Yubikey Second Factor
The Yubikey is a small material token shipped by Yubico. It sends an OTP, which is validated against Yubico server.
Prerequisites and dependencies
Configuration
In the manager (second factors), you just have to enable it:
Activation: set it to “on”
Self registration: set it to “on” if users are authorized to register their keys
Authentication level: you can overwrite here auth level for Yubikey registered users. Leave it blank keeps auth level provided by first authentication module (default: 2 for user/password based modules). It is recommended to set an higher value here if you want to give access to some apps only to users enrolled
Client ID: given by Yubico or another service
API secret key: given by Yubico or another service
Nonce (optional): if any
URL: Url of service (leave blank to use Yubico cloud services)
OTP public ID part size: leave it to default (12) unless you know what you are doing
If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: $_2fDevices =~ /“type”:\s*“UBK”/s, else Yubikey will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
Provisioning
If you don't want to use self-registration, set public part of user's yubikey in Second Factor Devices array (JSON) in your user-database. Then map it to the _2fDevices attribute (see exported variables):
[{"name" : "MyYubikey" , "type" : "UBK" , "_secret" : "########" , "epoch":"1524078936"}, ...]