YubiKey OATH HOTP device provisioning configuration (Help Desk)
Use this guide to configure an Account Management (Help Desk) page to provision OATH HOTP YubiKey devices. This topic is specific to provisioning a YubiKey device to generate an HMAC-based one-time passcode (HOTP).
Once an OATH HOTP YubiKey device is provisioned, the end user can use it to generate an event-based one-time passcode to authenticate their login to a resource.
Common use cases for OATH HOTP YubiKeys as an authentication method are environments that use endpoints such as Login for Windows, Login for Mac, and Login for Linux.
Prerequisites
SecureAuth® Identity Platform release 21.04 or later
Data store added to the Identity Platform
Configured user authentication policy
Data store configuration
The data store configuration applies only to the Identity Platform on-prem and hybrid deployments.
In the data store configuration, map the data store field attribute to the HOTP Token field.
For example, for an Active Directory data store, it could be photo; for SQL Server, it could be OATHToken.
Configure Account Management (Help Desk) page
In the Account Management (Help Desk) page configuration, set the OATH OTP Devices field to Show Enabled. You'll need this setting so that you can view, add, and assign the YubiKey OATH HOTP device for an end user on the Account Management (Help Desk) page.
If you do not have an Account Management (Help Desk) page set up, see Account Management (Help Desk) page configuration.
Note
In the Internal Application Manager, the 3rd Party App Integrations > YubiKey Provisioning application is reserved for Yubico OTP provisioning.
Otherwise, to quickly get to this configuration, do the following:
In the Internal Application Manager, edit the Account Management (Help Desk) page.
Scroll to the bottom of the page and click the "Go to Advanced Settings to finish the configuration for this application" link.
In the Identity Management section, click the Configure help desk page link.
Scroll to the bottom of the page and set the OATH OTP Devices field to Show Enabled.
The OATH OTP Devices field is used to display the YubiKey OATH HOTP information on the Account Management (Help Desk) page.
Note
The purpose of the YubiKey field is for Yubico OTP.
Save your changes.
Next steps
After you've configured the Help Desk page and enabled the OATH OTP Devices field, a few more configurations are needed to bring it all together.
Turn on YubiKey global setting in the Identity Platform
Turn on and configure the YubiKey global MFA settings. Select the OATH HOTP check box and set the passcode length.
Enable YubiKey OATH HOTP for MFA in policy
In the authentication policy on the Multi-Factor Methods tab, select the OATH HOTP check box for YubiKey.
Program YubiKeys to generate HOTP passcodes
As an administrator, you must program YubiKey devices to generate HMAC-based one-time passcodes (HOTP) before you can provision them for your end users in the Identity Platform.
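To show what the device and the Identity Platform agree on once a YubiKey is programmed for HOTP, here is an added example (not SecureAuth or Yubico code) of RFC 4226 passcode generation and the server-side counter check, including the passcode length set in the YubiKey global setting and a look-ahead window that resynchronizes a counter that drifted ahead while still rejecting replay of an already-used code. The secret is the RFC 4226 test-vector key; the look-ahead size is an assumed value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10^digits.
    `digits` corresponds to the passcode length configured for the YubiKey."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def verify_hotp(secret: bytes, next_counter: int, candidate: str,
                digits: int = 6, look_ahead: int = 10):
    """Server-side check against the stored (next expected) counter.

    Accepts the passcode if it matches any counter in
    [next_counter, next_counter + look_ahead), which tolerates button presses
    that never reached the server. Counters below next_counter are never
    retried, so a captured code cannot be replayed. Returns the new value to
    store as next_counter, or None on failure. look_ahead=10 is an assumption."""
    for c in range(next_counter, next_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


# RFC 4226 Appendix D test-vector secret (20-byte ASCII key).
TEST_SECRET = b"12345678901234567890"
```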
Provision YubiKey OATH HOTP device
As an administrator, you can provision a YubiKey for OATH HOTP authentication for an end user in your organization.