YubiKeys

Import your YubiKey hardware tokens to use them for authentication.

Overview

To use a YubiKey hardware token, you will need to enter its stored secret in your Duo Admin Panel. If you do not know the stored secret, you can use the YubiKey Personalization Tool or the YubiKey Multi-Configuration Tool to reconfigure the YubiKey.

Generate YubiKey Configuration

If you are already using this YubiKey with an existing service, the following steps will overwrite the stored secret for that service. Note that every time you open the Yubico OTP tab, the tool generates a new Public Identity, Private Identity, and Secret Key, but these are not written to the token unless you click Write Configuration. There is no way to read the existing Public Identity, Private Identity, and Secret Key off the token once they have been written.

Each YubiKey has two slots. The first slot is used to generate the passcode when the YubiKey button is touched for between 0.3 and 1.5 seconds and released. The second slot is used if the button is touched for between 2 and 5 seconds. When the YubiKey is shipped, its first configuration slot is factory programmed for the YubiCloud OTP service and the second configuration slot is blank.

To create or overwrite a slot’s configuration:

  1. Start the YubiKey Personalization Tool.
  2. Insert the YubiKey into a USB port.
  3. Wait for the Personalization Tool to recognize the YubiKey.
  4. Click Yubico OTP Mode.

  5. Click Quick.

  6. Select Configuration Slot 1 (or Configuration Slot 2 if Slot 1 is already being used by another service).
  7. Click Regenerate.
  8. Uncheck Hide Values.
  9. You will need the Serial Number (in decimal format), Private Identity, and Secret Key to add the YubiKey to your Duo account. You may also want to save this information, along with the Public Identity, somewhere safe, since you will need it if you use this YubiKey with other services in the future.

  10. Click Write Configuration.

There is no need to click Upload to Yubico. We are able to confirm the generated passcodes independently of Yubico's service. However, you may upload the configuration if you also wish to use the YubiCloud OTP service.

Add Token in Duo Admin Panel

  1. Log in to the Duo Security Admin Panel.
  2. Go to Devices → Hardware Tokens.
  3. Click the Import Hardware Tokens button.
  4. Set the dropdown to YubiKey AES.
  5. Enter the Serial Number, Private Identity, and Secret Key of the token, separated by commas, in the following format:

    01231337, 0c 87 99 55 78 ee, a4 d0 93 a9 bd 09 e1 24 e9 17 b6 72 03 56 a1 3b
    
  6. To assign the token to a user, go to Users and select the user who will use the token.

  7. Click Add Hardware Token.
  8. Enter the serial number of the token. Set the type to YubiKey AES.
  9. Click Add Hardware Token.
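
The import lines from step 5 can be checked before they are pasted into the Admin Panel. The following is an added example, not part of Duo's documentation or tooling: the function names are hypothetical, and it assumes the field sizes shown in the example line above (a 6-byte Private Identity and a 16-byte Secret Key).

```python
import re

PRIVATE_ID_BYTES = 6   # assumed from the example line: 6-byte Private Identity
SECRET_KEY_BYTES = 16  # assumed from the example line: 16-byte Secret Key

def _hex_field(name, value, nbytes):
    """Normalize a hex field to spaced lowercase pairs; errors never echo its value."""
    compact = re.sub(r"\s+", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", compact):
        raise ValueError(f"{name}: not hexadecimal")
    if len(compact) != 2 * nbytes:
        raise ValueError(f"{name}: expected {2 * nbytes} hex digits, got {len(compact)}")
    return " ".join(compact[i:i + 2] for i in range(0, len(compact), 2))

def normalize_import_line(line):
    """Validate one 'serial, private identity, secret key' line and return it normalized."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields, got {len(fields)}")
    serial, private_id, secret_key = fields
    if not re.fullmatch(r"[0-9]+", serial):  # the serial must be in decimal format
        raise ValueError("serial: must be decimal digits only")
    return ", ".join([serial, _hex_field("private identity", private_id, PRIVATE_ID_BYTES),
                      _hex_field("secret key", secret_key, SECRET_KEY_BYTES)])

def check_import_lines(lines):
    """Return (normalized_lines, errors); errors carry line numbers, not secrets."""
    good, errors, seen = [], [], set()
    for number, line in enumerate(lines, start=1):
        try:
            normalized = normalize_import_line(line)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
            continue
        serial = normalized.split(",")[0]
        if serial in seen:  # serials are compared exactly as written
            errors.append(f"line {number}: duplicate serial {serial}")
            continue
        seen.add(serial)
        good.append(normalized)
    return good, errors

if __name__ == "__main__":
    # Constructed input: the page's example line, then a key that is one byte short.
    sample = ["01231337, 0c 87 99 55 78 ee, a4 d0 93 a9 bd 09 e1 24 e9 17 b6 72 03 56 a1 3b",
              "01231338, 0c87995578ee, a4d093a9bd09e124e917b6720356a1"]
    good, errors = check_import_lines(sample)
    print(f"{len(good)} line(s) ready to import; problems: {errors}")
```

Error messages report only the line number and field name, so the output can be shared or logged without exposing a token's Secret Key.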