Version Number | Date | Change Description |
---|---|---|
1.0 | 06/01/2024 | Initial draft. |
Executive Summary
This guide details the implementation and usage of YubiKey, a durable and portable external security device, by federal employees and contractors to enhance the security of federal systems through FIDO2-compliant multi-factor authentication (MFA). It highlights the benefits of YubiKey, emphasizing its resistance to phishing attacks and broad compatibility with various platforms, making it an ideal choice for securing sensitive government data. The guide provides comprehensive instructions for initial setup on both macOS and Windows, including downloading the YubiKey Manager, creating a secure PIN, and configuring the device with federal systems such as Okta. Additionally, it addresses questions concerning the necessity of a PIN for YubiKey, the limitations of using platform authenticators in a federal context, and troubleshooting tips for issues like forgotten PINs or device resetting. This document is a crucial resource for federal employees and contractors tasked with maintaining high security standards using YubiKey on federal systems.
Why YubiKey?
The YubiKey is a small, external authenticator, also known as a security key, designed to make your online accounts more resistant to phishing and compromise. It is used to perform multi-factor authentication (MFA) when users access secure systems. The YubiKey represents an advancement in MFA technology by offering a more secure and user-friendly alternative to traditional methods like text-based codes or mobile authenticator apps. A key feature of the YubiKey is the touch sensor, which is used to prove that a person is physically present at the device. The diagram below shows the different YubiKey 5 Series dongles and highlights the sensors.
Using YubiKey is generally considered more secure than conventional MFA methods like One-time Passwords (OTP) or Time-based One-time Passwords (TOTP) used by mobile apps such as Google Authenticator or Okta Verify. With OTP and TOTP, users must verify the authenticity of a website and the security of their connection themselves; a code typed into a convincing fake site can simply be forwarded to the real one, which introduces elevated phishing risks. The YubiKey 5 Series employs FIDO2 technology, in which each credential is a cryptographic key pair bound to the website's origin: the browser reports the actual origin of the page that requested the login, and the key signs only that, so a credential registered for the legitimate site never yields a usable signature for a look-alike site. This eliminates the need for users to verify connection authenticity and defeats phishing techniques such as typo-squatted domains and credential-relaying man-in-the-middle proxies. Additionally, the YubiKey requires physical interaction (a touch) and may use a PIN, ensuring that a signature is produced only with user consent, further enhancing security.
Other features of YubiKeys include:
- Rugged and Portable: The YubiKey is made with solid materials like glass-fiber reinforced plastic, can handle water and dust, and does not need batteries.
- Easy to Connect: YubiKeys are available in USB-A and USB-C formats, as well as with a Near Field Communication (NFC) option for mobile devices, making them compatible with most computers and smartphones.
- Broad Compatibility: The YubiKey is compatible with many operating systems like Windows, macOS, Chrome OS, and Linux, and popular web browsers like Chrome, Safari, and Edge. It can help secure access to most online services and platforms.
- FIPS Certified: The YubiKey series also offers FIPS 140 validated versions, which are required by government agencies and regulated industries like healthcare.
Prerequisites
To use YubiKey for FIDO2 authentication on Okta, several prerequisites must be met to ensure a successful deployment and operation:
- Compatible YubiKey Device: Ensure that the YubiKey model you intend to use supports FIDO2. YubiKey 5 Series or newer models are typically compatible.
- Supported Web Browsers: The web browser used to access Okta must support WebAuthn. Popular browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari have this support.
- Okta Configuration: Okta must be configured to allow FIDO2 as an authentication method. This involves enabling the FIDO2 (WebAuthn) authenticator in the Okta Admin Console under Security > Authenticators. See Device enrollment configuration with Okta set-up below.
- Operating System Compatibility: The operating system on the user's device must support the USB or NFC interface of the YubiKey model being used.
- User Training and Onboarding: Users will need to learn how to use their YubiKey, including initial setup, PIN creation, and using it to log in.
Device enrollment configuration with Okta set-up
Prerequisites
Disable use of Syncable Passkeys
- WebAuthn supports enrollment of passkeys, a password-less type of authentication.
- Passkeys can be synced to a cloud service such as Apple iCloud Keychain and copied to other devices, so the private key no longer lives only on one piece of hardware.
- For this reason, it is preferred to disable this functionality for federal accounts.
- Navigate to Settings > Features on the left menu.
- Ensure the feature "Block passkeys for FIDO2 (WebAuthn) Authenticators" is toggled to the enabled position.
Create a Group for the WebAuthn policy
- Okta policies are configured on a user group basis. The first step is to create a group. Users added to this group will have the ability to use YubiKeys.
- Enter a name and description and save the group.
Procedure
Enable the Authenticator
- On the left menu navigate to Security > Authenticators.
- Click "Add Authenticator".
