Login for Linux v21.04 configuration guide

Updated April 30, 2021

Use Login for Linux, available in SecureAuth® Identity Platform release 21.04+, to protect remote Secure Socket Shell (SSH) or local logins so end users running on Unix and Linux can authenticate securely.

Although you can add the integration to any Unix system, SecureAuth has certified compatibility with Debian, Ubuntu, and Red Hat Enterprise Linux. This document describes installation and use for certified operating systems.

Disclaimers

  • The Identity Platform does not currently support duplicate usernames in multiple data stores. Login for Linux will not authenticate end users if their usernames are duplicated across multiple data stores.

  • Login for Linux supports the samAccountName login name format if using Microsoft Active Directory (AD); in this use case, userPrincipalName (UPN) is not supported.

Prerequisites

Administrator

  • SecureAuth Identity Platform release 21.04 or later

  • Login for Linux communicates with the Identity Platform on TCP port 443.

  • If you will customize the Login for Linux experience by setting or changing configuration options, see Set up Login for Endpoints.

  • The end user Active Directory profile must be accurately configured on Linux so that the endpoint can retrieve the AD end user profile during the login process.

  • If you use a load balancer:

    When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with Login for Linux, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform. Login for Linux supports cookie-based persistence only.

Setup requirements

  1. Create a Login for Endpoint application in the Identity Platform, in which more than one authentication factor is required.

  2. Set configuration options for Login for Linux in the Identity Platform.

  3. To ensure target end user machines are running supported OS versions, see the SecureAuth compatibility guide.

User account and workstation requirements
  • The end user Active Directory profile must be accurately configured on the workstation so that the endpoint can retrieve the AD end user profile during the login process.

  • If an end user is already using a YubiKey device for YubiKey multi-factor authentication on a SecureAuth Identity Platform realm, the OATH seed and associated YubiKey device must be removed from the end user's account to prevent a conflict when the end user attempts to use a YubiKey device for HOTP authentication. (See the steps under "End user multi-factor authentication" in the YubiKey HOTP Device Provisioning and Multi-Factor Authentication Guide to remove the YubiKey device from the user account profile.)

Note

If an end user is disabled in Active Directory, the local account will not know the history of the AD account, and the user will not be able to log on to the workstation.

Identity Platform and Login for Endpoints configuration

Use the following sections to set up your endpoint product with the cloud and hybrid model of SecureAuth Identity Platform version 21.04 or later. You will configure the Identity Platform to use Login for Endpoints.

If your team wants to use biometric identification (face (iOS only) or fingerprint recognition), you must complete the following set up. Only the Identity Platform v19.07 or later supports biometric identification; additionally, you must use the 2019 theme (see Setting the default theme for new realms).

Note

The following instructions are appropriate for the three endpoint products: Login for Windows, Login for Mac, and Login for Linux. Differences will be called out according to operating system.

Prerequisites

The following steps must be completed before you can set up MFA methods; some steps are specific to cloud and they are called out accordingly.

  1. Cloud: Download and install the SecureAuth Connector on your endpoint data store server to begin the Identity Platform deployment.

    See Data Stores for a discussion and prerequisites. See Install the SecureAuth Connector for prerequisites and steps.

  2. Add a data store.

    In your endpoint Data Store Properties, enter adminDescription in an unused ID field—Aux ID 3 for endpoints—and set the data format to plain text. Later in these steps, you will map this field to the OTP Validation Property, which is used for end user authentication.

Set up a policy

Policies in the Identity Platform let you define rules that authenticate your users to certain applications or block them. See How policies are used in the Identity Platform to learn about policies.

If you have an existing policy or default policy that will meet your security needs, you can use that policy; otherwise, you can set up a new policy specifically for endpoints.

  1. Set up a policy for your endpoint.

    On the left side of the Identity Platform page, click Policies. Click Add new Policy and give the policy a name.

    policy_id_plat_2104.png
  2. Optional: Set up rules to prompt or skip MFA when end users authenticate by comparing rules like their country, group access, and more.

    Select the Authentication Rules tab. See Adaptive authentication rules settings in a policy to learn more about setting rules.

    auth_rules_in_policy.png
  3. In the Multi-Factor Methods tab, select the methods that you want to enable for the new endpoint policy you just created. The MFA methods will be available to your end users as their login workflow experience.

    Set Login Workflow to any workflow that contains "MFA Method" in it; Username & Password | MFA Method works well for most organizations.

    Select the MFA methods. See Define the login workflow and multi-factor methods settings for the policy to learn more about these methods. The following image shows the available MFA methods for the Username & Password | MFA Method workflow.

    l4e_mfa_methods.png
  4. Click Save Policy to save your work.

  5. Optional: Set up dynamic IP blocking rules to define how and when to block IP addresses that fail to log in with username entries. This setting applies to all policies where the rule is enabled.

    Select the Blocking Rules tab. See Dynamic IP Blocking settings to learn more about rules.

    Be sure to save any changes you make.

Set up Login for Endpoints

Use the Endpoint Details page to set up communication between the Identity Platform and your endpoint. You will configure the endpoint authentication and access information. You will then use the Aux ID you set previously to enable communication between the Identity Platform authentication API and the endpoint.

  1. On the left side of the Identity Platform page, click Login for Endpoint, and click the Endpoint Details tab.

    l4e_open.png
  2. On the Endpoint Details screen, set up the endpoint. Click Add Endpoint on the upper right of the page.

    endpoint_details_2104.png
    1. Provide a name for the endpoint.

    2. Optional: Provide a description for the endpoint.

    3. Select the name of the policy you created previously.

    4. Select the data store for this endpoint.

    5. Select the user groups that can access this application. Hint: Admins typically select Allow every group in your selected data stores to access this application. Additionally, you can add specific user groups only; for example, to let a test group use it for a short time period before adding more or all groups.

    6. Set the OTP validation property to the Auxiliary (Aux) ID you set in Data store integration overview.

      You must specify an Aux ID to communicate with the Identity Platform to validate one-time passcodes (OTPs) from email, phone calls, SMS, Helpdesk, and Notification Passcode.

    7. Click Save, located on the bottom, right side of the page. Do not close the page.

    8. At the bottom of the page, an API Configuration section appears.

      Copy the Application ID and Application key and save them in a secure location where you can find them when needed.

      You cannot retrieve these API credentials again. If you lose them, you can get new secret keys from this page.

      api_config.png

      You can ignore the Endpoint URL link (in the horizontal red box) for now.

    9. Close the screen.

  3. Click the Installer Configuration tab and click Add Configuration to open the Installer Configuration Details page. You can customize the end user login experience in the installer configuration.

  4. Set up the installer configuration for your operating system in the General Settings tab. Fill in the fields with names that match your OS.

    genl_settings_instal_config.png
    1. Add a name for the installer configuration. The name will be displayed in a list that could be long, depending on how many endpoints you set up, so be sure to make the name easy to identify.

    2. Select the endpoint you created on the Endpoint Details page. This connects the endpoint to communicate with the Identity Platform through the API.

    3. Set Allow self-signed certificate only in test or lab environments where the server has a self-signed certificate. When set, all certificate validation is turned off: the HTTP client will accept valid certificates, self-signed certificates, expired certificates, certificates with an invalid root, certificates without a matching common name, and so on, to establish communication.

      Do not set this option for production environments. In production, the option introduces critical security risks, namely the potential "Man in the middle" attack which grants users access to a system without validating their credentials, and lets unauthorized users steal OATH seeds. If the option is set in production, a warning message informs you that the option is enabled. 

      After installing an endpoint with this option set, it remains effective until the endpoint is uninstalled and then re-installed using a configuration file with this option cleared.

    4. Set Install Login for Endpoint without connection to Identity Platform, for example, to allow a third-party company to configure machines for your end users. If the third-party company does not have connectivity to the Identity Platform, this option enables them to complete the configuration.

      When set, be sure to set Grace Period and specify the number of days for password-only login. (Grace Period is located in the Multi-Factor Methods tab.)

      Alternatively, to achieve the same results for self-service password reset (SSPR) without a connection to the Identity Platform:

      • Clear Grace Period.

      • Set Enable adaptive authentications.

      • Clear Logging in with physical access.

      • Clear Logging in via remote desktop protocol.

    5. Set the operating system to match your OS.

    6. Set the type of endpoint you are setting up.

  5. Customize the login experience for your end users in the Multi-Factor Methods tab.

    Click Next Step on the bottom right of the page.

    Existing customers might recognize the following options, which were set in the config.json file in previous releases.

    installer_config_mfa.png
    • Self-service password reset-only mode

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen.

      win_sspr.png

      Setting this option deactivates all other options on the page. If you want the Password Reset link plus all the Login for Windows features (MFA, adaptive engine, etc.), complete the following:

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        This option is located on the Personalization tab, in the Password Reset section.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

    • Ask for second-factor authentication when run as Administrator

      Available on Windows OS only

      When cleared, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will not be required to authenticate again.

      When set, users who log on as administrator (with "Run as administrator"), on the same machine used to log into a regular user account, will be required to authenticate again.

    • Enable passwordless authentication

      Available on Windows OS only

      When set, end users can use a fingerprint reader to authenticate by using any enrolled fingerprint.

      This setting does not enable the second factor biometric identification available to end users through the SecureAuth Authenticate app. On Login for Windows and Login for Mac, see "Use fingerprint recognition on mobile" for instructions; on Login for Linux, see "Approve login notification for fingerprint recognition."

    • Enable offline authentications

      Set this option if you want end users to be able to authenticate when offline.

      SecureAuth uses OATH seeds to validate OATH-based methods (for example, TOTP, HOTP) when end users log in. Most use cases require SecureAuth to store OATH seeds; if seeds are not stored, end users will not be able to log in while offline. In a scenario where, for example, a server is always online, you might not want to cache the OATH seed, to prevent the seed from leaking or being stolen.

    • Enable adaptive authentications

      This setting works like the Adaptive Authentication settings in SecureAuth Identity Platform: you can restrict which admins and users may log in, based on criteria such as username, group, or IP address.

    • Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings

      Set this option to display a message that suggests end users authenticate for the first login by using an OATH-based method, such as TOTP, HOTP, etc. This ensures that they can log in when offline.

      Login for Endpoints requires end users to use an OATH-based method if at least one such method is available to them. If no OATH-based method is available, they can use any other available method, but offline login will not be available.

    • Grace period

      Set this option to establish the number of days that end users can log into a machine with password-only.

      After end users set up their second-factor methods, they can dismiss the password-only login screen.

      For a detailed description with a use case, see "First login with password only."

    • Bypass interval

      When cleared, end users must authenticate with a second factor each time they log in.

      Set a custom duration in seconds; end users must authenticate with appropriate 2FA for their first log in, but won't need to authenticate again until the defined time period ends.

      For example, the time period is set for 32400 seconds (9 hours) and an end user logs out after working for 8.5 hours. That evening, the end user decides to log in and finish a few tasks. More than 9 hours have passed so the end user will need to authenticate with a second factor.

    • Logging in with physical access

      Login for Windows and Login for Mac: Set this option to require MFA when logging in by using the login screen with a workflow, such as Username | Password | 2FA; that is, not logging in remotely.

      Login for Linux: Set this option to allow a user to log into the same machine as a different user by using su or sudo.

    • Windows: Logging in via remote desktop protocol | Linux/Mac: Logging in via Remote Connection (SSH)

      Windows: Set this option to require multi-factor authentication when users log in via remote desktop protocol.

      Linux/Mac: Set this option to require multi-factor authentication when users log in through a remote console in a Secure Socket Shell (SSH) session.

    • Bypass Multi-factor Authentication when

      Set this option to allow users who need to log in as local admins to log in without being prompted for additional MFA.

      Users must belong to a local or domain group that you specify in the fill-in field. Add local users only to the local group. Group names are case sensitive and need to match AD exactly.

      Login for Windows and Login for Mac: Both endpoints support the following syntax:

      • groupname: For groups of the domain to which the machine is joined; for example, "BypassGroup"

        Note that group names must match Active Directory exactly.

      • domain\\groupname: For groups that are part of a specific domain; for example, "customerDomain\\BypassGroup"

      • .\\groupname: For local machine groups; for example, ".\\Administrators"

      Login for Linux: This endpoint supports the following syntax:

      • groupname: For groups of the domain to which the machine is joined; for example, BypassGroup

        Note that group names must match Active Directory exactly.

      • group-name@group-domain: For remote groups, use this UPN format syntax; for example, BypassGroup@customerDomain.local

      • .\\groupname: For local machine groups; for example, .\\Administrators

  6. Personalize more of the user experience in the Personalization tab.

    Click Next Step on the bottom right of the page.

    personalization_tab.png
    • Customize error message

      Set this option to personalize the error message for end users who are locked out of their accounts. In the fill-in field, add your custom message, such as:

      For assistance, please contact Acme helpdesk at 949-555-1212, help@acmeco.com, or https://helpdesk.acmeco.com.

    • Request Timeout

      Set the timeout in seconds, 30 seconds by default, that the Login for Endpoint will wait for HTTP requests to respond. This option is useful to reduce network wait times because the endpoint ends a network connection after it reaches the specified timeout value when communicating through HTTP requests.

      For example, if the endpoint is trying to contact the Identity Platform, but cannot for any reason, the endpoint will end the network connection after the timeout value is reached; if not set, the endpoint will keep trying to reach the Identity Platform.

    • Auto add pre-logon access providers

      Available on Windows OS only

      Set this option to allow a pre-logon access provider so that end users can connect to VPN clients before logging into Login for Windows.

    • Hide retry options

      Available on Windows OS only

      Set this option to hide the button to retry the connection on the login screen when Login for Windows is offline.

    • Enable update password link on the login interface

      Available on Windows OS only

      Use this option to set up a self-service password reset (SSPR) option for end users to select on their login screen. Be sure the following options are set up correctly:

      • Set Enable update password link on the login interface, with a URL to the SSPR site added in the URL field.

        Specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

      • Clear Self-service password reset-only mode.

        This option is located at the top of the Multi-Factor Methods tab.

    • Allow default operating system provider

      Available on Windows OS only

      Set this option to add the default credential provider on the login screen. This allows end users to log in by using a password and second factor with the SecureAuth credential provider, or by using only a password with the default credential provider.

      This option helps new teams starting out with Login for Windows to have a default credential provider option for end users to authenticate as a fallback.

    • Allow other credential providers

      Available on Windows OS only

      Set this option to specify if non-SecureAuth credential providers and other credential providers, such as card scanners, can be used. Be aware of the following items, especially the first bullet:

      • This option is only recommended in test environments, to let testers bypass Login for Windows so they can readily access their machines.

      • Users will be able to log in without using the Login for Windows credential provider, and potentially bypass multi-factor authentication.

      • Users will see their normal login prompt and will have to manually select a different login option to use Login for Windows.

  7. Save your changes.

    Saving creates a configuration file, which contains all the customizations that you set.

    config_file_list.png
  8. Download the configuration file, which you will need during installation. The configuration file must reside in the same folder as the installer file that you will download in Installation.

    Click the download icon (in the image above, the left icon in the red box). The downloaded file is called config.json.

    If you open the config.json file, it will look like the following image, depending on the OS you are using and the customizations you set:

    {
        "platform": "linux",
        "version": "v2",
        "conf_version": 6,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://endpoints.secureauth.com/SecureAuth7",
                "id": "6bc7baa94e8e4b168edc8f6da8932175",
                "secret": "c817e6d6e5f7475d8ff801922dbfac409c8d84a39aa9f6973bd5f4a3913bd2e7"
            }
        ],
        "access_level": 0
    }

    Note

    Change any of your customizations in the Installer Configuration Details pages, then complete step 8 again. Any change you make requires an updated config.json file downloaded to your installation folder.

    Do not edit the config.json file directly unless instructed by SecureAuth Support.
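The guide says not to hand-edit config.json, but it is worth sanity-checking the downloaded file before you copy it next to the installer. The following is an added example (not SecureAuth's code) that reads the field names shown in the sample above and applies the guide's own rules: allow_self_signed must be false in production, store_seeds false means no offline login, install_without_idp needs a grace period, and group_bypass entries must use one of the three Linux syntaxes. The host, id and secret in the sample are constructed placeholders.

```python
"""Pre-install sanity check for the config.json that Login for Endpoints generates.
Added example, not part of the SecureAuth guide; field names follow the guide's
sample, and the credential values below are constructed placeholders."""
import json

# Constructed sample in the shape of the guide's config.json (credentials are fake).
SAMPLE_CONFIG = """{
    "platform": "linux",
    "version": "v2",
    "conf_version": 6,
    "allow_self_signed": false,
    "adaptive_enabled": true,
    "group_bypass": [],
    "store_seeds": true,
    "custom_error_message": "",
    "install_without_idp": false,
    "suggest_first_login": false,
    "request_timeout": 30,
    "apis": [{"host": "https://example.invalid/SecureAuth7",
              "id": "PLACEHOLDER_APP_ID", "secret": "PLACEHOLDER_APP_KEY"}],
    "access_level": 0
}"""


def classify_bypass_group(entry: str) -> str:
    """Map a group_bypass entry to the Login for Linux syntax the guide lists:
    local machine group (.\\name), remote group in UPN form (name@domain),
    or a plain group of the domain the machine is joined to."""
    if entry.startswith(".\\"):
        return "local" if len(entry) > 2 else "invalid"
    if "@" in entry:
        name, _, domain = entry.partition("@")
        return "remote-upn" if name and domain else "invalid"
    return "domain" if entry and not entry.isspace() else "invalid"


def lint_config(text: str, production: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the file passes."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("platform") != "linux":
        findings.append("platform is not 'linux'; this file was not generated for Login for Linux")
    if cfg.get("allow_self_signed") and production:
        # Per the guide: all TLS validation is off, MITM becomes possible, and the
        # setting persists until the endpoint is uninstalled and reinstalled.
        findings.append("allow_self_signed is true: never use in production (TLS validation disabled)")
    if not cfg.get("store_seeds", False):
        findings.append("store_seeds is false: OATH seeds are not cached, offline login will be unavailable")
    if cfg.get("install_without_idp"):
        # Grace Period lives in the Identity Platform and is not visible in this file.
        findings.append("install_without_idp is true: confirm Grace Period >= 1 day in the installer configuration")
    timeout = cfg.get("request_timeout")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append(f"request_timeout must be a positive number of seconds, got {timeout!r}")
    apis = cfg.get("apis") or []
    if not apis:
        findings.append("apis is empty: the endpoint has no Identity Platform to talk to")
    for i, api in enumerate(apis):
        host = api.get("host", "")
        if not host.startswith("https://"):
            findings.append(f"apis[{i}].host must use https (TCP 443): {host!r}")
        if not api.get("id") or not api.get("secret"):
            findings.append(f"apis[{i}] is missing the Application ID or Application key")
    for entry in cfg.get("group_bypass", []):
        if classify_bypass_group(entry) == "invalid":
            findings.append(f"group_bypass entry {entry!r} matches none of the Linux syntaxes")
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_CONFIG with open("config.json").read() to check a downloaded file.
    for line in lint_config(SAMPLE_CONFIG) or ["config.json passes the checks"]:
        print(line)
```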

  9. Your Login for Endpoint is set up with the Identity Platform. You are now ready to install the endpoint.

Installation

Login for Linux is shipped as a self-extracting installation package. The installation process will copy required files to the appropriate directories and create the database with the default configuration.

  1. Download the .run file from the SecureAuth Product Downloads page.

  2. Ensure that you can execute the .run file.

    $ chmod +x SecureAuthLoginForLinux-21.04.00.run
  3. Add the config.json file to the same folder you copied the installer to.

  4. Open a terminal window then change directory to the path where you copied the installer and the config.json files.

  5. Log in as root, then execute the installer.

    $ sudo ./SecureAuthLoginForLinux-21.04.00.run

You can now configure the operating system for your organization: Debian, Ubuntu, or Red Hat Enterprise Linux.

If your installation failed, see the log files to discover the reason.

Login for Linux log files

Error log messages are written to:

/opt/com.secureauth.saap/pam_login.log

The installation log messages are in:

/var/temp/install.log

Configurations for all OS's

This section describes configurations common to Debian, Ubuntu, and Red Hat Enterprise Linux.

  1. Backup each of the following files now because you will modify them in upcoming steps:

    • /etc/pam.d/ssh

    • /etc/pam.d/su

    • /etc/pam.d/sudo

    • /etc/ssh/sshd_config

  2. Integrate Login for Linux to SSH logins by editing the /etc/ssh/sshd_config SSH daemon configuration file:

    1. Enable the Pluggable Authentication Module (PAM).

      UsePAM yes
    2. Enable ChallengeResponseAuthentication so that it controls end user password authentication.

      ChallengeResponseAuthentication yes
    3. Disable PasswordAuthentication because end user password authentication is controlled by the ChallengeResponseAuthentication setting.

      PasswordAuthentication no
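A point worth checking after the edit: sshd applies the first uncommented occurrence of a keyword, and anything after a Match line applies only to matching connections, so appending the three settings to the end of the file does not override an earlier PasswordAuthentication yes that a distribution ships. The following is an added example (not SecureAuth's code) that computes the effective global value of each directive and reports any that differ from what the guide requires; the sshd_config text inside it is constructed.

```python
"""Check an sshd_config for the settings Login for Linux requires.
Added example, not part of the SecureAuth guide. The sample file text is constructed."""
from pathlib import Path

# The three directives from the guide and the value each must have.
# (Newer OpenSSH spells the second one KbdInteractiveAuthentication and keeps the old name as an alias.)
REQUIRED = {
    "UsePAM": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PasswordAuthentication": "no",
}

# Constructed sample: "PasswordAuthentication no" was appended after an earlier
# "PasswordAuthentication yes" and after a Match block, so it is NOT the effective value.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
UsePAM yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
"""


def effective_global_settings(text: str) -> dict[str, str]:
    """Return keyword -> first effective value in the global section (before any
    Match block). Keywords are case-insensitive; the "Key=value" form is accepted too."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key, rest = tokens[0], (tokens[1] if len(tokens) == 2 else "")
        if "=" in key:                      # "Key=value" spelling
            key, _, rest = key.partition("=")
        key = key.lower()
        if key == "match":
            break                           # everything after this is conditional
        if rest and key not in settings:
            settings[key] = rest.strip().lower()   # first occurrence wins
    return settings


def check_sshd_config(text: str) -> list[str]:
    """Return a list of problems; an empty list means the file is ready for Login for Linux."""
    effective = effective_global_settings(text)
    problems = []
    for keyword, want in REQUIRED.items():
        got = effective.get(keyword.lower())
        if got != want:
            problems.append(f"{keyword}: effective value is {got or 'unset'}, want {want}")
    return problems


if __name__ == "__main__":
    import sys
    # Pass a path (for example /etc/ssh/sshd_config) to check a live file; otherwise the sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for problem in check_sshd_config(text) or ["sshd_config has the required Login for Linux settings"]:
        print(problem)
```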

Uninstallation

The following instructions explain how to uninstall Login for Linux. You must first revert the changes you made in the configuration files and then you can run the uninstall command.

The log files are not uninstalled; use them to assist with troubleshooting any issues with the uninstallation. After you have worked through any issues, you can delete the log files.

  1. Revert the changes by using the backups that you saved in Configurations for all OS's, step 1.

    If the uninstaller detects that the configuration files still reference the Login for Linux PAM module, the uninstall process fails.

  2. Run the uninstaller.

    $ sudo ./SecureAuthLoginForLinux-21.04.00.run -- uninstall

End user login experience

First login with password only

End users can log in without second-factor authentication for the number of days set by the administrator in the Installer Configuration Details page, in the Grace Period option. This allows end users to log in with a password only (without using second-factor authentication), and typically occurs after the Login for Linux installation. End users can then access their device to set up their two-factor authentication methods, such as PIN creation and answers to Security Questions, before they must authenticate to access their device.

Use case: Password-only login is useful for one or more new employees who have been issued a laptop on their first day of employment. For example, if Login for Linux is already installed on the laptops and the admin has not set a grace period value, new employees might not be able to log into their computer if they cannot connect to the SecureAuth Identity Platform to register their mobile phone or self-service page to enter a phone number.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users will see the following message when they log in with password only. End users who want to log in with a password only enter their password next to number 1 and enter No for number 2 and log in. After end users set up their second-factor methods, they are ready to authenticate so they enter Yes for number 2, which dismisses the password-only screen and opens the 2FA login screen. Thereafter, the 2FA login screen opens for end users.

69107835.png

Login without connection to Identity Platform

End users can log in when their machine does not have a connection to the Identity Platform. You must set Install Login for Endpoint without connection to Identity Platform and Grace Period to at least 1. This allows end users to log in with a password only (without using second-factor authentication) for the specified number of days.

Use case: Password-only login is useful if a third-party company configures machines for end users and the third-party company does not have connectivity to the Identity Platform. For example, if Login for Linux is installed on machines by a third-party without a connection to the Identity Platform, and the admin has not set Install Login for Endpoint without connection to Identity Platform and Grace Period to at least 1, when new employees get their machine, they will not be able to log in.

Workflow: End users are prompted to log in with their username and password only. The login screen indicates the number of days end users can continue to log in with a password only on the machine, as shown in the following image.

End users whose machines are not connected to the Identity Platform should contact the admin first so they can copy the message next to number 1 and send it to their admin. End users can then enter their password next to number 2 and log in. After the machine connects to the Identity Platform, the 2FA login screen opens for end users so they can set up their second-factor methods and log in.

69107837.png

First-time login experience

  1. Enter your domain username and password on the login screen, and then choose a 2FA method.

    The first time end users log in, Login for Linux shows only OATH-based methods (for example, TOTP, HOTP) if at least one such method is available to them. If no OATH-based method is available, they can use any other available method. This could be a method that uses the SecureAuth Authenticate App on their mobile device, or another device provisioned with the SecureAuth Identity Platform to supply timed passcodes, such as an HOTP YubiKey.

    If end users need to log in when their machine is offline, they must choose an OATH-based method during the first login. After end users select a timed authentication option and enter their password, TOTP and HOTP passcode options will be available for them to use when logging on to the machine offline.

    first_login_linux.png

    End users with more than one mobile phone or YubiKey provisioned can select which device or token to use when online. When logging on to the machine offline, any OATH-based method that was used online will be available for use.

    If you do not have an authentication method that provides an OATH-based method, then select any other option available to you.

  2. Enter the passcode that appears on the device, and then click Submit.

    After successfully logging on using a timed passcode, timed passcodes from that device can be used for login access when offline, i.e., when the machine is not connected to the Internet.

  3. Log out.

  4. Log back on to the machine, and select an authentication option from the list of multi-factor authentication methods for which you have previously enrolled.

  5. Enter the method number to access the machine on the network.

    3_2fa_selection.PNG

    Authentication method workflows are described in the following sections.

SecureAuth Authenticate Mobile App options

The methods in this section are delivered via push notification and require the use of the SecureAuth Authenticate App.

Enter timed passcode from app

This method and "Enter passcode from YubiKey" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Enter the number to the left of the timed passcode option in the list.

  2. Enter the TOTP that was sent to the SecureAuth Authenticate app on your mobile device.

    4_totp.PNG
Receive passcode from notification
  1. Enter the number to the left of the timed passcode option in the list.

  2. Enter the passcode that was sent to the SecureAuth Authenticate App on your mobile device.

    5_passcode_notification.PNG
Approve login notification for fingerprint recognition
  1. Enter the number to the left of the fingerprint recognition option in the list.

  2. You'll receive a touch ID request in the SecureAuth Authenticate App on your mobile device to log on. Tap Use Touch ID and then enter your fingerprint.

    6_fingerprint.PNG
Approve login notification for face recognition
  1. Enter the number to the left of the face recognition option in the list.

  2. You'll receive a face ID request in the SecureAuth Authenticate App on your mobile device to log on. Tap Use Face ID and then scan your face.

    7_face.PNG
Approve login notification for Symbol-to-Accept
  1. Enter the number to the left of the Accept login notification on app option in the list.

    8_symbol.PNG
  2. Receive the set of 4 symbols sent to the Authenticate mobile app on your mobile device.

  3. On the Authenticate mobile app, tap the symbol that matches the one displayed on your desktop or laptop, shown in the image in step 2. You are then logged on.

SMS / Text Message

Receive passcode
  1. Enter the number to the left of the passcode from SMS text option in the list.

  2. Enter the passcode sent via SMS text to your mobile phone.

  3. Click Submit to log on.

    9_sms.PNG
Receive link
  1. Enter the number to the left of the link from SMS/text option in the list.

  2. Click the link sent via SMS text to your mobile phone.

    19_sms2accept.PNG

Email

Receive passcode
  1. Enter the number to the left of the passcode from email option in the list.

  2. Enter the passcode sent to your email address.

    10_email.PNG
Receive link
  1. Enter the number to the left of the login request link from email option in the list.

  2. Click the link sent to your email address.

    17_email2accept.PNG

Voice Call

Receive passcode
  1. Enter the number to the left of the passcode from voice call option in the list.

  2. Enter the passcode received from the phone call.

    11_voice.PNG

Additional methods

Contact the help desk
  1. Enter the number to the left of the help desk option in the list.

  2. If more than one phone number displays for the help desk, select the phone number to use for contacting the help desk. (The phone number in the image below is an example only.)

  3. Input the passcode supplied by the help desk.

    12_helpdesk.PNG
Enter passcode from token

This method and "Enter timed passcode from app" are displayed at first login, if available. If not available, all available methods are displayed.

  1. Enter the number to the left of the HOTP device option in the list.

  2. With the YubiKey HOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

    13_hotp.PNG
Enter passcode from YubiKey (Yubico OTP protocol)
  1. Enter the number to the left of the YubiKey device option in the list.

  2. With the YubiKey OTP device (Yubico OTP protocol) inserted in the machine, tap or press the device to populate the passcode in the field.

    14_yubico.PNG
Enter passcode from YubiKey

In this example, the passcode is sent from a generic TOTP device, which might be a YubiKey, an OTP generator app (for example, FreeOTP), or any other way to generate the TOTP. You can use whatever OTP generator you prefer; the example uses a YubiKey.

  1. Enter the number to the left of the YubiKey device option in the list.

  2. With the YubiKey OATH-TOTP device inserted in the machine, tap or press the device to populate the passcode in the field.

    14_yubico.PNG
Enter PIN
  1. Enter the number to the left of the PIN option in the list.

  2. Enter your predefined personal identification number.

    18_PIN.PNG
Enter answers to Security Questions
  1. Enter the number to the left of the security questions option in the list.

  2. Answer both questions with your predefined answers. You must answer both questions.

    16_kbq.PNG