Yubico Authentication

Christopher Dakin

Introduction

LogonBox supports user authentication via a YubiKey fob from Yubico. A YubiKey is a small keyfob that plugs into a USB port; the user touches a conductive pad on the YubiKey, after which the key types a unique one-time password into the attached computer. This article explains how to configure your LogonBox to use this method of authentication.


Configuring the Authentication Scheme

It is important to note that you can apply a different authentication flow to each type of logon, and the available logon types depend on the product in use.

For example, with SSPR you might have: User Login, Password Reset, Account Unlock, Admin, SSO, Windows Login and Windows RDP Login.

And with the VPN, these would be: User Login, Admin and LogonBox VPN Client.


Each of these can have its own default authentication flow configured, but for this article, we shall alter Password Reset.

Navigate to Authentication->Schemes->Password Reset. Note that by default this is configured with an orange Username module and a green User Selective 2FA one.

First, note that Yubico is available both as an orange module and as a green one.


We can use a YubiKey as part of a multi-factor login alongside some other authentication, hence the option to use the green module. However, part of a YubiKey's unique one-time code consists of static characters that you can link to a username. A YubiKey can therefore establish the identity of the user as well as present a password, so in this case we could opt to use the orange module and not even have to ask for a username.

Let’s use the green module for this example. Remove the existing green module by clicking the trash icon inside the module.


Now add the Yubico module by clicking the plus icon next to green Yubico to add it into the authentication flow and click Save at the bottom.


Yubico options

Now you must get a Yubico Client ID and Secret key. Edit the Authentication Scheme again and click on the edit icon inside the Yubico module to see where you need to enter these values.

In this edit page you will see a link that will take you to Yubico's API key page.


Open the Yubico link in a new tab. Type in your email address as requested and agree to the terms and conditions.

Insert your YubiKey into a spare USB port.

Now click in the YubiKey OTP field and touch your YubiKey. The Key will type in a unique code and submit the page for you.


You will now be presented with your Client ID and Secret Key; make a note of these.


Now go back to your LogonBox's Authentication scheme and edit the Yubico module again.

Type in your Client ID and Secret Key and click Apply.


Linking YubiKeys with users

Your LogonBox is now ready to work with YubiKeys, but first you must link each YubiKey with the person who will be using it, which can only be done from the admin account.

You must have access to the YubiKey that is to be linked and it must be plugged into a USB port.

Navigate to User Directory->Users and next to the user you want to link this key to, click the green gears icon, then select Allocate YubiKey.


Give the YubiKey a Name (this can be anything you wish; it is just for your reference). In this example we'll just use the user's username as the name.

Click in the YubiKey field and touch the YubiKey, which will type in its own one time password. Click Create to complete the process.


This user is now set up to authenticate with their YubiKey. A user can have more than one key linked to their account; just continue allocating new keys as you require them (for example, if a user has one key at work and another at home).

Click on the green gears icon again and select Manage Yubikeys to see which keys a user has linked to their account. You can delete a key associated with this account by clicking the delete trash icon here.
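The identity link described above (the static prefix of an OTP, its public ID, is what ties a key to a user) and the Allocate/Manage YubiKey steps can be illustrated with a small registry. This is an added example, not LogonBox code; it assumes the standard 44-character YubiKey OTP layout (12-character public ID followed by a 32-character changing token) and uses constructed OTP values.

```python
# Added example (not LogonBox code): how a YubiKey OTP's static prefix (its
# public ID) lets a server decide which user a key belongs to, and how the
# "Allocate YubiKey" / "Manage YubiKeys" steps map onto a key registry.
from typing import Dict, List, Optional, Tuple

MODHEX = "cbdefghijklnrtuv"      # Yubico's keyboard-layout-neutral alphabet
TOKEN_LEN = 32                   # encrypted, changing part of every OTP
OTP_LEN = 44                     # assumed layout: 12-char public ID + token


def public_id(otp: str) -> Optional[str]:
    """Return the static public ID prefix of an OTP, or None if malformed."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        return None
    return otp[:-TOKEN_LEN]


class YubiKeyRegistry:
    """Per-user key links, as created by 'Allocate YubiKey' in LogonBox."""

    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[str, str]] = {}  # public ID -> (user, name)

    def allocate(self, username: str, name: str, otp: str) -> str:
        pid = public_id(otp)
        if pid is None:
            raise ValueError("not a well-formed YubiKey OTP")
        # One physical key must not be linked to two different accounts.
        if pid in self._keys and self._keys[pid][0] != username:
            raise ValueError("key already linked to another user")
        self._keys[pid] = (username, name)
        return pid

    def remove(self, pid: str) -> None:
        """'Manage YubiKeys' -> trash icon."""
        self._keys.pop(pid, None)

    def keys_for(self, username: str) -> List[str]:
        """Names of every key linked to this account (work key, home key...)."""
        return sorted(n for u, n in self._keys.values() if u == username)

    def identify(self, otp: str) -> Optional[str]:
        """Username the key is linked to (orange-module use), if any.

        This only reads the static prefix; the OTP itself must still be
        validated with Yubico using the Client ID and Secret Key.
        """
        pid = public_id(otp)
        return self._keys[pid][0] if pid in self._keys else None
```
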


Continue setting up the rest of your users with their keys.


Testing

As we have configured this scheme for Password Reset on an SSPR product, to test this click on the Reset Password link on the main LogonBox portal.


The user is prompted for their username; type the username and click Next.


The user should insert their YubiKey and touch it to activate it, which types in the one-time password for them and presses Enter to go to the next stage.


The authentication succeeds and the user is now prompted to change their password.


The process should be similar for all the other Authentication Flows that you may want to use.