- Under the "FIDO2 (WebAuthn)" tile, click the "Add" button.
- Set "User verification" to "Discouraged". This setting controls whether Okta demands proof of user verification (the PIN or a biometric) in each assertion. With "Discouraged", Okta accepts a touch alone at sign-in; the PIN is still needed to enroll, because a FIDO2 key that has a PIN set requires it to create a new credential. If agency policy requires the PIN at every login, choose "Required" instead.
- Click the "Add" button.
Optional Device Restrictions
- After adding the FIDO2 authenticator you will see the "Authenticator settings" tab.
- This allows configuring the accepted devices when enrolling FIDO2 security tokens, such as requiring the use of FIPS-compliant security tokens.
Restricting use to only FIPS compliant security tokens
- Click the "Add authenticator group" button.
- Enter a name for this group, for example "Yubikey FIPS Only".
- Search for the desired devices and select all that apply.
- When all of the desired devices are selected, click "Add authenticator group".
- When finished you will see your group created.
Create Enrollment Policy
- The final step is to create an enrollment policy which will apply the desired group.
- From the left menu navigate to Security > Authenticators, select the "Enrollment" tab, and click "Add Policy".
- Enter a name for the policy.
- Select the previously created group in the "Assigned to groups" field.
- Optionally set "Allowed authenticators" to "Authenticators from selected group list".
- Click "Create policy".
- On the next screen enter a name for the Enrollment Rule and click "Create rule".
- At this time, you will see your complete policy and rule.
- Adjust the enrollment policy priority as desired to meet your requirements.
- This concludes the configuration steps.
First-time setup for new device PIN creation macOS
Step 1 - Install YubiKey Manager
- Download the YubiKey Manager
  - Access the download link provided and save the file to your Mac.
- Run the Installer
  - Locate the downloaded file, usually in your Downloads folder, and double-click to open it.
  - Proceed through the installation wizard by selecting Continue > Continue and then Install.
- Authorize the Installation
  - Depending on your Mac's security settings, you might need to authorize the installation using Touch ID or your Mac login password.
  - Confirm by clicking OK if prompted for access to the Downloads folder.
- Complete the Installation
  - Once the installation is complete, you will have the option to move the installer to the Trash. Click Close to finalize the install.
- Open the YubiKey Manager
  - You can open the YubiKey Manager either by using Spotlight search (Command + Spacebar, then type "YubiKey") or by going directly to your Applications folder.
- Prepare the YubiKey
  - Plug your YubiKey into the appropriate USB port on your Mac.
Step 2 - Setup YubiKey PIN
- Navigate to PIN Setup
  - In the YubiKey Manager, go to Applications > FIDO2.
- Set Your PIN
  - Click Set PIN.
  - In the New PIN field, enter a unique combination of at least six characters (six is the minimum enforced by the FIPS-series YubiKeys; the general FIDO2 minimum is four).
  - Your PIN can include both letters and numbers.
  - Choose a secure and memorable PIN.
Caution
Avoid simple sequences or commonly used values such as "password" or "123456".
  - Re-enter the same PIN in the Confirm PIN field to ensure accuracy.
- Confirm PIN Setup
  - Click Set PIN to finalize your PIN setup. This PIN will be required for enrolling your security key and for subsequent access to Okta.
Enrolling a Security Key on CMS Okta IDM - macOS
- Login to Okta portal
  - Navigate to Okta and sign in using your EUA Username and Password.
  - Click the checkbox to agree to the Terms & Conditions.
  - Click Sign In.
  - The page refreshes to display an MFA authentication prompt.
  - Complete the MFA challenge with your current setup (e.g., Okta Verify mobile app).
- Navigate to Security Settings
  - Click your name to expand the drop-down list.
  - Click Settings.
- Start Security Key Enrollment
  - Within the Extra Verification menu, click the Setup button next to the Security Key or Biometric Authenticator option.
  - Avoid selecting the YubiKey option. That option is Okta's YubiKey OTP factor (one-time passcodes typed out by the key), not FIDO2 (WebAuthn).
- Enroll Your Security Key
  - Navigate to the Multifactor Authentication section and then click Setup.
  - Click Enroll.
  - Click the Use a different passkey button.
  - Select the Use a phone, tablet, or security key option.
  - Activate your YubiKey by touching the gold sensor on the device.
  - If it doesn't respond, unplug and re-insert the YubiKey.
  - Enter your PIN and click Next.
  - Press the gold sensor on the YubiKey again.
  - Click Allow to complete the enrollment process.
- Completion
  - Return to Settings > Extra Verification in Okta.
  - Confirm that you see an indication that your security key has been successfully added.
Login to CMS Okta with Security Key - macOS
- Login to Okta portal
  - Navigate to Okta and enter your EUA Username and Password into the appropriate fields.
