YubiKey Token OTP Support

YubiKeys are unique hardware tokens that generate a One-Time Password. When coupled with a standard username and password, the YubiKey is a simple to use solution that provides a strong, two-factor authentication. They emulate a USB keyboard and are driverless so they can be used across different operating systems and platforms without having to install client-side software. They do not have a power source, display or moving parts so they are extremely resistant to damage and have an expected lifetime of 10 or more years.

YubiKey support is enabled in PortalGuard through the following steps:

1)Purchase a YubiKey from Yubico (link)

2)Register for a Yubico API key using the YubiKey (link). You will receive a Client ID number and a Secret Key text string.

3)In the PortalGuard Configuration Editor, click the “Edit Bootstrap” button.

4)In the Bootstrap Configuration dialog, go to the “Services -> H/W Tokens -> YubiKey” tab:

5)Enter the client ID and secret key in the fields provided, then click the ‘Save’ button to commit the changes.

6)Still in PG_Config.exe, edit the security policy for the users who should have YubiKey support.

7)In the “Auth Methods -> Tokens” tab, ensure the Allow YubiKey Tokens checkbox is enabled. Click the Save button to commit any changes.

8)The user can now enroll a YubiKey from their PortalGuard Account Management page. The default URL for this is: http://<your.pg.server>/default.aspx

9) Clicking the Add new YubiKey link displays a prompt for a descriptive name for the YubiKey and a field for an OTP from it.

10) The YubiKey API client ID and secret will be used to securely verify the provided YubiKey OTP against Yubico’s YubiCloud servers. The same client ID and secret can be used by multiple PortalGuard servers.

11) If the OTP is valid, the YubiKey will be stored in the user’s PortalGuard profile and can be used to provide an OTP any time one is requested by PortalGuard.

12) The user can remove/disassociate the YubiKey from their PortalGuard account at any time using the “Remove” link in the PortalGuard Account Management page.

Please note the following details regarding YubiKey registration:

  • A YubiKey cannot be used for 2FA through PortalGuard until it has been associated with the user’s account
  • A user can register multiple, unique YubiKeys
  • The same YubiKey can be associated with different users