Integrate YubiKey HOTP with Centrify Hyper-scalable Privileged Access Service
HOTP (RFC 4226) is an event-based OTP algorithm: the moving factor is a counter, not the clock. The counter increments each time a code is generated, so HOTP codes are independent of time and the token needs no clock; the server must instead track the counter value it last accepted for each token.
This document is an end-to-end guide for integrating YubiKeys with Centrify PAS using OATH-HOTP.
Before you begin, you will need the following:
- A Centrify PAS tenant. You can register a tenant here.
- The YubiKey Personalization Tool. Download the tool here.
- YubiKeys. The different models can be compared here.
Note: A YubiKey NEO is used in this walkthrough.
To set up your YubiKey:
- Insert your YubiKey into a USB port. The YubiKey NEO is a full-featured key with USB contacts. To learn more about its additional capabilities, see YubiKey NEO.
- Configure the YubiKey.
- Start the YubiKey Personalization Tool.
- Select OATH-HOTP.
- Click the Advanced button.
- Ensure you are on the OATH-HOTP configuration tab.
- Ensure the YubiKey is inserted and can be read.
- Ensure Configuration Slot 2 is selected. Slot 2 is triggered by a long touch of the key, which is why the login step later asks for a touch of about 3 seconds.
- If OATH Token Identifier is already selected, deselect it. With the identifier enabled, the key prefixes every OTP with it, and the 6-digit code would not validate as a plain OATH OTP.
- Select the 6 digits option.
- Generate a secret key.
- Once the key is generated, highlight it and copy it to a safe location. This hex key will be used in a later step; treat it as a credential, because anyone holding it can compute the same codes as the YubiKey.
- Write the above configuration to the key.
- Confirm the configuration is written and no errors are displayed.
To integrate the YubiKey with Hyper-scalable PAS:
- Log in to the Centrify Portal as a Cloud Admin user and navigate to the Settings tab.
- Select Authentication > OATH Tokens.
- Click Bulk Token Import. This opens the CSV template for the YubiKey token details.
- Complete the bulk import spreadsheet as shown in the example below and save the file.
Note: Paste the hex secret key you copied from the personalization tool into the appropriate cell. The secret must match the key exactly, or the imported token will never produce a valid code.
- Browse to the saved spreadsheet and upload it.
- Click Next to complete the token import.
- When you are done, you should see a configuration similar to this:
- Create a custom Authentication Profile specifying the required options for the multi-factor authentication profile.
Note: Select OATH OTP Client as either the first or second challenge.
- Enable the Login Authentication option.
- Select the Login Profile you configured previously.
- Enable OATH OTP in the policy set.
Now that the configuration and integration are complete, users can use their YubiKey to log in to Centrify Hyper-scalable Privileged Access Service.
To test your YubiKey integration:
- Open the Centrify Portal.
- Enter your login ID and click Next to go to the MFA login screen.
- With the cursor in the OATH OTP field, touch the YubiKey for about 3 seconds (the long touch selects slot 2) to generate the counter-based HOTP code.
- You should now be able to log in to your Centrify Portal environment.
For questions about how Centrify can help you consolidate user identities and solve the number 1 cause of all cyber-attacks, please contact us.