  - Click the checkbox to agree to the Terms & Conditions and then click Sign In.
  - Note: Session cookies from a previous authentication may remain valid, and Okta may not prompt you to re-authenticate after login. In this circumstance, click your name in the top right-hand corner to expand the drop-down list and click Log Out to return to the Sign In screen.
- MFA Challenge with Security Key
  - When the MFA prompt appears, touch the gold sensor on the YubiKey.
  - The page refreshes to display additional fields.
  - Enter the PIN you established earlier and click Next.
  - Touch the gold sensor on the YubiKey once more.
- Successful Authentication into Okta
  - You have successfully completed the security key login process and can access resources protected by CMS ID.
First-time setup for new device PIN creation Windows
Step 1 - Install YubiKey Manager
- Download the YubiKey Manager
  - Access the download link provided and save the file to your computer.
- Run the Installer
  - Locate the downloaded file, usually in your Downloads folder, and double-click to open it.
  - Depending on your Windows security settings, you might need to authorize the installation (User Account Control prompt). Complete the authorization challenge.
  - Proceed through the installation wizard by selecting Next > Next and then Install.
- Complete the Installation
  - After the installation completes, select Finish.
- Open the YubiKey Manager
Notice
Run the YubiKey Manager as an Administrator for the initial setup. On Windows, setting or changing the FIDO2 PIN from the YubiKey Manager requires administrator rights because Windows restricts direct access to FIDO devices.
  - The YubiKey Manager opens automatically after installation. If it doesn't, you can open it by searching for it in the Start menu.
- Prepare the YubiKey
  - Plug your YubiKey into the appropriate USB port on your Windows system.
Step 2 - Setup YubiKey PIN
- Navigate to PIN Setup
  - In the YubiKey Manager, go to Applications > FIDO2.
- Set Your PIN
  - Click Set PIN.
  - In the New PIN field, enter a unique combination of at least six characters (six is the minimum enforced by the FIPS-series YubiKeys; the general FIDO2 minimum is four).
  - Your PIN can include both letters and numbers.
  - Choose a secure and memorable PIN. Avoid simple sequences or commonly used values such as "password" or "123456".
  - Re-enter the same PIN in the Confirm PIN field to ensure accuracy.
- Confirm PIN Setup
  - Click Set PIN to finalize your PIN setup. This PIN will be required for enrolling your security key and for subsequent access to Okta.
Enroll Security Key on Okta - Windows
- Login to Okta portal
  - Use the provided link to sign in with your EUA Username and Password.
  - Agree to the Terms & Conditions and select Sign In.
  - Complete the MFA challenge with your current setup (e.g., Okta Verify mobile app).
- Navigate to Security Settings
  - Click on your name at the top right corner and select Settings.
- Start Security Key Enrollment
  - Within the Extra Verification menu, click the Setup button next to the Security Key or Biometric Authenticator (FIDO2) option.
  - Avoid selecting the YubiKey option; it is Okta's YubiKey OTP factor, not FIDO2 (WebAuthn).
- Enroll Your Security Key
  - In Okta, navigate to the Multifactor Authentication section and then click Setup.
  - Click Enroll.
  - Select Security Key and then click Next.
  - Click OK to continue (Windows Security shows two consecutive prompts).
  - Enter the PIN you established earlier and click OK.
  - Activate your YubiKey by touching the gold sensor on the device.
  - If it doesn't respond, unplug and re-insert the YubiKey.
  - The passkey is saved. Click OK.
- Completion
  - Return to Settings > Extra Verification in Okta and confirm that you see an indication that your security key has been successfully added.
Login to Okta with Security Key - Windows
- Login to Okta portal
  - Use the provided link to sign in with your EUA Username and Password.
  - Agree to the Terms & Conditions and select Sign In.
  - Your session cookie might still be valid, in which case Okta will not require you to re-authenticate. To exercise the security key login, select your name in the top right-hand corner, click Log Out, and sign in again.
- MFA Challenge with Security Key
  - Select Security Key and click Next.
  - Enter the PIN you established earlier and click OK.
  - Touch the gold sensor on the YubiKey.
- Authenticated with Okta
  - You have successfully completed the security key login process.
Glossary of Terms
FIDO2 Authentication - A modern authentication standard that strengthens security by allowing users to utilize local biometrics and security keys for passwordless logins or as a part of multi-factor authentication. FIDO2 is an enhancement of the original FIDO standards, adding support for passwordless authentication and expanded browser support through its WebAuthn component.
WebAuthn (Web Authentication) - A web standard published by the World Wide Web Consortium (W3C) in collaboration with the FIDO Alliance, which specifies a built-in browser API enabling online services to offer a secure, passwordless login experience using public key cryptography. WebAuthn allows users to authenticate themselves on the internet using biometrics, mobile devices, or FIDO2 devices like security keys, instead of relying on traditional passwords.
