<h1 class="sectionedit1" id="yubikey_second_factor">Yubikey Second Factor</h1>
<div class="level1">
<p>
The <a href="http://www.yubico.com/yubikey" class="urlextern" title="http://www.yubico.com/yubikey" rel="nofollow">Yubikey</a> is a small hardware token shipped by <a href="http://www.yubico.com" class="urlextern" title="http://www.yubico.com" rel="nofollow">Yubico</a>. It sends an OTP, which is validated against the Yubico server.
</p>
</div>
<h2 class="sectionedit2" id="prerequisites_and_dependencies">Prerequisites and dependencies</h2>
<div class="level2">
<p>
You need the <a href="http://search.cpan.org/~massyn/Auth-Yubikey_WebClient/" class="urlextern" title="http://search.cpan.org/~massyn/Auth-Yubikey_WebClient/" rel="nofollow">Auth::Yubikey_WebClient</a> package.
</p>
<p>
You need to get a client ID and a secret key from Yubico. See the <a href="https://upgrade.yubico.com/getapikey/" class="urlextern" title="https://upgrade.yubico.com/getapikey/" rel="nofollow">Yubico API</a> page.
</p>
</div>
<li class="level1"><div class="li"> Authentication level: you can override the authentication level here for users with a registered Yubikey. Leaving it blank keeps the authentication level provided by the first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set a higher value here if you want to give access to some apps only to enrolled users</strong></div>
</li>
<li class="level1"><div class="li"> Client ID: given by Yubico or another service</div>
</li>
<li class="level1"><div class="li"><abbr title="Application Programming Interface">API</abbr> secret key: given by Yubico or another service</div>
</li>
<li class="level1"><div class="li"> Nonce (optional): if any</div>
</li>
<li class="level1"><div class="li"><abbr title="Uniform Resource Locator">URL</abbr>: URL of the service (leave blank to use Yubico cloud services)</div>
</li>
<li class="level1"><div class="li"> OTP public ID part size: leave it at the default (12) unless you know what you are doing</div>
<div class="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: <code>$_2fDevices =~ /"type":\s*"UBK"/s</code>; otherwise a Yubikey will be required even for users who have not registered one. This is done automatically when “activation” is simply set to “on”.
If you don't want to use self-registration, set the public part of the user's Yubikey in the Second Factor Devices array (JSON) in your user database. Then map it to the _2fDevices attribute <em>(see <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a>)</em>: