then tap your YubiKey field.
  5. Hold the YubiKey near the top of the iOS device.
  6. Press the side or top button on the iOS device to close the page, then tap the page to view notifications. Tap the Website NFC Tag notification. The YubiKey NFC page appears.
  7. Tap Copy to Clipboard, and return to the browser where you were signing in.
  8. Tap and hold in the field and tap Paste.
  9. Tap Verify.

Use the Security Key or Biometric Authenticator option

You can also use your YubiKey as a security key or biometric authenticator. This method uses the FIDO2 (WebAuthn) authenticator to sign in to iOS devices using the security key's NFC mode.

  1. Sign in to Okta on an iOS device.
  2. Tap the arrow menu beside the authenticator icon and select the Security Key or Biometric Authenticator option. The Security Key or Biometric Authenticator page appears.
  3. Tap Verify. The Sign In prompt appears.
  4. Hold the YubiKey near the top of the iOS device.

Related topics

Multifactor authentication

Configure the FIDO2 (WebAuthn) authenticator