FIPS (Federal Information Processing Standards) - U.S. government standards that coordinate the requirements for cryptographic modules, including both hardware and software components, used within a security system to protect sensitive but unclassified information.
Passkey - A digital credential used in place of traditional passwords, often part of modern authentication systems like FIDO2, to provide a more secure and easy login experience. Passkeys enhance security by using cryptographic techniques, meaning they are resistant to phishing and cannot be reused across different sites, significantly reducing the risk of credential theft.
PIN (Personal Identification Number) - A numeric or alphanumeric password used in the authentication process to verify the identity of a user accessing a system or device.
Multi-Factor Authentication (MFA) - A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
Security Key - A physical device used to access computers, networks, and online accounts by proving possession of the key as a form of authentication.
USB-C - A type of USB connector that is reversible, allowing it to be plugged in either direction, and supports faster data transfer, increased power flow, and video delivery.
USB-A - The original standard USB connector, which is flat and rectangular in shape, commonly used to connect devices like keyboards, mice, and external hard drives to computers.
NFC (Near Field Communication) - A set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other.
YubiKey - A small hardware device produced by Yubico that provides secure two-factor, multi-factor, and passwordless authentication and supports protocols such as FIDO2 and U2F.
Okta - A cloud-based service that provides identity management and access management solutions, enabling secure authentication and user verification across various platforms and applications.
Yubikey FAQs
Why do I need a PIN for my YubiKey?
- Think of your YubiKey like a debit card for digital security. Just as your bank card uses a PIN to keep your money safe, your YubiKey uses a PIN for an extra layer of protection. This means that if someone ever gets their hands on your security key, they still can't use it unless they know your unique PIN. Additionally, the policies which govern IDM at Okta require a PIN when you first set up your security key, ensuring that it's really you who is activating it.
What are Platform Authenticators and how come I can't use my smartphone to enroll a security key?
- Platform authenticators, aka internal authenticators: These are devices that you typically own, such as smartphones and laptops. Depending on the hardware and software version, they meet the FIDO2 standards, which allow you to prove your identity using methods like a PIN, your fingerprint, or facial recognition, utilizing the built-in security features of your device just like a YubiKey.
The core of FIDO2 is a private key generated for each account; think of it as the digital version of a physical key for a locked door. (When the credential is kept on the authenticator so that it can be found without first typing a username, it is called a resident key or discoverable credential.) In a typical setup, these private keys are securely stored on your device itself. However, in certain situations, depending on your device's setup and type, these keys may be synchronized to the cloud, which is what makes a passkey "syncable". This scenario presents security and audit risks, primarily because of uncertainties about where exactly these private keys are stored and who is able to restore them onto a new device.
Since different users have various types of devices and settings, and because of the potential cloud storage of private keys, platform authenticators might pose security challenges in terms of administration and management of organizational security standards. This variability is why, in most organizational contexts, platform authenticators may not be recommended or allowed.
- External authenticators, aka USB authenticators: These are independent devices such as your YubiKey that have one single purpose. They store the private keys directly on the device itself, meaning the private keys reside solely within the physical bounds of the external authenticator and cannot be exported. This approach generally offers a higher level of security because the private keys are not stored or replicated anywhere else, thus reducing the risk of unauthorized access.
How do I unlink the YubiKey from Okta?
To remove your YubiKey from Okta:
- Login to the Okta portal.
- Click your name to expand the drop-down list and then select Settings.
- Navigate to the Extra Verification section and click the Remove button adjacent to the YubiKey 5 FIPS with NFC option.
What should I do if I forget my YubiKey PIN?
- To reset your YubiKey PIN:
  - Open the YubiKey Manager and click Applications > FIDO2.
  - Click the Reset FIDO button and follow the prompts (you will be asked to remove and re-insert the key, then touch it). Please note that resetting the FIDO2 application returns it to a "factory new" state: the PIN and every FIDO credential on the key are erased, including credentials registered with services other than Okta. You'll need to go through the process of enrolling a security key, just as you did when you first got it.
  - Do not keep guessing: the FIDO2 application locks itself permanently after eight consecutive wrong PIN entries, and a reset is then the only option anyway.
- Can't access or reset your YubiKey?
  - If you're without your YubiKey, or forgot your PIN and had to reset, you can still access Okta by choosing an alternative MFA method during the login process:
  - Log into Okta as usual until you reach the MFA prompt.
  - Click Cancel.
  - Click the drop-down list arrow and select an alternate MFA method.
  - Select a verification method from the list of previously configured options, such as Okta Verify or Google Authenticator.
  - Click Retry.
  - Complete the MFA logon process.
  - Re-enroll your security key ONLY IF you reset your YubiKey.