Skip to main content

YubiKey OATH HOTP device provisioning configuration (Help Desk)

Use this guide to configure an Account Management (Help Desk) page to provision OATH HOTP YubiKey devices. This topic is specific to provisioning a YubiKey device to generate a HMAC-based one-time passcode (HOTP).

Once an OATH HOTP YubiKey device is provisioned, the end user can use a OATH HOTP YubiKey to generate a event-based one-time passcode to authenticate their log in to a resource.

Common use cases for using OATH HOTP YubiKeys as an authentication method would be on environments that use endpoints like Login for Windows, Login for Mac, and Login for Linux.

Prerequisites

  • SecureAuth® Identity Platform release 21.04 or later

  • Data store added to the Identity PlatformData store integrations

  • Configured user authentication policyManage policies

Data store configuration

The data store configuration applies only to the Identity Platform on-prem and hybrid deployments.

In the data store configuration, map the data store field attribute to the HOTP Token field.

For example, for an Active Directory data store, it could be photo or for SQL Server, it could be OATHToken.

yubikey-hotp_provisioning_006.png

Configure Account Management (Help Desk) page

In the Account Management (Help Desk) page configuration, set the OATH OTP Devices field to Show Enabled. You'll need this setting so that you can view, add, and assign the YubiKey OATH HOTP device for an end user on the Account Management (Help Desk) page.

If you do not have an Account Management (Help Desk) page set up, see Account Management (Help Desk) page configuration.Account Management (Help Desk) page configuration

Note

In the Internal Application Manager, the 3rd Party App Integrations > YubiKey Provisioning application is reserved for Yubico OTP provisioning.

Otherwise, to quickly get to this configuration, do the following:

  1. In the Internal Application Manager, edit the Account Management (Help Desk) page.

  2. Scroll to the bottom of the page and click the Go to Advanced Settings to finish the configuration for this application link.

  3. in the Identity Management section, click the Configure help desk page link.

  4. Scroll to the bottom of the page and set the OATH OTP Devices field to Show Enabled.

    The OATH OTP Devices field is used to display the YubiKey OATH HOTP information on the Account Management (Help Desk) page.

    Note

    The purpose of the YubiKey field is for Yubico OTP.

    yubikey-hotp_provisioning_007b.png
  5. Save your changes.

Next steps

After you've configured the Help Desk page and enabled the OATH HOTP Devices field, there are some more configurations to bring it all together.

Turn on YubiKey global setting in the Identity Platform

Turn on and configure the YubiKey global MFA settings. Select the OATH HOTP check box and set the passcode length.

yubikey_hotp_settings.png

Enable YubiKey OATH HOTP for MFA in policy

In the authentication policy on the Mult-Factor Methods tab, select the OATH HOTP check box for YubiKey.

yubikey-hotp_provisioning_008.png

Program YubiKeys to generate HOTP passcodes

As an administrator, you must program YubiKey devices to generate HMAC-based one-time passcodes (HOTP) before you can provision them for your end users in the Identity Platform.

See Program YubiKeys to generate OATH HOTP passcodes

Provision YubiKey OATH HOTP device

As an administrator, you can provision a YubiKey for OATH HOTP authentication for an end user in your organization.

See Provision YubiKey OATH HOTP device (Help Desk)