Integrate YubiKey HOTP with Centrify Hyper-scalable Privileged Access Service

HOTP is an event-based OTP algorithm in which the changing factor is an event counter. The counter increases each time a code is generated, so HOTP is time independent.

This document is an end-to-end guide for integrating YubiKeys with Centrify PAS using OATH-HOTP.

Before you begin, you will need the following:

  • Centrify PAS tenant. You can register a tenant here.
  • Yubico personalization tool. Download the tool from here.
  • Yubico Keys. Different keys can be compared here.

Note:   A Yubico Neo key is used in this document walkthrough.

To set up your Yubikey:

  1. Insert your Yubikey in your USB port. The Yubikey is a full-featured key with USB contacts. To learn more about its additional capabilities, see YubiKey NEO.
  2. Configure the Yubikey.
    1. Start the Yubikey personalization tool.
    2. Select OATH-HOTP.
    3. Click the Advanced button.
    4. Ensure you are on the OATH-HOTP configuration tab.
    5. Ensure the Yubikey is inserted and can be read.
    6. Ensure Configuration Slot 2 is selected.
    7. If OATH Token Identifier is already selected, deselect it.
    8. Select the 6 digits option.
    9. Generate a secret key.
    10. Once the key is generated, highlight the key and copy it to a safe location. This key will be used in a later step.
    11. Write the above configuration to the key.
    12. Confirm the configuration is written and no errors are displayed.

To integrate Yubikey with Hyper-scalable PAS:

  1. Log into the Centrify Portal as a Cloud Admin user and navigate to the Settings tab.
  2. Select Authentication > OATH Tokens.
  3. Click on Bulk Token Import. This opens the CSV file for the Yubikey token details.
  4. Complete the bulk import spreadsheet as shown in the example below and save the file.

    Note:   Ensure you paste the previously copied HEX key into the appropriate cell.

  5. Browse to the saved spreadsheet and upload it.
  6. Click Next to complete the key imports.
  7. When you are done, you should see a configuration similar to this:
  8. Create your custom Authentication Profile specifying the required options for the Multi-Factor Authentication profile.

    Note:   Ensure you select OATH OTP Client on either the 1st or 2nd challenge.

  9. Enable the Login Authentication option.
  10. Select a previously configured Login Profile.
  11. Enable OATH OTP in the Policies Set.

Now that the configuration and integration are complete, users can use the Yubikey to log in to Centrify Hyper-scalable Privileged Access Service.

To see your Yubikey integration:

  1. Start the Centrify Portal.
  2. Provide your login ID and click Next to go to the MFA login screen.
  3. Touch the Yubikey for about 3 seconds to generate the counter-based HOTP.
  4. You should now be able to successfully log into your Centrify Portal environment.
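
What the key and a verifying server compute on each touch, as an added example (not Centrify or Yubico code): RFC 4226 HOTP from a hex secret with 6 digits, as configured above, plus a look-ahead check that advances the stored counter. The secret is the RFC 4226 test key, and the `verify` helper and its window of 5 are assumptions for illustration, not documented Centrify behavior.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890") as hex.
# Stands in for the secret copied from the personalization tool.
TEST_SECRET = "3132333435363738393031323334353637383930"


def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    key = bytes.fromhex(secret_hex)  # spaces between hex bytes are ignored
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_hex, stored_counter, submitted, window=5, digits=6):
    """Hypothetical server-side check with a look-ahead window.

    Tries counters stored_counter .. stored_counter + window, because the
    key's counter runs ahead whenever it is touched outside a login.
    Returns the counter to store next on success, None on failure.
    Storing matched + 1 invalidates the used code and all earlier ones.
    """
    for c in range(stored_counter, stored_counter + window + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret_hex, c, digits), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed scenario: the key was touched twice outside a login,
    # so it emits the code for counter 2 while the server still stores 0.
    code = hotp(TEST_SECRET, 2)
    new_counter = verify(TEST_SECRET, 0, code)
    print("code", code, "accepted, server counter now", new_counter)
    print("replay of same code:", verify(TEST_SECRET, new_counter, code))
    print("key 9 touches ahead:", verify(TEST_SECRET, 0, hotp(TEST_SECRET, 9)))
```

In this sketch a key touched more than `window` times outside a login no longer verifies, which is the trade-off of a small look-ahead window: a larger one tolerates more drift but gives a guessed code more chances to match.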

