YubiKey Configuration Guide

Disclaimer

YubiKeys are not supported by UCSC. This guide is intended to be completely self-service and to give you an opportunity to use your YubiKey with MFA.

If you already own a YubiKey for authentication into online services and it is not configured properly, you can lock yourself out of your other accounts. It is recommended that you buy a YubiKey strictly for use with MFA at UCSC. 

Note: Duo does not work with Firefox at this time.

If you decide to use a YubiKey for MFA at UCSC, here are the instructions.

This guide will work with any Yubico One-Time Passcode (OTP) enabled YubiKey. If you are not sure whether your YubiKey is Yubico OTP enabled, check the products section on the Yubico website. Please note that the $20 security key from Yubico will not work with this guide.

  1. You will need to download the YubiKey Personalization Tool.
  2. Open the tool and insert your YubiKey.

Most YubiKeys come with two configuration slots. The first is already configured for you when you buy the key. We will be configuring the second blank slot. 

If you have a nano-sized YubiKey, you will also want to prevent accidental triggering of the first slot. To do this, go to the extended settings and disable fast triggering.

Once you’ve verified that your YubiKey has two slots, is updatable, and supports Yubico OTP, you are ready to start the configuration!

  1. Select Yubico OTP mode in the about page. Select the quick option.

The Yubico OTP tab generates a new public and private identity and secret key each time the tab is opened. These values are not written to the device until “Write Configuration” is clicked.

  1. Select configuration slot 2. Then click regenerate. Uncheck Hide values.

You will need the Serial Number (in decimal format), Private Identity (in hex), and Secret Key (in hex) to add the YubiKey to your Duo account. There is no way to read your existing Public Identity, Private Identity, and Secret Key off the token once they have been written. So write them down! You will need them if you use this YubiKey with other services in the future.

Double check your work. There is no going back after this step.

  1. Click write configuration.

Your YubiKey is now configured! Your next step is to provide the serial number, private identity, and secret key to the Help Desk team. Please provide these in the following comma-separated format.

{Serial in Decimal}, {Private Identity}, {Secret Key}

01231337, 0c 87 99 55 78 ee, a4 d0 93 a9 bd 09 e1 24 e9 17 b6 72 03 56 a1 3b

  1. Head to itrequest.ucsc.edu and click on “Get help, Open a Support Ticket”.

  1. Click on Get Help - Open a Ticket

  1. On the left-hand side of the pane, navigate to the Self-Service dropdown. Select Get Help - Open a Ticket.
  2. Fill out the ticket with the following information.
    • Client: Should be your name.  
    • Keyword/Category: should be MFA Token.
    • Description: Please make sure to ask the Support Center to secure the ticket and assign it to the appropriate technician to add the YubiKey. Do this before posting the YubiKey serial, private identity and secret key into the ticket!

    [Screenshot: filled out ticket details]
  1. Click submit.
  2. A technician will secure the ticket so that only you and the tech will be able to see the following credentials. Please provide these in the following comma-separated format.

    {Serial in Decimal}, {Private Identity}, {Secret Key}

    01231337, 0c 87 99 55 78 ee, a4 d0 93 a9 bd 09 e1 24 e9 17 b6 72 03 56 a1 3b

  3. Once the YubiKey has been added, go to any CruzID Gold site to test the key. Select any device from the dropdown and select the "Enter a Passcode" button. 

  [Screenshot: MFA Authentication Screen]

  1. Insert the YubiKey into your computer. Depending on which slot was programmed, press and/or hold the button on the YubiKey to generate a passcode. The first slot is used to generate the passcode when the YubiKey button is touched for between 0.3 and 1.5 seconds and released. The second slot is used if the button is touched for between 2 and 5 seconds.
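
The comma-separated record this guide asks for (in the Help Desk step and again in the secured ticket) is easy to mistype, and the values cannot be read back from the key once written. The following added example, which is not part of the original guide or of any UCSC, Duo or Yubico tool, checks a line locally before you post it; the function names are hypothetical, and the 6-byte and 16-byte field sizes are the standard Yubico OTP sizes, which the guide's sample line matches.

```python
import re

# Yubico OTP slot field sizes: 6-byte private identity, 16-byte (AES-128) secret key.
PRIVATE_ID_BYTES = 6
SECRET_KEY_BYTES = 16

# The sample line printed in this guide (not a real credential).
GUIDE_EXAMPLE = "01231337, 0c 87 99 55 78 ee, a4 d0 93 a9 bd 09 e1 24 e9 17 b6 72 03 56 a1 3b"


def _parse_hex(field, name, expected_bytes):
    """Return the field as bytes, accepting 'a4 d0 ..' or 'a4d0..' spellings."""
    compact = "".join(field.split())
    if not re.fullmatch(r"[0-9a-fA-F]*", compact):
        raise ValueError(f"{name}: contains non-hex characters")
    if len(compact) != expected_bytes * 2:
        raise ValueError(f"{name}: expected {expected_bytes * 2} hex digits, got {len(compact)}")
    return bytes.fromhex(compact)


def parse_enrollment_line(line):
    """Validate '{Serial in Decimal}, {Private Identity}, {Secret Key}'."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields, got {len(fields)}")
    serial, private_id, secret_key = fields
    # str.isdigit() accepts non-ASCII digits, so match ASCII decimals explicitly.
    if not re.fullmatch(r"[0-9]+", serial):
        raise ValueError("serial: must be decimal digits only")
    return {
        "serial": serial,  # kept as text so a leading zero survives
        "private_id": _parse_hex(private_id, "private identity", PRIVATE_ID_BYTES),
        "secret_key": _parse_hex(secret_key, "secret key", SECRET_KEY_BYTES),
    }


def canonical_line(record):
    """Re-emit the record in the guide's layout: space-separated hex bytes."""
    return ", ".join([record["serial"], record["private_id"].hex(" "),
                      record["secret_key"].hex(" ")])


def redacted(record):
    """On-screen confirmation that never echoes the private identity or key."""
    return (f"serial={record['serial']} private_id=<{len(record['private_id'])} bytes> "
            f"secret_key=<{len(record['secret_key'])} bytes>")


if __name__ == "__main__":
    print(redacted(parse_enrollment_line(GUIDE_EXAMPLE)))
```

Run it on your own machine only; the point of the redacted summary is that the private identity and secret key never need to appear anywhere except the secured ticket.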